The npm package Axios was compromised by a North Korean threat group (UNC1069) through a slow-burn social engineering campaign targeting its lead maintainer, Jason Saayman. The attackers impersonated a company founder, built trust over two weeks through a convincing Slack workspace, then tricked Saayman into installing a RAT during a Microsoft Teams meeting. That sidestepped 2FA entirely: 2FA protects the login, not a workstation the attacker already controls. The malicious versions were pulled within hours, but Axios receives over 100 million downloads per week, so even a window of hours reaches a large number of installs. Security researchers describe the attack as part of a broader, industrialized campaign against high-access open source maintainers, with AI lowering the cost of building convincing personas and ClickFix-style delivery making payload deployment easier. Experts warn that this is a permanent shift in the threat landscape: compromising a single maintainer can yield write access to packages used by millions of organizations.