Note: This report is updated by a verification record
The package downloads and executes payloads from remote URLs, executes arbitrary commands, and attempts self-deletion, indicating malicious intent.
WAVESHAPER.V2 / UNC1069 (Sapphire Sleet) - compromised npm package delivering multi-platform RAT via account takeover
The package exhibits multiple behaviors indicative of malicious intent. It downloads and executes payloads from remote URLs on macOS, Windows, and Linux (Evidence 4, 5, 6, 7). It also executes arbitrary commands selected by OS platform (Evidence 8) and attempts to delete itself and other files (Evidence 9). YARA rules further confirm the use of PowerShell with hidden commands, nohup with bash, and modification of file permissions to make files group-writable and executable (Evidence 0, 1, 2). The combination of these factors strongly suggests that the package is malicious.