Axios npm hack used fake Teams error fix to hijack maintainer account

North Korean hackers compromised the popular Axios HTTP client by using sophisticated social engineering to trick a maintainer into installing malware, leading to a malicious npm package update.

Key Points

  • North Korean threat actor UNC1069 targeted Axios lead maintainer Jason Saayman via a fake Slack workspace and a fraudulent Microsoft Teams update.
  • The attackers injected a malicious dependency, plain-crypto-js, into Axios versions 1.14.1 and 0.30.4, which installed a remote access trojan.
  • Malicious versions were available on the npm registry for approximately three hours before being removed by maintainers.
  • Google Threat Intelligence Group linked the campaign to UNC1069, noting the use of the WAVESHAPER.V2 malware and infrastructure overlaps.
  • Multiple maintainers of high-impact Node.js projects have reported similar social engineering attempts, indicating a coordinated, large-scale campaign against the open-source ecosystem.
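The versions and dependency name listed above give a defender something concrete to check for: any lockfile that resolved axios to 1.14.1 or 0.30.4, or that pulled in plain-crypto-js at all, was produced during the compromise window. The following script is an added example, not code from the article or from the Axios project. It walks both the lockfile v2/v3 "packages" map and the older v1 "dependencies" tree so nested copies of axios are not missed; the embedded lockfile is constructed for the demonstration, and the plain-crypto-js version in it is a placeholder rather than a value taken from the article.

```javascript
// Added example (not from the article): scan an npm lockfile object for the
// axios releases the article names as compromised and for the dependency the
// malicious release injected. Works on lockfileVersion 1, 2 and 3 shapes.
const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const INJECTED_DEP = "plain-crypto-js";

// Yield {name, version, path} for every installed package in the lockfile.
// v2/v3: keys of "packages" are paths like "node_modules/a/node_modules/b".
// v1: "dependencies" is a nested tree keyed by package name.
function* lockEntries(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // "" is the root project itself
      const marker = "node_modules/";
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      yield { name, version: meta.version, path };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { name, version: meta.version, path };
      yield* walk(meta.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, "");
}

// Return one finding per matching entry; an empty array means no indicator.
function findIndicators(lock) {
  const hits = [];
  for (const e of lockEntries(lock)) {
    if (e.name === "axios" && COMPROMISED_AXIOS.has(e.version)) {
      hits.push({ ...e, reason: "axios version published during the compromise" });
    }
    if (e.name === INJECTED_DEP) {
      hits.push({ ...e, reason: "dependency injected by the malicious axios release" });
    }
  }
  return hits;
}

// Convenience wrapper for raw lockfile text (e.g. fs.readFileSync output).
function scanLockfileText(text) {
  return findIndicators(JSON.parse(text));
}

// Constructed v3 lockfile: a top-level axios at a compromised version, the
// injected dependency (placeholder version, not from the article), and a
// nested, unaffected axios copy that must not be flagged.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "PLACEHOLDER-VERSION" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/axios": { version: "1.7.9" },
  },
};

for (const hit of findIndicators(SAMPLE_LOCK)) {
  console.log(`${hit.path}@${hit.version}: ${hit.reason}`);
}
```

A hit on either indicator means the lockfile (and any CI or developer machine that ran `npm install` against it during the window) should be treated as exposed; the article's remediation, rotating all credentials and keys, applies to those hosts rather than to the lockfile alone.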

Why it Matters

This incident highlights the growing exposure of the software supply chain as threat actors increasingly target high-trust open-source maintainers to distribute malware. Because the attackers obtained the maintainer's authenticated sessions, they effectively bypassed multi-factor authentication, which forced the developers to rotate all credentials and keys to restore trust in their systems.
Source: BleepingComputer, published by Lawrence Abrams