Ethical Hacking News
Axios Supply Chain Attack: A Masterclass in Social Engineering highlights the shocking revelation that a North Korean threat actor group targeted the maintainership of the popular npm package, using tailored social engineering tactics to gain access to sensitive information. Learn more about this sophisticated attack and its implications for the broader JavaScript ecosystem.
A North Korean threat actor group (UNC1069) orchestrated a social engineering campaign that compromised the maintainership of the Axios npm package. The attackers used tailored phishing tactics to gain access to the maintainer's Slack workspace and deploy a remote access Trojan (RAT). The attack was highly sophisticated, with attackers cloning the company's founders' likeness and presenting fake error messages to the maintainer. The incident highlights the growing threat landscape for open-source project maintainers and the need for robust cybersecurity measures. The Axios package is widely used (nearly 100 million weekly downloads), which makes it a prime target for supply chain attacks.
In a revelation that has sent ripples throughout the cybersecurity community, a highly sophisticated social engineering campaign orchestrated by North Korean threat actors tracked as UNC1069 compromised the maintainership of the Axios npm package. The attack, which was specifically targeted at a single individual, used tailored phishing tactics to gain access to the maintainer's Slack workspace and subsequently deploy a remote access Trojan (RAT) that allowed the attackers to steal sensitive information.
According to Jason Saayman, the maintainer of the affected Axios version, the attackers had cloned the company's founders' likeness as well as the company itself, making it appear legitimate. They then invited Saayman to a real Slack workspace, which was branded to look like the company's CI and named in a plausible manner. The attackers also scheduled a meeting with him on Microsoft Teams, where they presented a fake error message that stated "something on my system was out of date." As soon as the update was triggered, the attack led to the deployment of the RAT.
The attack chain described by Saayman shares extensive overlaps with tradecraft associated with UNC1069 and BlueNoroff. In fact, details of the campaign were extensively documented by Huntress and Kaspersky last year, with the latter tracking it under the moniker GhostCall. Historically, these actors have targeted crypto founders, VCs, public figures, and now open-source project maintainers.
The attack highlights the growing threat landscape for open-source project maintainers, who are increasingly becoming targets of sophisticated attacks that allow threat actors to target downstream users at scale by publishing poisoned versions of highly popular packages. In this case, Axios attracts nearly 100 million weekly downloads and is used heavily across the JavaScript ecosystem, making it a prime target for such supply chain attacks.
According to security researcher Taylor Monahan, "Everything was extremely well coordinated, looked legit, and was done in a professional manner." The attackers' use of social engineering tactics demonstrates a high level of sophistication and expertise. As preventive measures, Saayman has outlined several changes, including resetting all devices and credentials, setting up immutable releases, adopting an OIDC flow for publishing, and updating GitHub Actions to adopt best practices.
This incident serves as a stark reminder of the importance of having robust cybersecurity measures in place to protect open-source projects and their maintainers. It also underscores the need for greater awareness and education among developers about the potential risks associated with using third-party libraries and dependencies.
The attack has significant implications for the broader JavaScript ecosystem, highlighting a consequence of how dependency resolution works today: a compromised package can reach a project directly or through any number of transitive dependencies. As Ahmad Nassri of Socket noted, "A package as widely used as Axios being compromised shows how difficult it is to reason about exposure in a modern JavaScript environment."
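The difficulty Nassri describes comes from the fact that npm can install several copies of the same package in one project, some of them nested under other dependencies. As an added example (not code from the article or from the Axios project), the following Node script walks an npm lockfile (lockfileVersion 2 or 3, where installed packages are keyed by their `node_modules` path) and lists every resolved copy of a named package together with the top-level dependency it sits under. The lockfile contents and the `affectedVersions` list are constructed placeholders for illustration; they are not the real set of compromised Axios releases.

```javascript
// Added example: enumerate every installed copy of a package in an npm
// lockfile (lockfileVersion 2/3), including nested copies, so a defender can
// see where a compromised release would actually land in a project.

// Constructed sample lockfile (not a real project). Note the two copies of
// axios: one hoisted to the top level, one nested under "some-sdk".
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.6.0", "some-sdk": "^2.0.0" } },
    "node_modules/axios": { version: "1.6.8" },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/some-sdk": { version: "2.1.0", dependencies: { axios: "^1.7.0" } },
    "node_modules/some-sdk/node_modules/axios": { version: "1.7.2" },
  },
};

// Turn a lockfile "packages" key into the chain of package names it nests under:
// "node_modules/a/node_modules/b" -> ["a", "b"]. Scoped names keep "@scope/name".
function pathToChain(key) {
  const parts = key.split("/");
  const chain = [];
  for (let i = 0; i < parts.length; i++) {
    if (parts[i] !== "node_modules") continue;
    let name = parts[i + 1];
    if (name && name.startsWith("@")) name = `${name}/${parts[i + 2]}`;
    if (name) chain.push(name);
  }
  return chain;
}

// Return every installed copy of `packageName`: its lockfile path, resolved
// version, and the top-level dependency under which it is nested ("(direct)"
// when it is hoisted to the root node_modules).
function findInstalledCopies(lockfile, packageName) {
  const copies = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (key === "") continue; // root project entry, not an installed package
    const chain = pathToChain(key);
    if (chain[chain.length - 1] !== packageName) continue;
    copies.push({
      path: key,
      version: entry.version,
      via: chain.length > 1 ? chain[0] : "(direct)",
      nested: chain.length > 1,
    });
  }
  return copies;
}

// Compare the installed copies against a list of versions considered affected.
// `affectedVersions` here is a placeholder supplied by the caller, e.g. from an
// advisory; this example does not know the real compromised versions.
function exposureReport(lockfile, packageName, affectedVersions) {
  const affected = new Set(affectedVersions);
  const copies = findInstalledCopies(lockfile, packageName);
  return {
    copies,
    affectedCopies: copies.filter((c) => affected.has(c.version)),
  };
}

// Usage: run against the constructed lockfile with a placeholder affected list.
// To audit a real project, replace SAMPLE_LOCKFILE with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
const report = exposureReport(SAMPLE_LOCKFILE, "axios", ["1.7.2"]);
for (const c of report.copies) {
  const flag = report.affectedCopies.includes(c) ? "AFFECTED" : "ok";
  console.log(`${c.path} -> ${c.version} (via ${c.via}) ${flag}`);
}
```

The point the script makes is that `npm ls axios` style reasoning has to cover nested copies too: a project whose direct `axios` pin is clean can still carry an affected copy pulled in by an SDK, and a lockfile-wide walk is what surfaces it.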
Related Information:
https://www.ethicalhackingnews.com/articles/Axios-Supply-Chain-Attack-A-Masterclass-in-Social-Engineering-ehn.shtml
https://thehackernews.com/2026/04/unc1069-social-engineering-of-axios.html
https://cybersecsentinel.com/axios-npm-backdoored-unc1069-deploys-cross-platform-rat-via-supply-chain-attack/
https://thecyberexpress.com/lazarus-behind-axios-npm-supply-chain-attack/
https://www.picussecurity.com/resource/blog/bluenoroff-group-the-financial-cybercrime-arm-of-lazarus
https://apt.securelist.com/apt/bluenoroff
Published: Fri Apr 3 07:38:15 2026 by llama3.2 3B Q4_K_M