WAVESHAPER.V2
WAVESHAPER.V2 is a cross-platform remote access trojan/backdoor delivered in the 2026 npm supply-chain compromise of the Axios package. Poisoned Axios versions 1.14.1 and 0.30.4 pulled in the malicious dependency plain-crypto-js, whose postinstall dropper deployed WAVESHAPER.V2 on Windows, macOS, and Linux. Reporting describes platform-specific variants including a native C++ Mach-O binary for macOS, a PowerShell-based Windows variant, and a Python-based Linux variant. The malware is described as an updated/direct evolution of the earlier WAVESHAPER backdoor previously attributed to UNC1069.
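Because the dropper arrived as a transitive dependency and ran from a postinstall hook, the first place to check is the lockfile. The following scanner is an added example, not code from the page, from Google/GTIG, or from the Axios project: it walks a package-lock.json (lockfile v2/v3 `packages` map) and flags the poisoned Axios versions, any `plain-crypto-js` entry, packages that depend on it, and any package npm recorded as having an install script. The sample lockfile is constructed, and the `plain-crypto-js` version string is a placeholder because the page does not give one.

```python
"""Scan an npm package-lock.json for the poisoned Axios releases and the
plain-crypto-js dependency named in the reporting on WAVESHAPER.V2.
Added example (not code from the page or from the Axios project)."""
import json
import sys

# Indicators taken from the page's reporting.
POISONED_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
MALICIOUS_DEPENDENCY = "plain-crypto-js"

# Constructed sample lockfile (lockfileVersion 3 layout). The plain-crypto-js
# version string is a placeholder; the page does not give one.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"axios": "^1.14.1"}},
        "node_modules/axios": {
            "version": "1.14.1",
            "dependencies": {"plain-crypto-js": "*", "example-benign-dep": "^1.0.0"},
        },
        "node_modules/plain-crypto-js": {
            "version": "0.0.0-placeholder",
            "hasInstallScript": True,
        },
        "node_modules/example-benign-dep": {"version": "1.0.0"},
    },
}


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/b' -> 'b' (scoped names keep their '@org/')."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def scan_lockfile(lock: dict) -> list:
    """Return (kind, package, version) findings for a parsed package-lock.json."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry has an empty key
            continue
        name = package_name(path)
        version = meta.get("version", "")
        if name == "axios" and version in POISONED_AXIOS_VERSIONS:
            findings.append(("poisoned-axios", name, version))
        if name == MALICIOUS_DEPENDENCY:
            findings.append(("malicious-dependency", name, version))
        if MALICIOUS_DEPENDENCY in meta.get("dependencies", {}):
            findings.append(("depends-on-malicious", name, version))
        # The dropper ran from a postinstall hook; lockfile v2+ records which
        # packages carry install scripts, so surface them for review.
        if meta.get("hasInstallScript"):
            findings.append(("install-script", name, version))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK  # fall back to the constructed sample
    for kind, name, version in scan_lockfile(lock):
        print(f"{kind}: {name}@{version}")
```

Run it as `python scan_lock.py package-lock.json` in each repository and CI runner image; the `install-script` findings are noisy on their own (many legitimate packages have install scripts) but are worth reviewing alongside the other three kinds.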
Documented capabilities include reconnaissance and system telemetry collection such as hostname, username, boot time, time zone, OS version, and running process lists; system and file-system enumeration including recursive directory listing with detailed metadata; arbitrary command execution; retrieval and execution of additional payloads; and, on Windows, in-memory Portable Executable injection. WAVESHAPER.V2 communicates with command-and-control infrastructure using Base64-encoded JSON and is reported to beacon every 60 seconds. It accepts its C2 URL via command-line arguments and shares polling behavior and an uncommon User-Agent string with the earlier WAVESHAPER family.
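The two traffic properties the reporting gives, a fixed 60-second poll and Base64-encoded JSON bodies, are enough for a simple hunt over proxy or egress logs. The script below is an added example, not code or telemetry from the page: it groups requests by source, destination and port, flags groups whose inter-request gaps all sit within a few seconds of 60, and counts how many request bodies decode to JSON. The log line layout, hosts, port 8000 usage and agent string in the sample are constructed assumptions (the page does not give the actual User-Agent value).

```python
"""Flag fixed-interval HTTP polling with Base64-encoded JSON bodies, the
C2 pattern the reporting describes for WAVESHAPER.V2. Added example over
constructed proxy-log lines; field layout, hosts and agent string are
assumptions, not values from the page."""
import base64
import json
import statistics
from collections import defaultdict


def _b64json(obj) -> str:
    """Encode a dict the way the reporting describes the beacon body."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed lines: epoch_seconds,src_ip,dst_host,dst_port,user_agent,request_body
SAMPLE_LOG = [
    f"{t},10.0.0.5,c2.example.invalid,8000,ConstructedAgent/1.0,"
    f"{_b64json({'id': 'host-a', 'seq': i})}"
    for i, t in enumerate([1000, 1060, 1121, 1180, 1241, 1300])
] + [
    "1000,10.0.0.7,cdn.example.invalid,443,Mozilla/5.0,",
    "1005,10.0.0.7,cdn.example.invalid,443,Mozilla/5.0,",
    "1300,10.0.0.7,cdn.example.invalid,443,Mozilla/5.0,",
    "1301,10.0.0.7,cdn.example.invalid,443,Mozilla/5.0,",
]


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields (body may be empty)."""
    ts, src, dst, port, ua, body = line.split(",", 5)
    return {"ts": float(ts), "src": src, "dst": dst,
            "port": int(port), "ua": ua, "body": body}


def is_base64_json(body: str) -> bool:
    """True when the body is valid Base64 that decodes to a JSON document."""
    if not body:
        return False
    try:
        json.loads(base64.b64decode(body, validate=True))
        return True
    except ValueError:  # binascii.Error and JSONDecodeError both subclass this
        return False


def find_beacons(lines, period=60.0, tolerance=5.0, min_events=4):
    """Group requests by (src, dst, port) and report groups whose gaps are
    all within `tolerance` seconds of `period`."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        groups[(rec["src"], rec["dst"], rec["port"])].append(rec)
    beacons = []
    for (src, dst, port), recs in groups.items():
        if len(recs) < min_events:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        median_gap = statistics.median(gaps)
        if abs(median_gap - period) > tolerance:
            continue
        if max(abs(g - median_gap) for g in gaps) > tolerance:
            continue
        beacons.append({
            "src": src, "dst": dst, "port": port,
            "events": len(recs),
            "median_interval": median_gap,
            "json_bodies": sum(is_base64_json(r["body"]) for r in recs),
            "user_agents": sorted({r["ua"] for r in recs}),
        })
    return beacons


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Tune `tolerance` and `min_events` to the log source: a pure interval check will also catch legitimate pollers, so the JSON-body count and the distinct User-Agent list are there to narrow the result before anyone pivots to the host.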
On Windows, reported persistence mechanisms include creation of a hidden batch file at %PROGRAMDATA%\system.bat and a Run key named MicrosoftUpdate under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Reported filesystem artifacts associated with the campaign include /Library/Caches/com.apple.act.mond on macOS, %PROGRAMDATA%\wt.exe, %PROGRAMDATA%\system.bat, %TEMP%\6202033.vbs, %TEMP%\6202033.ps1 on Windows, and /tmp/ld.py on Linux. Known command-and-control infrastructure mentioned in the reporting includes sfrclak[.]com resolving to 142.11.206.73, with traffic also noted on port 8000.
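The file paths and Run key above translate directly into a host check. The script below is an added example, not code from the page: `evaluate()` is a pure function over a platform name, a path-existence callback and a dictionary of Run values, so it can be exercised with constructed inputs, while `read_hkcu_run_values()` reads the real key through `winreg` on Windows and returns nothing elsewhere. The artifact list is taken verbatim from the page; the sample Run command in the test is constructed.

```python
"""Check a host for the WAVESHAPER.V2 file and Run-key artifacts listed in
the reporting. Added example, not code from the page; evaluate() is pure
so the matching logic can be tested with constructed inputs."""
import os
import sys

# Artifacts as named in the reporting. Windows paths keep the original
# environment-variable form and are expanded at check time.
FILE_ARTIFACTS = {
    "win32": [r"%PROGRAMDATA%\wt.exe", r"%PROGRAMDATA%\system.bat",
              r"%TEMP%\6202033.vbs", r"%TEMP%\6202033.ps1"],
    "darwin": ["/Library/Caches/com.apple.act.mond"],
    "linux": ["/tmp/ld.py"],
}
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"  # under HKCU
RUN_VALUE_NAME = "MicrosoftUpdate"


def evaluate(platform, path_exists, run_values):
    """Return findings as (kind, detail) tuples.

    platform:    sys.platform-style name ('win32', 'darwin', 'linux')
    path_exists: callable(str) -> bool
    run_values:  {run_value_name: command_line}
    """
    findings = []
    for raw in FILE_ARTIFACTS.get(platform, []):
        path = os.path.expandvars(raw)
        if path_exists(path):
            findings.append(("file", path))
    for name, command in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower():
            findings.append(("run-key-name", f"{name} = {command}"))
        elif any(tok in command.lower() for tok in ("system.bat", r"\wt.exe")):
            # Value renamed but still launching the reported artifacts.
            findings.append(("run-key-command", f"{name} = {command}"))
    return findings


def read_hkcu_run_values():
    """Enumerate HKCU\\Software\\...\\Run on Windows; empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # available only on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    hits = evaluate(sys.platform, os.path.exists, read_hkcu_run_values())
    for kind, detail in hits:
        print(f"{kind}: {detail}")
    print("no listed artifacts found" if not hits else f"{len(hits)} finding(s)")
```

Absence of these artifacts is not a clean bill of health: the dropper is reported to delete its setup script and swap in decoy files within seconds, so pair this check with the lockfile and network hunts rather than relying on it alone.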
Google Threat Intelligence Group and related reporting attribute the activity to UNC1069, a financially motivated North Korea-aligned/North Korea-nexus threat actor active since at least 2018, based on WAVESHAPER.V2 lineage, infrastructure overlap, and operational similarities. The broader campaign is tied to software supply-chain compromise and has been discussed in the context of targeting developer environments, CI/CD systems, enterprise software environments, and organizations including the cryptocurrency sector.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Google described WAVESHAPER.V2 as a “fully functional RAT”, capable of reconnaissance (extracting telemetry), command execution (in-memory Portable Executable injection and arbitrary shell commands), and system enumeration (returns detailed metadata).
This includes the poisoning of the popular Axios npm package to distribute an implant called WAVESHAPER.V2 after taking control of the package maintainer's npm account via a tailored social engineering campaign.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
after taking control of the package maintainer's npm account via a tailored social engineering campaign
GTIG said it was monitoring an “active software supply chain attack” targeting Axios... They tried to introduce a malicious dependency named "plain-crypto-js"
They tried to introduce a malicious dependency named "plain-crypto-js", an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux operating systems
Execution
8 techniques
capable of... command execution... and arbitrary shell commands
The shell execution command expects a script and script parameters from C2; if no script is provided, the parameter is executed as a PowerShell command...
Command Execution: Supports multiple execution methods, including in-memory Portable Executable (PE) injection and arbitrary shell commands.
macOS: Downloads a C++ Mach-O binary, stores it in /Library/Caches/com.apple.act.mond, and executes it via /bin/zsh.
Windows: Copies PowerShell to %PROGRAMDATA%\wt.exe, disguising it as Windows Terminal, and executes a secondary script via VBScript with registry-based persistence.
Linux: Retrieves a Python-based implant to /tmp/ld.py and executes it in the background using nohup.
The artificial intelligence (AI) company said a GitHub Actions workflow it uses as part of its macOS app-signing process downloaded and executed Axios version 1.14.1.
Persistence
2 techniques
after taking control of the package maintainer's npm account via a tailored social engineering campaign
Privilege Escalation
3 techniques
capable of... command execution (in-memory Portable Executable injection and arbitrary shell commands)
after taking control of the package maintainer's npm account via a tailored social engineering campaign
Stealth
6 techniques
a malicious dependency named "plain-crypto-js", an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor
capable of... command execution (in-memory Portable Executable injection and arbitrary shell commands)
Within seconds of execution, the dropper deletes the setup script, removes the postinstall hook, and replaces modified package files with benign decoys.
after taking control of the package maintainer's npm account via a tailored social engineering campaign
When developers or automated systems executed npm install axios, npm resolved and installed the injected dependency, triggering execution through the postinstall lifecycle hook.
Command Execution: Supports multiple execution methods, including in-memory Portable Executable (PE) injection...
Credential Access
1 technique
Discovery
3 techniques
Reconnaissance: Extracts system telemetry, including hostname, username, boot time, time zone, OS version, and detailed running process lists.
capable of reconnaissance (extracting telemetry)... and system enumeration (returns detailed metadata)
Supported command capabilities include: rundir: Enumerate directories and files
Collection
1 technique
Command and Control
3 techniques
WAVESHAPER.V2 communicates using JSON... both versions accept their C2 URL dynamically via command-line arguments, share identical C2 polling behaviors and an uncommon User-Agent string...
The dropper dynamically retrieved second-stage payloads tailored to the victim’s operating system.
Google described WAVESHAPER.V2 as a “fully functional RAT”, capable of reconnaissance, command execution... and system enumeration
IOCs tracked for this family
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
A cross-platform backdoor delivered via the malicious plain-crypto-js dependency in poisoned Axios package versions, capable of infecting Windows, macOS, and Linux systems.
An implant distributed via a compromised Axios npm package following maintainer account takeover through social engineering.
A cross-platform remote access trojan framework delivered via a malicious Axios npm dependency. It supports persistence, reconnaissance, beaconing to C2 every 60 seconds, remote command execution, payload delivery, directory enumeration, and self-termination across macOS, Windows, and Linux.
An implant embedded in trojanized Axios npm package versions 1.14.1 and 0.30.4 following a supply chain compromise, used as part of the malicious package payload.