← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack | Google Cloud Blog
WHITE Threat Intelligence CyberHunter_NL 2026-04-01 Modified: 2026-05-01
48
IOCs
MEDIUM VOLUME
A North Korea-Nexus threat actor is targeting a popular JavaScript package, which is used by millions of users, to deliver malware on Windows, macOS, Linux and other operating systems, analysis shows.
unc1069iocswaveshapermonitorcompromisewindowsos versionfile systemenumerationreturnsthreat intelligencewaveshaper.v2javascriptapplescriptlinux
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
WAVESHAPER.V2 JavaScript AppleScript Linux WAVESHAPER
Indicators of Compromise (48)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL YARA domain email hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 04e3073b3cd5c5bfcde6f575ecf6e8c1 MD5 of 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 2026-04-01
FileHash-MD5 089e2872016f75a5223b5e02c184dfec MD5 of f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd 2026-04-01
FileHash-MD5 7658962ae060a222c0058cd4e979bfa1 2026-04-01
FileHash-MD5 7a9ddef00f69477b96252ca234fcbeeb MD5 of 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a 2026-04-01
FileHash-SHA1 13ab317c5dcab9af2d1bdb22118b9f09f8a4038e SHA1 of 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a 2026-04-01
FileHash-SHA1 978407431d75885228e0776913543992a9eb7cc4 SHA1 of f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd 2026-04-01
FileHash-SHA1 a90c26e7cbb3440ac1cad75cf351cbedef7744a8 SHA1 of 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 2026-04-01
FileHash-SHA256 58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668 2026-04-01
FileHash-SHA256 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 2026-04-01
FileHash-SHA256 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a 2026-04-01
FileHash-SHA256 e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 2026-04-01
FileHash-SHA256 ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c 2026-04-01
FileHash-SHA256 f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd 2026-04-01
FileHash-SHA256 fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf 2026-04-01
URL http://packages.npm.org/product0 2026-04-01
URL http://packages.npm.org/product1 2026-04-01
URL http://packages.npm.org/product2 2026-04-01
URL http://sfrclak.com:8000 2026-04-01
URL http://sfrclak.com:8000/6202033 2026-04-01
YARA 6119a9735c3f294183164833582a0c9f38b24d70 Detects PowerShell dropper associated with suspected UNC1069 and Axios npm package supply chain attack. Associated to WAVESHAPER.V2 2026-04-01
YARA c6f553ee31f7f9ed93bb69324fa64483173d046e Detects the obfuscated version of the JS NPM supply chain downloader using Base64 obfuscation and custom XOR. Associated with WAVESHAPER.V2 2026-04-01
domain package.md 2026-04-01
domain sfrclak.com 2026-04-01
email ifstap@proton.me 2026-04-01
hostname packages.npm.org 2026-04-01
FileHash-MD5 04e3073b3cd5c5bfcde6f575ecf6e8c1 MD5 of 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 2026-04-01
FileHash-MD5 089e2872016f75a5223b5e02c184dfec MD5 of f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd 2026-04-01
FileHash-MD5 7a9ddef00f69477b96252ca234fcbeeb MD5 of 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a 2026-04-01
FileHash-MD5 8c782b59a786f18520673e8d669e3b0a MD5 of e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff 2026-04-01
FileHash-SHA1 07d889e2dadce6f3910dcbc253317d28ca61c766 2026-04-01
FileHash-SHA1 13ab317c5dcab9af2d1bdb22118b9f09f8a4038e SHA1 of 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a 2026-04-01
FileHash-SHA1 978407431d75885228e0776913543992a9eb7cc4 SHA1 of f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd 2026-04-01
FileHash-SHA1 a90c26e7cbb3440ac1cad75cf351cbedef7744a8 SHA1 of 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 2026-04-01
FileHash-SHA1 ae39c4c550ad656622736134035f17ca7a66a742 SHA1 of e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff 2026-04-01
FileHash-SHA1 d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71 2026-04-01
FileHash-SHA256 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 2026-04-01
FileHash-SHA256 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a 2026-04-01
FileHash-SHA256 e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 2026-04-01
FileHash-SHA256 e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff 2026-04-01
FileHash-SHA256 ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c 2026-04-01
FileHash-SHA256 f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd 2026-04-01
FileHash-SHA256 fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf 2026-04-01
URL http://sfrclak.com:8000 2026-04-01
URL http://sfrclak.com:8000/6202033 2026-04-01
domain callnrwise.com 2026-04-01
domain sfrclak.com 2026-04-01
email ifstap@proton.me 2026-04-01
email nrwise@proton.me 2026-04-01
References (1)
↗ https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package