Jason Saayman joined a Teams meeting, screen shared, everything looking sharp.
And poof—North Korean hackers had his machine. This axios supply chain attack wasn’t some script-kiddie phishing email. No, these UNC1069 geniuses (or Sapphire Sleet, take your pick) scripted a full-blown corporate mirage to social-engineer the lead maintainer.
They cloned a real company. Founder’s LinkedIn? Check. Slack workspace buzzing with fake team chatter? Double check. Channels posting the legit company’s updates, profiles mimicking other OSS maintainers for that extra social lube. Weeks of buildup, then the kill shot: a Teams huddle where Saayman’s system “flags an outdated component.” He installs. Boom. RAT.
“Everything was extremely well co-ordinated, looked legit and was done in a professional manner,” Saayman wrote in the post-mortem.
“Everything was extremely well co-ordinated, looked legit and was done in a professional manner.”
It’s like Ocean’s Eleven, but the vault’s an npm account and the loot’s your CI pipeline.
The Con That Should’ve Been a Red Flag
Look, we’ve seen social engineering before. But this? Fake Slack with branded emojis, “team members” liking posts—this is next-level theater. Saayman got the invite posing as a company founder. Trust built over chats. Then the meeting with multiple “attendees.” Dry humor here: if it walks like a duck, quacks like a duck, and has a Proton Mail fallback, it’s probably Lazarus Group cosplaying as tech bros.
Meanwhile, voxpelli dodged a bullet weeks earlier. Same playbook: podcast invite, group chat hype, fake site pushing a shady macOS app. He said no to the curl pipe. They ghosted, nuked chats. “It’s creepy how they target you,” he noted. Creepy? Try state-sponsored persistence.
The malware? [email protected] drops setup.js via postinstall hook. Obfuscated nonsense—reversed Base64, XOR with OrDeR_7077 key. Spawns platform hell: macOS C++ daemon in Library/Caches, Windows PowerShell renamed to wt.exe via VBS, Linux Python in /tmp. All phoning home to sfrclak[.]com every minute. Then self-cleans. Neat freak hackers.
Why Did 2FA Crumble Like a Cookie?
Saayman had it enabled. Useless. RAT keystrokes everything—your TOTP app included. They swapped his npm email to [email protected], grabbed a classic token, published 1.14.1 and 0.30.4. No CI pipeline. No OIDC provenance. Axios had Trusted Publishing since 2023; legit releases screamed it. These? Silent fakes.
npm’s sin? No enforcement. You can’t mandate “CI-only publishes.” Strictest mode still allows local npm publish with browser 2FA—which a RAT screenscrapes. Shaanmajid nailed it: contributor mitigations stop short.
Here’s my unique spit-take: this echoes the 1994 Kevin Mitnick hacks, where he’d mirror company phone trees to phish creds. Back then, no Slack. Today? Same con, turbocharged with AI fakes (voxpelli suspects it). Bold prediction: by 2027, nation-states like DPRK will automate 80% of maintainer cons via LLM personas. Open source becomes espionage playground.
Six minutes. Socket scanner pings the poison. Three hours live—millions of weekly axios pulls at risk. Pipelines yanked it, but damage? Unknown. Google’s Mandiant tags UNC1069; Microsoft’s Sapphire Sleet. North Korea’s been at this since 2018 WAVESHAPER.
Is Open Source’s Security Model a Joke?
npm gaps scream for fixes. Enforce OIDC at registry level. Provenance checks mandatory. But maintainers? Solo warriors against APTs. Axios post-mortem’s gold—release rotation, machine hardening—but it’s whack-a-mole.
Corporate hype alert: Socket and pals crow about scanners. Sure, they flagged it fast. But prevention? Nah. Registries pat themselves on backs while hackers laugh. npm won’t reject non-CI? That’s not a feature; it’s a lawsuit waiting.
And developers? Blind installs. “But it’s axios!” Wake up. Verify sigs, attestations. Or enjoy your RCE cocktail.
Picture every OSS project as a velvet rope club. Hackers just VIP’d past security with forged invites. Time to bolt the doors—or at least check IDs.
Why Does This Matter for Every Developer?
You’re next. Not if—when. North Korea’s not stopping; they’re iterating. Fake GitHub stars? AI video calls? It’s coming. Unique insight: treat maintainer outreach like spam email. Zero trust. Verify offline.
npm’s fixing? Rumors of OIDC mandates. Good. But retrofitting trust? Painful. Bold call: OSS funds need bounties for social-eng defenses, not just code bugs.
Saayman’s machine? Nuked, rotated keys. Smart. But the scar: trust in wild west publishing? Gone.
Dry laugh: open source, free as in beer—and apparently, free as in ‘free RAT installs.’
🧬 Related Insights
- Read more: Escape the Framework Trap: Master the Engine-Adapter Pattern for Truly Adoptable Open-Source Tools
- Read more: Claude’s New MCP Server Knows Your Usage Habits Better Than You Do
Frequently Asked Questions
What happened in the axios supply chain attack?
North Korean hackers faked a company, tricked maintainer Jason Saayman into RAT via Teams “update,” published malware to npm versions 1.14.1/0.30.4. Lived 3 hours, hit unknown installs from 100M weekly pulls.
How did hackers bypass 2FA on npm?
RAT controlled the machine fully—read TOTP, swapped email, used tokens. Software 2FA fails post-compromise.
Is axios safe now and can npm prevent this?
Axios rotated everything; scan before install. npm needs CI-only enforcement—it’s possible but not default yet.
