A coordinated social engineering campaign linked to DPRK-nexus threat actors (UNC1069) has been targeting high-impact Node.js and npm maintainers, including the creators of Lodash, Fastify, Pino, and Undici, as well as Socket engineers. Attackers impersonate legitimate companies, build rapport over weeks, then lure targets into fake video calls where they are prompted to install malware or run terminal commands. The malware installs a remote access trojan that exfiltrates npm tokens, browser cookies, AWS credentials, and more — bypassing 2FA entirely. Multiple maintainers confirmed they were targeted using the same 'Openfort' persona used in the confirmed Axios compromise. Security researchers connect this to documented DPRK tooling including WAVESHAPER, HYPERCALL, and CHROMEPUSH. The strategic shift from targeting crypto founders to open source maintainers gives attackers write access to packages downloaded trillions of times annually, enabling supply chain attacks at massive scale.

10 min read. From socket.dev
Table of contents

- High-Impact Node.js Maintainers Confirm They Were Targeted
- How the Attack Works
- A Known Playbook, Now Pointed at Open Source
- Write Access to npm Is the Prize