North Korean threat actors tracked as UNC1069 executed a sophisticated social engineering campaign against Axios npm package maintainer Jason Saayman. The campaign led to the deployment of a remote access trojan, the theft of npm account credentials, and the subsequent publication of two malicious Axios package versions (1.14.1 and 0.30.4) containing the WAVESHAPER.V2 implant.
Initial Access
Impersonated Founder Lure
confirmed
UNC1069 threat actors impersonated the founder of a legitimate, well-known company and invited Axios maintainer Jason Saayman to a fake, branded Slack workspace.
Defender cut points
Implement robust social engineering awareness training for all employees, especially those with high-value access.
Enforce out-of-band verification for unexpected contact requests from individuals claiming to be high-profile figures.
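A downstream check that follows from the summary above: scan an npm lockfile for the two malicious Axios versions named in this writeup (1.14.1 and 0.30.4), including transitive copies nested under other packages. This is an added example, not code from the original report or from the Axios project; the lockfile contents are constructed and the function names are my own.

```javascript
// Added example (not from the original report): flag the two malicious Axios
// releases named in the writeup wherever they appear in an npm lockfile.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages"
// keyed by node_modules path, so nested installs show up as longer paths).
const COMPROMISED = { axios: new Set(["1.14.1", "0.30.4"]) };

function findCompromised(lock, compromised = COMPROMISED) {
  const hits = [];
  // lockfileVersion 2/3: "packages" maps "node_modules/<name>" paths to entries.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself, not a dependency
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length); // keeps @scope/name intact
    if (compromised[name]?.has(entry.version)) hits.push({ path, name, version: entry.version });
  }
  // lockfileVersion 1 only: walk the nested "dependencies" tree instead.
  if (!lock.packages) walkDeps(lock.dependencies || {}, "", compromised, hits);
  return hits;
}

function walkDeps(deps, prefix, compromised, hits) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    if (compromised[name]?.has(entry.version)) hits.push({ path, name, version: entry.version });
    if (entry.dependencies) walkDeps(entry.dependencies, `${path}/`, compromised, hits);
  }
}

// Constructed sample lockfile (v3): the top-level axios is a safe version, but a
// transitive copy pulled in by "some-sdk" (a made-up package) is the bad release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`compromised dependency: ${h.path} -> ${h.name}@${h.version}`);
}
```

Point the function at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; a hit in a nested path means the bad version arrived through another dependency, not a direct install.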