UNC1069 Axios npm Supply Chain Attack

What if the next update to your favorite npm package came laced with North Korean spyware? That's exactly what happened to Axios — and it started with a too-perfect Slack invite.


Key Takeaways

  • UNC1069 used hyper-realistic Slack/Teams fakes to plant a RAT on the Axios maintainer's machine, then published trojanized packages with his credentials.
  • Axios' 100M weekly downloads highlight npm's blast radius; transitive deps hide risks.
  • Fixes like OIDC and immutable releases are essential, but expect more state-sponsored OSS hits.

Ever wonder why your code’s safety net feels like Swiss cheese?

North Korean hackers, tracked as UNC1069, just exposed it. They didn’t blast the Axios npm package with brute force. No, they played the long game — social engineering the maintainer himself into handing over the keys.

Jason Saayman, the guy behind Axios, spilled the details in a raw post-mortem. Attackers cloned a legit company’s founder, down to the likeness, then lured him into a fake Slack workspace. Branded just right, with CI channels and LinkedIn shares that screamed authenticity.

Here’s the kicker.

They scheduled a Teams call. He joins — bam, fake error: ‘Update your system.’ Click, and a remote access trojan slips in. Credentials stolen. Two poisoned versions drop: 1.14.1 and 0.30.4, packing WAVESHAPER.V2 spyware.

“Everything was extremely well coordinated, looked legit, and was done in a professional manner,” Saayman added.

Coordinated? Understatement. This mirrors UNC1069’s playbook — overlaps with BlueNoroff tactics Huntress and Kaspersky clocked last year. GhostCall, they called it. Crypto founders, VCs: old targets. Now? Open-source maintainers.

How Did UNC1069 Crack the Axios Maintainer?

Picture this: You’re Jason. Email pings from a founder you respect. Slack invite — real workspace, plausible name. Channels buzzing with posts you’d expect. No red flags waving.

But dig deeper. They tailored it “specifically to me,” Saayman says. Not spray-and-pray phishing. Precision strike.

Teams call seals it. Fake update prompt — classic RAT drop. npm creds nabbed. Publish malicious packages. Axios pulls 100 million weekly downloads. Transitive deps? Chaos multiplier.

Saayman’s fixes? Wipe devices, immutable releases, OIDC for publishing, GitHub Actions lockdown. Smart. But reactive.

And here’s my take — the unique angle Axios’ postmortem glosses over: This isn’t evolution; it’s a throwback to Stuxnet-era supply chain sabotage, but democratized for JavaScript’s wild west. North Korea’s not just stealing crypto anymore. They’re building persistent footholds in dev tools, and I predict a wave of OSS maintainer hits as AI agents automate the cloning.

Why Are Open-Source Maintainers the Perfect Mark?

They’re the gatekeepers. Solo warriors — or small teams — for packages millions rely on. No corporate moats. Personal emails, LinkedIn profiles: open books.

UNC1069 knows it. Taylor Monahan nails it: “Historically, […] these specific guys have gone after crypto founders, VCs, public people. They social engineer them and take over their accounts and target the next round of people. This evolution to targeting [OSS maintainers] is a bit concerning in my opinion.”

Concerning? Try terrifying. Axios isn’t niche. It’s everywhere — React apps, Node servers. One tainted release ripples out.

Ahmad Nassri from Socket cuts to the chase: Modern JS dependency hell makes exposure invisible. You pull Axios 1.6? Fine. But that sub-dep? Maybe not.

What Makes npm a Hacker’s Dream?

Short answer: Scale.

Long one? npm’s flat namespace, weekly billions of pulls, transitive madness. Signing isn’t built in for every package. Publishers trust credentials over keys — until now.

Saayman’s OIDC shift? Gold standard. But adoption lags. GitHub’s pushing it. npm too. Yet, 2024, and we’re still credential-wrangling.

Look, companies hype ‘secure by design.’ Bull. This attack screams architectural rot: Social engineering bypasses it all because humans publish.

My prediction? UNC1069’s test balloon. Expect copycats — China, Russia — hitting PyPI, Maven next. OSS bounties won’t cut it; we need maintainer collectives, AI vetting for anomalies, mandatory 2FA with hardware everywhere.

But will we get there before the next Axios?

Shift happens underground first.

North Korea’s statecraft — sanctions-dodging via code — funds missiles. UNC1069’s not rogue; it’s DPRK machinery, per Mandiant ties. They evolve fast because failure’s free.

Saayman reset everything. Good. But ecosystem-wide? Socket scans helped yank the bad versions quick. Still, downloads happened. Implants lurking?

Is Your Project Exposed to Axios-Like Attacks?

Check deps. `npm audit`. But transitive? Tools like Socket, Snyk — layer them.

Unique insight time: This foreshadows ‘maintainer fatigue’ exploits. OSS relies on volunteers burning out. Hackers bet on that exhaustion. Solution? Paid maintainer funds, like Protocol Labs experiments. Corporate OSS dependency without the payroll.
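As an added example (not from the post or from the Axios project), a lockfile scanner that extends the `npm ls axios` check from this section and the FAQ to every transitive copy of axios in `package-lock.json`, flagging the two versions the post names; the embedded lockfile is a constructed sample.

```python
"""Scan an npm package-lock.json for the trojanized axios releases named in the
post (1.14.1 and 0.30.4), including copies nested under other dependencies.
Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages")."""
import json
import sys
from typing import Iterator, List, Tuple

# The two versions the post says the attacker published.
BAD_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}

def _walk_v1(deps: dict, prefix: str) -> Iterator[Tuple[str, str]]:
    """Recurse the lockfileVersion 1 tree, yielding (install path, version)."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if name == "axios" and "version" in meta:
            yield path, meta["version"]
        yield from _walk_v1(meta.get("dependencies", {}), path + "/")

def iter_axios_entries(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (install path, version) for every copy of axios in the lockfile."""
    if "packages" in lock:  # lockfileVersion 2/3: keys are paths from the root
        for path, meta in lock["packages"].items():
            # Last path segment must be exactly "axios" (not axios-retry or @x/axios).
            if path.split("node_modules/")[-1] == "axios" and "version" in meta:
                yield path, meta["version"]
    else:  # lockfileVersion 1: nested trees
        yield from _walk_v1(lock.get("dependencies", {}), "")

def find_bad_axios(lock_text: str) -> List[Tuple[str, str]]:
    """Return [(path, version)] for axios copies on the known-bad list."""
    lock = json.loads(lock_text)
    return [(p, v) for p, v in iter_axios_entries(lock) if v in BAD_AXIOS_VERSIONS]

# Constructed sample: a clean direct axios plus a bad copy hidden under a sub-dep.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.6.0", "some-sdk": "^2.0.0"}},
        "node_modules/axios": {"version": "1.6.8"},
        "node_modules/axios-retry": {"version": "4.0.0"},
        "node_modules/some-sdk": {"version": "2.0.0"},
        "node_modules/some-sdk/node_modules/axios": {"version": "0.30.4"},
    },
})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    hits = find_bad_axios(text)
    for path, version in hits:
        print(f"KNOWN-BAD axios {version} at {path}")
    sys.exit(1 if hits else 0)
```

Pass a real lockfile path as the first argument; a non-zero exit makes it usable as a CI gate.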


Frequently Asked Questions

What caused the Axios npm supply chain attack?

UNC1069 used targeted social engineering: fake Slack from cloned CEO, Teams call with RAT via fake update, stealing maintainer creds.

How do I check if my project got the bad Axios versions?

Run `npm ls axios` for 1.14.1 or 0.30.4; update to latest, use `npm audit`. Scan transitives with Socket or GitHub Dependabot.

Will North Korean hackers target more npm packages?

Likely — OSS maintainers are low-hanging fruit for state actors chasing scale. Lock down with OIDC, hardware keys.

Written by Priya Sundaram

Hardware and infrastructure reporter. Tracks GPU wars, chip design, and the compute economy.



Originally reported by The Hacker News
