North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
2026-04-01 • Google
Google Threat Intelligence Group (GTIG) reports that malicious axios releases 1.14.1 and 0.30.4 introduced plain-crypto-js as a dependency, which triggered a postinstall dropper that deployed WAVESHAPER.V2 backdoors on Windows, macOS, and Linux. GTIG attributes the activity to UNC1069, a financially motivated North Korea-nexus actor, based on WAVESHAPER.V2 lineage and infrastructure overlaps with earlier UNC1069 activity.

The dropper used obfuscated strings, platform checks, and OS-specific execution paths: a renamed PowerShell binary on Windows, an AppleScript-launched Mach-O payload on macOS, and a Python backdoor on Linux. The implants beaconed over HTTP to sfrclak[.]com:8000 with base64-encoded JSON and a distinctive fake IE8 User-Agent, and supported host reconnaissance, filesystem enumeration, command execution, and follow-on payload delivery.

The compromise matters because even a brief malicious publish window in a package as widely used as axios can expose developer and enterprise environments to credential theft and downstream supply-chain attacks.
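Because the malicious releases were live only briefly, the practical first step for a defender is to check what actually landed in lockfiles rather than what package.json declares. The script below is an added example written for this page, not GTIG or axios project code: it walks an npm lockfile (v2/v3 `packages` layout, with a fallback for the v1 nested `dependencies` tree) and flags the two malicious axios versions, any install of plain-crypto-js, and any package that depends on it. The lockfile it parses is constructed for illustration; the version numbers and the dependency name come from the advisory text.

```python
"""Audit an npm lockfile for the malicious axios releases and the
plain-crypto-js dependency they pulled in.

Added example for this page, not GTIG or axios project code. SAMPLE_LOCK is a
constructed lockfile; the version numbers and package name come from the
advisory text.
"""
import json

# Versions named in the advisory as the malicious axios releases.
MALICIOUS_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
# Dependency the malicious releases introduced.
SUSPECT_PACKAGES = {"plain-crypto-js"}


def _lock_entries(lock):
    """Yield (name, version, entry) for every installed package.

    Handles lockfileVersion 2/3 ("packages", keyed by install path) and falls
    back to the nested lockfileVersion 1 "dependencies" tree.
    """
    packages = lock.get("packages")
    if packages:
        for path, entry in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, entry.get("version"), entry
        return

    def walk(deps):
        for name, entry in deps.items():
            yield name, entry.get("version"), entry
            yield from walk(entry.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def audit_lockfile(lock):
    """Return a sorted list of (name, version, reason) findings."""
    findings = set()
    for name, version, entry in _lock_entries(lock):
        if name == "axios" and version in MALICIOUS_AXIOS_VERSIONS:
            findings.add((name, version, "malicious axios release"))
        if name in SUSPECT_PACKAGES:
            findings.add((name, version, "dependency introduced by malicious release"))
        # In both lockfile layouts the keys of "dependencies" are package names,
        # so this catches whatever pulled plain-crypto-js in.
        deps = entry.get("dependencies", {})
        if isinstance(deps, dict) and SUSPECT_PACKAGES & set(deps):
            findings.add((name, version, "depends on plain-crypto-js"))
    return sorted(findings)


# Constructed lockfile (v3 layout): axios arrives transitively via "some-sdk",
# which is exactly the case a glance at package.json would miss.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "dependencies": {"some-sdk": "^2.0.0"}},
    "node_modules/some-sdk": {"version": "2.3.0", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/some-sdk/node_modules/axios": {
      "version": "1.14.1",
      "dependencies": {"plain-crypto-js": "^1.0.0"}
    },
    "node_modules/plain-crypto-js": {"version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}
""")

if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `json.load(open("package-lock.json"))`. A clean lockfile returns an empty list; a hit on plain-crypto-js alone is worth investigating even if axios has since been bumped, because the postinstall hook already ran on whichever machine did the install. Setting `ignore-scripts=true` in `.npmrc` on CI runners and developer workstations blocks this class of postinstall dropper at the cost of breaking packages that legitimately need install scripts.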
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | sfrclak.com | 2026-03-30 | 2026-04-20 |
| HASH | e10b1fa84f1d6481625f741b6989278… | 2026-03-31 | 2026-04-17 |
| EMAIL | [email protected] | 2026-03-30 | 2026-04-17 |
| URL | http://sfrclak.com:8000/6202033 | 2026-03-30 | 2026-04-17 |
| IPv4 | 142.11.206.73 | 2026-03-30 | 2026-04-17 |
| YARA | G_Hunting_Downloader_SILKBELL_1 | 2026-04-01 | 2026-04-01 |
| YARA | G_Hunting_Downloader_suspected_… | 2026-04-01 | 2026-04-01 |
| HASH | 7658962ae060a222c0058cd4e979bfa1 | 2026-03-31 | 2026-04-01 |
| HASH | 04e3073b3cd5c5bfcde6f575ecf6e8c1 | 2026-03-31 | 2026-04-01 |
| HASH | 089e2872016f75a5223b5e02c184dfec | 2026-03-31 | 2026-04-01 |
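The network indicators above are most useful when combined with the beacon shape the advisory describes (HTTP on port 8000, base64-encoded JSON, IE8-style User-Agent), since an actor can rotate domains faster than a blocklist updates. The script below is an added example for this page, not GTIG code: it scores JSON-line proxy records against the listed domain and IP plus those behavioural traits, and flags a record on either a known-indicator hit or two or more behavioural matches. The log records and their field names are a constructed, hypothetical proxy schema. The advisory says the User-Agent imitates IE8 but does not quote it, so matching on the substring `MSIE 8.0` is an assumption.

```python
"""Hunt proxy logs for beacons matching the WAVESHAPER.V2 C2 pattern:
HTTP to the listed domain or IP on port 8000, a base64 body that decodes to
JSON, and an IE8-style User-Agent.

Added example for this page, not GTIG code. SAMPLE_LOG is constructed and
uses a hypothetical proxy schema. Matching on "MSIE 8.0" is an assumption;
the advisory describes the User-Agent as a fake IE8 string without quoting it.
"""
import base64
import binascii
import json

# Network indicators from the IoC table.
C2_HOSTS = {"sfrclak.com", "142.11.206.73"}
C2_PORT = 8000


def looks_like_b64_json(body):
    """True if body is strict base64 that decodes to a JSON object or array."""
    if not body:
        return False
    try:
        raw = base64.b64decode(body, validate=True)
        decoded = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return False
    return isinstance(decoded, (dict, list))


def score_record(rec):
    """Return the list of matched criteria for one proxy record."""
    reasons = []
    host = (rec.get("dst_host") or "").lower().rstrip(".")
    if host in C2_HOSTS or rec.get("dst_ip") in C2_HOSTS:
        reasons.append("known C2 host")
    if rec.get("dst_port") == C2_PORT and rec.get("scheme", "http") == "http":
        reasons.append("plaintext HTTP on port 8000")
    if "MSIE 8.0" in rec.get("user_agent", ""):  # assumption, see module docstring
        reasons.append("IE8-style User-Agent")
    if looks_like_b64_json(rec.get("body")):
        reasons.append("base64-encoded JSON body")
    return reasons


def hunt(log_lines, min_hits=2):
    """Parse JSON lines and return (record, reasons) for suspicious entries.

    Any single behavioural signal is noisy on its own; a known indicator hit
    or at least min_hits behavioural matches is required, which still catches
    the same tradecraft pointed at a host that is not yet on the list.
    """
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # malformed line: skip it rather than abort the hunt
        reasons = score_record(rec)
        if "known C2 host" in reasons or len(reasons) >= min_hits:
            hits.append((rec, reasons))
    return hits


# Constructed sample records (hypothetical proxy schema; IPs other than the
# listed indicator are documentation ranges).
_beacon = base64.b64encode(
    json.dumps({"host": "dev-laptop", "user": "build", "os": "linux"}).encode()
).decode()
SAMPLE_LOG = [
    json.dumps({"ts": "2026-03-31T02:14:07Z", "src": "10.0.4.21", "dst_host": "sfrclak.com",
                "dst_ip": "142.11.206.73", "dst_port": 8000, "scheme": "http",
                "url": "http://sfrclak.com:8000/6202033",
                "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", "body": _beacon}),
    json.dumps({"ts": "2026-03-31T02:15:00Z", "src": "10.0.4.22", "dst_host": "registry.npmjs.org",
                "dst_ip": "203.0.113.5", "dst_port": 443, "scheme": "https",
                "url": "https://registry.npmjs.org/axios", "user_agent": "npm/10.8.2 node/v20.11.1", "body": ""}),
    # Same tradecraft, unlisted host: caught by the multi-signal rule, not the blocklist.
    json.dumps({"ts": "2026-03-31T02:16:33Z", "src": "10.0.4.23", "dst_host": "198.51.100.7",
                "dst_ip": "198.51.100.7", "dst_port": 8000, "scheme": "http",
                "url": "http://198.51.100.7:8000/x",
                "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)", "body": _beacon}),
    "not json at all",
]

if __name__ == "__main__":
    for rec, reasons in hunt(SAMPLE_LOG):
        print(rec["src"], "->", rec["url"], ":", ", ".join(reasons))
```

To run this over real data, feed `hunt()` an iterable of lines from your proxy export after mapping its field names onto `dst_host`, `dst_ip`, `dst_port`, `scheme`, `user_agent` and `body`. Expect the behavioural rule to surface some legitimate traffic on port 8000 with JSON bodies; the point of requiring two signals is that the fake IE8 User-Agent is rare enough in a modern developer environment to make the combination actionable.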