North Korean-linked threat actors tracked as UNC1069 used a highly targeted social engineering campaign to steal the Axios maintainer’s credentials and publish trojanized versions of the package. The compromise deployed a remote access implant called WAVESHAPER.V2 and underscores the massive supply-chain risk posed by attacks on popular open-source maintainers. #UNC1069 #WAVESHAPERV2
Key points
- Attackers impersonated a legitimate company’s founder, created a cloned Slack workspace, and scheduled a fake Microsoft Teams meeting.
- A fake update prompt during the call installed a remote access trojan that allowed credential theft.
- Two trojanized Axios releases (1.14.1 and 0.30.4) contained the WAVESHAPER.V2 implant.
- The campaign’s tradecraft overlaps with UNC1069/BlueNoroff and the GhostCall activity documented by Kaspersky and Huntress.
- The maintainer's recommended mitigations include resetting devices and credentials, immutable releases, OIDC publishing, and GitHub Actions best practices.
Read More: https://thehackernews.com/2026/04/unc1069-social-engineering-of-axios.html