North Korea Supply Chain 2026: 1,700 Malicious Packages
2026-04-10 • Decryption Digest
https://www.decryptiondigest.com/blog/north-korea-supply-chain-1700-packages
North Korea-linked UNC1069 expanded Contagious Interview supply-chain activity across npm, PyPI, Go, Rust, and PHP, with Socket tracking more than 1,700 malicious packages tied to the operation. The broader campaign also included a separate Axios maintainer compromise, in which social engineering led to stolen npm publishing access and backdoored Axios releases that pulled in a malicious `plain-crypto-js` dependency. The payload chain deployed WAVESHAPER.V2, a cross-platform RAT that targets developer and CI/CD environments for cloud credentials, SSH keys, Kubernetes tokens, and cryptocurrency wallet data. The report recommends treating any affected Axios install from the March 31 exposure window as fully compromised, and hunting for the WAVESHAPER.V2 artifacts it names together with the C2 indicators `sfrclak.com` and `142.11.206.73`.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | sfrclak.com | 2026-03-30 | 2026-06-08 |
| IPv4 | 142.11.206.73 | 2026-03-30 | 2026-05-19 |
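The following is an added triage example written for this digest entry; it is not code from Decryption Digest, Socket, or the Axios project. It turns the report's three hunting recommendations into offline checks: whether a `package-lock.json` carries the malicious `plain-crypto-js` dependency (and which package pulled it in), whether DNS/proxy log lines contain the C2 domain or IP from the table above, and whether any `axios` install event falls inside the March 31 exposure window. The lockfile layout is npm's lockfileVersion 3 `packages` map; the sample lockfile, log lines and install events are constructed, the Axios and `plain-crypto-js` version strings are placeholders (the report does not list the backdoored versions), and the exposure window is taken as the whole UTC day of 2026-03-31 as an assumption.

```python
import json
import re
from datetime import datetime, timezone

# Indicators as published in the report: C2 domain and IP, the malicious
# dependency the backdoored Axios releases pulled in, and the exposure window
# (assumed here to span the full UTC day of March 31, 2026).
C2_DOMAIN = "sfrclak.com"
C2_IP = "142.11.206.73"
MALICIOUS_PACKAGE = "plain-crypto-js"
EXPOSURE_WINDOW = (datetime(2026, 3, 31, tzinfo=timezone.utc),
                   datetime(2026, 4, 1, tzinfo=timezone.utc))

# Constructed sample package-lock.json (lockfileVersion 3 "packages" layout).
# Version strings are placeholders, not the real backdoored versions.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.0.0"}},
        "node_modules/axios": {
            "version": "1.x.x-PLACEHOLDER",
            "dependencies": {"plain-crypto-js": "*", "follow-redirects": "^1.15.0"},
        },
        "node_modules/plain-crypto-js": {"version": "0.0.0-PLACEHOLDER"},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
})

# Constructed DNS/proxy log lines. Line 3 is a deliberate near-miss
# (142.11.206.730) and line 5 a near-miss domain (notsfrclak.com); only
# lines 2 and 4 should match.
SAMPLE_LOGS = [
    "2026-03-30T09:14:02Z dns client=10.0.0.5 query=registry.npmjs.org",
    "2026-03-31T10:12:03Z dns client=10.0.0.5 query=sfrclak.com",
    "2026-03-31T10:12:04Z proxy client=10.0.0.5 dst=142.11.206.730:443",
    "2026-04-01T00:00:10Z proxy client=10.0.0.9 dst=142.11.206.73:443",
    "2026-04-01T00:00:11Z dns client=10.0.0.9 query=notsfrclak.com",
]

# Constructed (timestamp, package) install events, e.g. parsed from CI logs.
SAMPLE_INSTALLS = [
    ("2026-03-30T23:59:00Z", "axios"),
    ("2026-03-31T08:30:00Z", "axios"),
    ("2026-03-31T09:00:00Z", "lodash"),
    ("2026-04-01T00:05:00Z", "axios"),
]

# Match the domain itself or any subdomain of it, but not a longer host name
# that merely ends in the same characters; match the IP only on octet boundaries.
DOMAIN_RE = re.compile(r"(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]+\.)*"
                       + re.escape(C2_DOMAIN) + r"(?![A-Za-z0-9-])")
IP_RE = re.compile(r"(?<!\d)" + re.escape(C2_IP) + r"(?!\d)")


def find_malicious_deps(lockfile_text):
    """Return where plain-crypto-js is installed in the lockfile and which
    packages (typically axios) declare it as a dependency."""
    lock = json.loads(lockfile_text)
    installed, dependents = [], []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1] if path else "(root)"
        if name == MALICIOUS_PACKAGE:
            installed.append(path)
        if MALICIOUS_PACKAGE in meta.get("dependencies", {}):
            dependents.append((name, meta.get("version")))
    return {"installed": installed, "dependents": dependents}


def match_c2_indicators(lines):
    """Return (line_number, indicator) for every log line that contains the
    C2 domain or the C2 IP."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if DOMAIN_RE.search(line):
            hits.append((n, C2_DOMAIN))
        if IP_RE.search(line):
            hits.append((n, C2_IP))
    return hits


def installs_in_exposure_window(install_events):
    """Return the axios install events that fall inside the exposure window;
    the report says to treat such installs as fully compromised."""
    start, end = EXPOSURE_WINDOW
    flagged = []
    for ts, pkg in install_events:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if pkg == "axios" and start <= when < end:
            flagged.append((ts, pkg))
    return flagged


if __name__ == "__main__":
    print(find_malicious_deps(SAMPLE_LOCKFILE))
    print(match_c2_indicators(SAMPLE_LOGS))
    print(installs_in_exposure_window(SAMPLE_INSTALLS))
```

The lockfile check keys on the presence of `plain-crypto-js` rather than on Axios version numbers, because the page identifies the backdoored releases by that dependency and not by version; a lockfile that resolves it from any path should be treated as a hit regardless of which parent declared it. The indicator regexes use explicit boundary checks so that a longer host name or IP string does not produce a false positive, which matters when the same patterns are later handed to a SIEM.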