The Axios HTTP client maintainers have published a post-mortem detailing a targeted social engineering campaign by North Korean threat actors tracked as UNC1069. The attackers compromised a maintainer's account and used it to publish malicious versions of the npm package (1.14.1 and 0.30.4), which contained a dependency that installed a remote access trojan (RAT) on Windows, Linux, and macOS systems.
The breach began with a sophisticated impersonation of a legitimate company, involving fake Slack workspaces and staged video calls. During a Microsoft Teams meeting, the maintainer was tricked into installing a fake "update" to resolve a technical error, which instead deployed malware. This allowed the attackers to bypass MFA by hijacking authenticated sessions, highlighting a broader, coordinated effort targeting high-impact open-source maintainers across the Node.js ecosystem.
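A lockfile check for the two versions named in the first paragraph, as an added example that is not from the maintainers' post-mortem. The function names and the sample lockfiles are constructed for illustration; the layouts handled are npm's nested v1 `dependencies` tree and the flat v2/v3 `packages` map, including entries installed under an alias.

```javascript
// Versions named as malicious in the summary above.
const AFFECTED = new Set(["1.14.1", "0.30.4"]);

// Resolve an entry's real package name and version, including npm aliases.
function resolveEntry(key, meta) {
  const alias = /^npm:(.+)@([^@]+)$/.exec(meta.version || ""); // v1 alias form
  if (alias) return { name: alias[1], version: alias[2] };
  return { name: meta.name || key.split("node_modules/").pop(), version: meta.version };
}

// Return every axios entry at an affected version in a parsed package-lock.json.
function findAffectedAxios(lock) {
  const hits = [];
  const check = (path, key, meta) => {
    const { name, version } = resolveEntry(key, meta);
    if (name === "axios" && AFFECTED.has(version)) hits.push({ path, version });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) check(path, path, meta);
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = trail + "node_modules/" + name;
        check(path, name, meta);
        walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfiles (package names and other versions are made up).
const SAMPLE_V3 = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
    "node_modules/http": { name: "axios", version: "0.30.4" }, // aliased install
  },
};
const SAMPLE_V1 = {
  dependencies: {
    "legacy-client": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } },
    "http-alias": { version: "npm:axios@1.14.1" },
  },
};
```

Pass it the result of `JSON.parse` on a project's `package-lock.json`; each hit gives the install path that pulled in the affected version, which identifies the parent dependency to pin or update.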