<div class="block-paragraph_advanced"><p>Written by: Austin Larsen, Dima Lenz, Adrian Hernandez, Tyler McLellan, Christopher Gardner, Ashley Zaya, Michael Rudden, Mon Liclican, Muhammad Umair</p> <hr/></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "</span><a href="https://www.npmjs.com/package/axios" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">axios</span></a><span style="vertical-align: baseline;">." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "</span><code style="vertical-align: baseline;">plain-crypto-js</code>"<span style="vertical-align: baseline;"> into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. This malicious dependency is an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.</span></p> <p><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">GTIG attributes this activity to </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering"><span style="text-decoration: underline; vertical-align: baseline;">UNC1069</span></a><span style="vertical-align: baseline;">, a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of </span><span style="vertical-align: baseline;">WAVESHAPER.V2</span><span style="vertical-align: baseline;">, an updated version of </span><a href="https://cloud.google.com/blog/topics/

Read Full Article at Mandiant Blog →