The maintainer of the Axios npm package has confirmed that the supply chain compromise was the result of a highly targeted social engineering campaign orchestrated by North Korean threat actors tracked as UNC1069.
Maintainer Jason Saayman said the attackers tailored their social engineering efforts “specifically to me” by first approaching him under the guise of the founder of a legitimate, well-known company.
“They had cloned the company’s founders’ likeness as well as the company itself,” Saayman said in a post-mortem of the incident. “They then invited me to a real Slack workspace. This workspace was branded to the company’s CI and named in a plausible manner. The Slack [workspace] was thought out very well; they had channels where they were sharing LinkedIn posts.”
Subsequently, the threat actors are said to have scheduled a meeting with him on Microsoft Teams. Upon joining the fake call, he was presented with a fake error message that said “something on my system was out of date.” As soon as the update was triggered, the attack led to the deployment of a remote access trojan.
The access afforded by the trojan enabled the attackers to steal the npm account credentials needed to publish two trojanized versions of the Axios npm package (1.14.1 and 0.30.4) containing an implant named WAVESHAPER.V2.
“Everything was extremely well coordinated, looked legit, and was done in a professional manner,” Saayman added.
The attack chain described by the project maintainer shares considerable overlaps with tradecraft associated with UNC1069 and BlueNoroff. Details of the campaign were extensively documented by Huntress and Kaspersky last year, with the latter tracking it under the moniker GhostCall.
[Figure: Source: Kaspersky]
In these attacks, users are shown an error message seconds after joining the call, stating that their system is not functioning properly and instructing them to download a malicious Zoom or Teams SDK via a ClickFix-like pop-up message. Depending on the victim's operating system, this action leads to the execution of an AppleScript (for macOS) or a PowerShell (for Windows) script.
One of the malicious payloads deployed as part of the attack chain is a Nim-based macOS backdoor (or a Go variant written for Windows) called CosmicDoor that delivers a comprehensive stealer suite dubbed SilentSiphon to capture credentials from web browsers and password managers, and secrets associated with GitHub, GitLab, Bitbucket, npm, Yarn, Python pip, RubyGems, Rust Cargo, and .NET NuGet.
As detailed by Google-owned Mandiant in February 2026, some of these attacks have also paved the way for the deployment of a C++ malware called WAVESHAPER, which then serves as a conduit for additional downloaders, backdoors, and information stealers like HYPERCALL, SUGARLOADER, HIDDENCALL, SILENCELIFT, DEEPBREATH, and CHROMEPUSH.
“Historically, […] these specific guys have gone after crypto founders, VCs, public people,” security researcher Taylor Monahan said. “They social engineer them and take over their accounts and target the next round of people. This evolution to targeting [OSS maintainers] is a bit concerning in my opinion.”
As preventive steps, Saayman has outlined several changes, including resetting all devices and credentials, establishing immutable releases, adopting an OIDC flow for publishing, and updating GitHub Actions to adopt best practices.
The findings demonstrate how open-source project maintainers are increasingly becoming the target of sophisticated attacks, effectively allowing threat actors to target downstream users at scale by publishing poisoned versions of highly popular packages.
With Axios attracting nearly 100 million weekly downloads and being used heavily across the JavaScript ecosystem, the blast radius of such a supply chain attack can be massive as it propagates swiftly through direct and transitive dependencies.
“A package as widely used as Axios being compromised shows how difficult it is to reason about exposure in a modern JavaScript environment,” Socket’s Ahmad Nassri said. “It is a property of how dependency resolution in the ecosystem works today.”
Axios Attack Part of Broader, Coordinated Campaign
In a follow-up analysis published on Friday, Socket said several maintainers across the Node.js ecosystem have come forward, indicating that high-impact, open-source project maintainers were unsuccessfully targeted as part of what has been described as a coordinated social engineering campaign.
“The attack chain: build rapport over weeks, schedule a video call, fake an audio error, prompt the target to install a ‘fix.’” Socket CEO Feross Aboukhadijeh said. “That fix is a RAT. Once it’s on your machine, they have your .npmrc tokens, browser sessions, AWS creds, and Keychain. 2FA doesn’t matter. OIDC publishing doesn’t matter. Game over.”
Targets included Socket’s own engineers, Jordan Harband, who maintains ECMAScript polyfills and shims, and John-David Dalton, who is the creator of Lodash, a popular JavaScript utility library that provides methods to handle arrays, objects, and other kinds of data. Also targeted were Matteo Collina, the lead maintainer of Fastify, Pino, and Undici, Scott Motte, the creator of dotenv, and Pelle Wessman, who is a maintainer of mocha, neostandard, npm-run-all2, and type-fest.
While initial contact with Collina was via a Slack message, Wessman was invited to participate in a podcast recording, as part of which he was instructed to join a video call that turned out to be a fake version of the Streamyard live recording platform.
Once the call began, the bogus site displayed a “technically plausible error message” and prompted Wessman to download a native app to resolve it. When Wessman refused to run it, the North Korean threat actors switched tactics and asked him to run a curl command in the Terminal app. Having failed in this effort too, they erased all conversations and went dark.
In another case documented by Jean Burellier, a Node.js core collaborator and contributor to Express, the social engineering effort began with a LinkedIn message from the threat actors, posing as the representative of a company named Openfort. After the initial trust-building exercise, Burellier was invited to join two Slack workspaces. As soon as he joined, he was placed in a private channel with no other visible members and invited to join a fake Microsoft Teams call.
From here, the attack chain mirrors what Huntress, Kaspersky, and Google documented, with the fake Teams page displaying a message to update the Teams SDK. When Burellier declined to install the update and suggested rescheduling the call, he was removed from the Slack workspaces, and the conversations were deleted.
“The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself, and together they confirm that Axios was not a one-off target,” the software supply chain security company said. “It was part of a coordinated, scalable attack pattern aimed at high-trust, high-impact open source maintainers.”
(The story was updated after publication on April 4, 2026, to reflect the latest developments.)