

Ethical Hacking News

Unveiling the WAVESHAPER.V2: A Sophisticated North Korean-Nexus Attack on Developer Environments



A highly sophisticated attack has been uncovered that targets developer environments worldwide by distributing a backdoor through compromised versions of popular packages like axios. The WAVESHAPER.V2 backdoor campaign is attributed to the North Korea-nexus threat actor UNC1069, and it highlights the dangers of supply chain attacks and the need for vigilance in developer environments.

  • WAVESHAPER.V2 malware campaign targets developer environments worldwide, attributed to North Korea-nexus threat actor UNC1069.
  • The malware features system information collection and enhanced command execution capabilities, building on the previously discovered WAVESHAPER malware.
  • The attack begins with an initial beaconing phase, followed by continuous polling for instructions via HTTP/HTTPS requests.
  • WAVESHAPER.V2 provides multiple commands to execute various tasks on infected systems, including 'runscript' for AppleScript payload execution or arbitrary shell commands.
  • Persistence is achieved through a hidden batch file and registry entry on Windows systems.
  • The attack highlights how exposed developer environments are to supply chain attacks that deliver a malicious backdoor through compromised packages like axios.
  • Developers and organizations are advised to take immediate corrective action, including auditing dependency trees and implementing security measures.


In a disturbing turn of events, a highly sophisticated attack has been uncovered that targets developer environments worldwide. Dubbed WAVESHAPER.V2, this malware campaign is attributed to the North Korea-nexus threat actor UNC1069, a group known for its financially motivated operations.

According to recent data released by Google Security Operations (SecOps), the WAVESHAPER.V2 backdoor is a direct evolution of the previously discovered WAVESHAPER malware. While both versions share similar characteristics, such as dynamic C2 URL generation and polling behaviors, WAVESHAPER.V2 boasts additional features like system information collection and enhanced command execution capabilities.

The attack begins with an initial beaconing phase, where the malicious payload communicates with its Command & Control (C2) server at 142.11.206.73. Following this, the malware continuously polls for instructions, pausing for 60 seconds to await a response from the C2 server. This communication occurs via HTTP/HTTPS requests.
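A defender-side way to spot the fixed-interval polling described above, written as an added example rather than code from the article or from Google's report; the proxy log lines are constructed, and the period, tolerance and minimum-request thresholds are assumptions:

```javascript
// Added example (not from the article or from Google's report): flag hosts that
// contact a destination at a near-constant interval, the polling pattern the
// article describes (a request roughly every 60 seconds to the C2 address).
// The log lines are constructed; only the C2 IP comes from the article.
const C2_IP = "142.11.206.73";

// Constructed proxy log, one request per line: "<unix-ts> <src> <dst> <method> <path>"
const SAMPLE_LOG = `
1774980000 10.0.0.5 142.11.206.73 GET /
1774980060 10.0.0.5 142.11.206.73 GET /
1774980121 10.0.0.5 142.11.206.73 GET /
1774980180 10.0.0.5 142.11.206.73 GET /
1774980240 10.0.0.5 142.11.206.73 GET /
1774980005 10.0.0.7 203.0.113.10 GET /index.html
1774980300 10.0.0.7 203.0.113.10 GET /news
1774981100 10.0.0.7 203.0.113.10 GET /about
`;

function parseLog(text) {
  return text.trim().split("\n").map((line) => {
    const [ts, src, dst] = line.trim().split(/\s+/);
    return { ts: Number(ts), src, dst };
  });
}

// Group requests by (src, dst), compute the gaps between consecutive requests,
// and report pairs whose gaps cluster tightly around `period` seconds.
function findBeacons(entries, { period = 60, tolerance = 5, minRequests = 4 } = {}) {
  const byPair = new Map();
  for (const e of entries) {
    const key = `${e.src}->${e.dst}`;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(e.ts);
  }
  const hits = [];
  for (const [key, times] of byPair) {
    if (times.length < minRequests) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const spread = Math.max(...gaps) - Math.min(...gaps);
    if (Math.abs(mean - period) <= tolerance && spread <= 2 * tolerance) {
      const [src, dst] = key.split("->");
      hits.push({ src, dst, requests: times.length, meanGap: mean, knownC2: dst === C2_IP });
    }
  }
  return hits;
}
```

The `knownC2` flag only confirms a match against the one address the article names; the interval check itself is what catches a beacon to an address you have not seen before.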

WAVESHAPER.V2 provides multiple commands to execute various tasks on infected systems. Some of these commands include 'kill,' 'rundir,' 'runscript,' and 'peinject.' The 'runscript' command is particularly noteworthy, as it allows the attacker to decode and execute an AppleScript payload or run arbitrary shell commands.

On Windows systems, persistence is achieved through a hidden batch file and an entry in the registry that launches the batch file at logon. This ensures that even if the system is restarted or shut down, the malware remains active and continues to operate.

The attack has significant implications for developers and organizations worldwide, as it highlights how exposed the software supply chain is to this kind of attack. Compromised versions of widely depended-on open-source packages like axios expose their users to a wide range of threats. In this case, UNC1069 has targeted the axios package with a malicious version that includes the WAVESHAPER.V2 backdoor.

To mitigate this risk, developers and organizations are advised to take immediate corrective action. This includes auditing dependency trees for compromised versions of axios, isolating affected hosts, rotating any potentially exposed secrets or credentials, and implementing strict version pinning and enhanced supply-chain monitoring.
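An added example (not the article's, Google's or the axios project's code) of the dependency-tree audit recommended above: it walks both npm lockfile formats and reports every installed copy of axios, nested copies included; the affected version list is a placeholder to be filled from the vendor advisory, and the two lockfiles are constructed.

```javascript
// Added example (not from the article, Google, or the axios project): list every
// installed copy of axios in an npm lockfile, nested copies included, and mark the
// ones on the affected list. Version list and lockfiles are constructed placeholders.
const PACKAGE = "axios";
// PLACEHOLDER: the article does not list affected versions; take them from the advisory.
const AFFECTED_VERSIONS = new Set(["0.0.0-placeholder"]);
// Constructed lockfile v2/v3 excerpt: flat "packages" map keyed by install path.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/axios": { version: "1.6.0" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "0.0.0-placeholder" },
  },
};
// Constructed lockfile v1 excerpt: nested "dependencies" tree.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    axios: { version: "0.0.0-placeholder" },
    "some-sdk": { version: "2.0.0", dependencies: { axios: { version: "1.6.0" } } },
  },
};

// Returns [{ path, version, affected }] for every installed copy of `name`.
function findInstalls(lock, name = PACKAGE) {
  const out = [];
  const record = (p, meta) =>
    out.push({ path: p, version: meta.version, affected: AFFECTED_VERSIONS.has(meta.version) });
  if (lock.packages) {
    // v2/v3: every key that is exactly node_modules/<name> or ends in /node_modules/<name>
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) record(p, meta);
    }
  } else if (lock.dependencies) {
    // v1: recurse through each dependency's own "dependencies" subtree
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${dep}`;
        if (dep === name) record(p, meta);
        if (meta.dependencies) walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return out;
}
// Only the copies that need action (isolate the host, rotate secrets, reinstall).
function affectedInstalls(lock, name = PACKAGE) {
  return findInstalls(lock, name).filter((i) => i.affected);
}
```

Run it against a real `package-lock.json` with `JSON.parse(fs.readFileSync(path))`; a clean lockfile still proves nothing if a developer machine installed the package outside the lockfile, so pair the audit with host isolation and secret rotation as the article advises.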

GTIG (Google Threat Intelligence Group) emphasizes that supply chain compromise is a particularly dangerous tactic, as it exploits the trust placed in reputable vendors and collaborative code-sharing communities. Defenders should pay close attention to these campaigns, and enterprises should initiate dedicated efforts to assess the existing impact, remediate compromised systems, and harden environments against future attacks.

In conclusion, the WAVESHAPER.V2 attack serves as a stark reminder of the evolving threat landscape and the importance of vigilance in developer environments. As the threat actor UNC1069 continues to adapt its tactics, it is essential for organizations to prioritize security measures and stay informed about emerging threats like this one.

Related Information:
  • https://www.ethicalhackingnews.com/articles/Unveiling-the-WAVESHAPERV2-A-Sophisticated-North-Korean-Nexus-Attack-on-Developer-Environments-ehn.shtml

  • https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package/

  • https://www.csoonline.com/article/4152696/attackers-trojanize-axios-http-library-in-highest-impact-npm-supply-chain-attack.html

  • https://www.sans.org/blog/axios-npm-supply-chain-compromise-malicious-packages-remote-access-trojan

  • https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html

  • https://malpedia.caad.fkie.fraunhofer.de/details/osx.waveshaper

  • https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering

  • https://cybersecuritynews.com/unc1069-hackers-attacking-finance-sector-with-new-tools/


Published: Tue Mar 31 19:00:09 2026 by llama3.2 3B Q4_K_M
