WAVESHAPER.V2 malware distributed via compromised Axios npm package attributed to UNC1069
Summary
A financially motivated North Korean-aligned threat actor tracked as UNC1069 compromised the npm account of the maintainer of the Axios library, a widely used HTTP client with approximately 100 million weekly downloads, to publish malicious versions containing the cross-platform WAVESHAPER.V2 malware. The malicious builds were available for only a few hours but were automatically pulled into downstream environments via CI/CD pipelines and dependency chains, exposing enterprises that never directly installed Axios. The malware implements anti-forensic cleanup mechanisms, and the operation treats the build pipeline as the new front line for software supply chain compromise at scale.
Timeline
- 06.04.2026 15:46
  Axios npm package compromised to distribute WAVESHAPER.V2 malware via UNC1069
  The npm account of Axios’s lead maintainer was compromised by threat actors aligned with UNC1069 to publish malicious versions of the Axios library containing the cross-platform WAVESHAPER.V2 malware. Malicious builds were distributed for a limited duration but were automatically pulled into downstream environments via CI/CD pipelines and dependency chains, exposing enterprises that never directly installed Axios. The malware includes anti-forensic cleanup routines and was designed for scale through software supply chain compromise.
  Sources:
  - ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More — thehackernews.com — 06.04.2026 15:46
Information Snippets
- The threat actor compromised the npm account of Axios’s lead maintainer and published malicious versions of the package containing WAVESHAPER.V2 malware.
  First reported: 06.04.2026 15:46 (1 source, 1 article). Sources:
  - ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More — thehackernews.com — 06.04.2026 15:46
- Axios has nearly 100 million weekly downloads on npm, making downstream exposure via CI/CD pipelines and dependencies extensive and automated.
  First reported: 06.04.2026 15:46 (1 source, 1 article). Sources:
  - ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More — thehackernews.com — 06.04.2026 15:46
- The malware includes self-deleting anti-forensic cleanup routines, indicating an intentional, planned operation rather than opportunistic compromise.
  First reported: 06.04.2026 15:46 (1 source, 1 article). Sources:
  - ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More — thehackernews.com — 06.04.2026 15:46
- The activity has been attributed to UNC1069, assessed as financially motivated with ties to North Korea.
  First reported: 06.04.2026 15:46 (1 source, 1 article). Sources:
  - ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More — thehackernews.com — 06.04.2026 15:46
- Malicious builds were available for only a few hours but were still pulled into enterprise environments via build pipelines and downstream dependencies, complicating detection and containment.
  First reported: 06.04.2026 15:46 (1 source, 1 article). Sources:
  - ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More — thehackernews.com — 06.04.2026 15:46