A researcher says malicious npm packages
[email protected] and [email protected] were published briefly and used to deploy WAVESHAPER.V2, a cross-platform RAT attributed to UNC1069. The malware was delivered via a post-install hook, meaning no user clicks were required beyond a normal npm install, and it’s believed at least one security council member’s key may have been exfiltrated during the ~3-hour window.