Find notable cyber news and cases, enriched with sources, timelines, and signals.

WAVESHAPER.V2 trojanized Axios npm packages

Malware Activity
First reported
Last updated
Happening score
H score 30
2 unique sources, 2 articles

Summary

Hide ▲

The WAVESHAPER.V2 implant was embedded in trojanized Axios npm package releases, creating downstream supply-chain risk for npm users. The malicious code was published after attackers used a remote access trojan to steal the maintainer's npm account credentials. The abuse covered Axios 1.14.1 and 0.30.4, widening exposure across direct and transitive dependencies. Because Axios is used at massive scale, the malware delivery could affect a broad JavaScript ecosystem.

Related Happenings

GitHub npm version 12 hardens installs and token management

Security Tool/Service
H score11 First: 09.07.2026 19:49 Last: 09.07.2026 19:49 Sources 1

About this happening: **GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...

Sapphire Sleet Mastra npm supply-chain campaign

Campaign
H score42 First: 20.06.2026 17:09 Last: 20.06.2026 17:09 Sources 1

About this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...

Npm v12 default-blocks install scripts, Git dependencies, and remote URLs

Security Tool/Service
H score11 First: 12.06.2026 16:00 Last: 12.06.2026 16:00 Sources 1

About this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...

IronWorm npm supply-chain infection and self-propagation

Malware Activity
H score15 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Timeline

  1. 03.04.2026 14:04 2 articles · 3mo ago

    UNC1069 compromises Axios maintainer

    Initial Disclosure

    North Korean threat actors tracked as UNC1069 compromised the Axios npm package maintainer through highly targeted social engineering that used a cloned founder identity, a branded Slack workspace, and a fake Microsoft Teams update prompt. The access led to a remote access trojan, theft of npm account credentials, publication of trojanized Axios 1.14.1 and 0.30.4 releases containing WAVESHAPER.V2, and follow-on hardening steps that included resetting devices and credentials, setting up immutable releases, adopting OIDC flow for publishing, and updating GitHub Actions.

    Show sources