Axios A.I CyberSecurity Scoring
Axios
Company Information
Website: https://www.axios.com/
Employees number: 619
Number of followers: 77,832
NAICS: 5191311
Industry Type: Internet News
Homepage: axios.com
Axios Risk Score (AI oriented)
Between 700 and 749
Updated: 06/04/2026
701/1000
Moderate
Ba
Axios Global Score (TPRM)
Score locked
Current Score
701 Ba (MODERATE)
4 incidents
-46 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
704
MAY 2026
702
APRIL 2026
738
Cyber Attack
31 Mar 2026 • Axios
Platformatic, Axios and Node.js: North Korean Hackers Target High-Profile Node.js Maintainers
North Korean Hackers Target Node.js Maintainers in Sophisticated Supply Chain Attack
701
CRITICAL-37
NODOPEAXI1775479086
A North Korean threat group, UNC1069, has been linked to a social engineering campaign targeting high-profile Node.js maintainers, following a supply chain attack on Axios in late March. The attackers published two malicious NPM packages on March 31, which were downloaded by an estimated 3 million users before being removed within three hours.
The breach began when Axios lead maintainer Jason Saayman was infected with a backdoor after falling victim to a fake Microsoft Teams meeting. The attackers, posing as legitimate contacts, lured Saayman into installing a remote access trojan (RAT) under the guise of a required update. This tactic mirrors those used in previous campaigns, including DeceptiveDevelopment, Operation Dream Job, Contagious Interview, and ClickFake Interview.
The same group has since expanded its efforts, targeting multiple Node.js maintainers, including Socket CEO Feross Aboukhadijeh, Wes Todd (Node Package Maintenance Working Group), Matteo Collina (Platformatic), Scott Motte (Dotenv), and Ulises Gascón (Node.js Security Working Group). These individuals oversee hundreds of NPM packages with billions of downloads, making them prime targets for supply chain compromise.
The campaign, executed over several weeks, involved meticulous social engineering: attackers built fake meeting infrastructure, established trust, and conducted themselves with professionalism to avoid suspicion. Socket noted that the operation was designed to appear routine, with attackers scheduling and rescheduling calls to blend in with legitimate business interactions.
In February, Google warned that UNC1069 had used similar tactics against DeFi companies, cryptocurrency firms, and venture capital entities. Security researchers have urged the open-source community to remain vigilant, as the group continues to refine its methods.
The Axios attack and subsequent targeting of Node.js maintainers highlight the growing threat of supply chain attacks orchestrated by state-backed actors, with potential for widespread disruption given the scale of the affected packages.
Cyber Attack
31 Mar 2026 • Axios
Axios and Google: North Korean Hackers Linked To Major Security Breach In Suspected Crypto Theft Attempt
North Korean Hackers Target U.S. Firms in Supply-Chain Attack to Fund Nuclear Program
701
CRITICAL-37
AXIGOO1775048584
A suspected North Korean hacking group compromised a software developer’s account tied to Axios, a widely used tool for connecting applications and web services, in a supply-chain attack aimed at stealing cryptocurrency. The breach occurred on Tuesday morning, when attackers gained control of the developer’s account for three hours, pushing malicious updates to organizations that downloaded the software, including cryptocurrency firms, blockchain developers, and tech companies in the crypto sector.
Security experts warn the incident is part of a long-term campaign by Pyongyang to siphon digital assets, which are reportedly funneled into funding North Korea’s nuclear and missile programs. Google’s Threat Intelligence Group detected similar activity, attributing the attack to a financially motivated North Korea-linked threat actor. The group’s analysis suggests the breach could lead to further supply-chain attacks, ransomware operations, or additional cryptocurrency theft in the near term.
This attack aligns with a broader trend of escalating cybercrime by North Korean operatives. In 2025, hackers from the country stole $2.02 billion in cryptocurrency, a 51% increase from the previous year, marking the most lucrative period yet for such thefts, according to blockchain analytics firm Chainalysis. The incident underscores the regime’s reliance on cyber heists as a critical revenue stream amid international sanctions.
MARCH 2026
756
Cyber Attack
30 Mar 2026 • Axios
npm: One of JavaScript's most popular libraries compromised by hackers — Axios npm package hit in supply chain attack that deployed a cross-platform RAT
Malicious npm Packages Target Axios Users in Supply Chain Attack
701
CRITICAL-55
NPM1774974567
On March 30–31, an attacker compromised the npm account of a lead Axios maintainer (jasonsaayman) and published two trojanized versions of the widely used JavaScript HTTP client library. The malicious releases, axios@1.14.1 and axios@0.30.4, were designed to infect developer machines across macOS, Windows, and Linux with a cross-platform remote access trojan (RAT).
The attack leveraged a hidden dependency, [email protected], disguised as the legitimate crypto-js library. Though never referenced in Axios’s source code, the package executed a postinstall script that contacted a command-and-control (C2) server (sfrclak.com), downloaded a platform-specific RAT payload, and then erased all traces of its execution. The malware deployed differently per OS:
- macOS: Dropped a binary at /Library/Caches/com.apple.act.mond, mimicking an Apple system process.
- Windows: Copied PowerShell to %PROGRAMDATA%\wt.exe and ran a hidden script.
- Linux: Installed a Python-based RAT at /tmp/ld.py.
The attacker staged the operation over 18 hours, first publishing a clean decoy version of plain-crypto-js at 05:57 UTC on March 30, followed by the malicious version at 23:59 UTC. The compromised Axios account then released the poisoned packages [email protected] at 00:21 UTC and [email protected] at 01:00 UTC on March 31, targeting both modern (1.x) and legacy (0.x) branches within 39 minutes.
StepSecurity’s analysis found the malware initiated C2 communication just 1.1 seconds after installation. After execution, the dropper script (setup.js) deleted itself, replaced its package.json with a clean stub, and altered version metadata to evade detection. Forensic inspection of the installed package would show no signs of tampering.
The malicious versions remained live for 2–3 hours before npm unpublished them and locked plain-crypto-js. Neither compromised release appears in Axios’s GitHub repository, confirming they were published directly to npm outside the project’s CI/CD pipeline.
Security firms including StepSecurity, Snyk, Wiz, and Vercel have warned that any system running the malicious packages should be considered fully compromised, with all credentials rotated immediately. The incident is tracked in GitHub issue axios/axios#10604. Axios is downloaded roughly 100 million times weekly, amplifying the potential impact.
FEBRUARY 2026
756
JANUARY 2026
757
DECEMBER 2025
757
NOVEMBER 2025
757
OCTOBER 2025
757
SEPTEMBER 2025
756
AUGUST 2025
756
JULY 2025
756
FEBRUARY 2021
759
Cyber Attack
19 Feb 2021 • Axios
Axios: Attackers hijack Axios npm account to spread RAT malware
Axios npm Account Hijacked to Distribute Cross-Platform RAT Malware
741
CRITICAL-18
AXI1775003215
On March 31, 2026, threat actors compromised the npm account of Axios, a widely used JavaScript library with over 100 million weekly downloads, to distribute remote access trojan (RAT) malware across Linux, Windows, and macOS. The supply chain attack was detected by security firms Aikido Security and Socket after malicious versions of Axios (`1.14.1` and `0.30.4`) were published without proper OIDC verification or matching GitHub commits.
Attackers likely gained access through the compromised npm account of maintainer Jason Saayman, injecting a malicious dependency (`plain-crypto-js`) that deployed a cross-platform RAT. The malware used obfuscation techniques and a post-install script to execute automatically, downloading a second-stage payload tailored to the victim’s OS. On macOS, researchers confirmed the delivery of a fully functional RAT capable of system reconnaissance, C2 communication, and command execution.
To evade detection, the malware deleted its own traces after execution, restoring the package to appear clean. The attack window was brief, but given Axios’ 400 million monthly downloads, the potential impact was significant.
Security researchers also identified two additional malicious packages, @shadanai/openclaw and @qqbrowser/openclaw-qbot, that spread the same malware via hidden dependencies. These packages leveraged automated build pipelines to propagate the infection, demonstrating how a single compromised dependency can rapidly affect downstream projects.
Indicators of compromise (IOCs) were provided by Socket and Aikido Security to help detect affected systems. While the attack was contained quickly, organizations using Axios were advised to verify installations for the malicious versions or artifacts.
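One way to run the verification described above, as an added example that is not code from this page or from the security firms it cites: it audits a parsed package-lock.json for the two malicious axios versions and for plain-crypto-js, and checks for the dropped file paths listed in the 30 Mar 2026 entry. It reads the lockfile rather than node_modules because the dropper is described as restoring its installed package to a clean state; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example. IoC values are the ones quoted on this page; SAMPLE_LOCK is constructed.
const BAD_AXIOS = new Set(['1.14.1', '0.30.4']);
const BAD_DEP = 'plain-crypto-js'; // flagged at any version
const ARTIFACTS = {
  darwin: ['/Library/Caches/com.apple.act.mond'],
  linux: ['/tmp/ld.py'],
  win32: ['%PROGRAMDATA%\\wt.exe'],
};
function classify(name, version, where) {
  if (name === 'axios' && BAD_AXIOS.has(version)) return { where, name, version, reason: 'trojanized axios release' };
  if (name === BAD_DEP) return { where, name, version, reason: 'dropper dependency' };
  return null;
}
// Accepts a parsed package-lock.json (lockfileVersion 1, 2 or 3).
function auditLockfile(lock) {
  const findings = [];
  const add = (f) => { if (f) findings.push(f); };
  if (lock.packages) {
    // v2/v3: flat map keyed by install path, e.g. "node_modules/a/node_modules/axios"
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '') continue; // root project entry
      const i = key.lastIndexOf('node_modules/');
      add(classify(meta.name || (i < 0 ? key : key.slice(i + 13)), meta.version, key));
    }
  } else {
    // v1: nested "dependencies" tree
    const walk = (deps, path) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        add(classify(name, meta.version, `${path}/${name}`));
        walk(meta.dependencies, `${path}/${name}`);
      }
    };
    walk(lock.dependencies, '');
  }
  return findings;
}

// Dropped files named on this page; pass fs.existsSync as `exists` on a real host.
function presentArtifacts(platform, exists, env = {}) {
  return (ARTIFACTS[platform] || [])
    .map((p) => p.replace('%PROGRAMDATA%', env.PROGRAMDATA || 'C:\\ProgramData'))
    .filter((p) => exists(p));
}

const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/axios': { version: '1.14.1' },
  'node_modules/plain-crypto-js': { version: '0.0.0-placeholder' }, // version is a placeholder
  'node_modules/legacy/node_modules/axios': { version: '0.27.2' },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

A clean result from the artifact check does not clear a host that installed one of the flagged versions, since the page reports that the malware removed traces of its own execution.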