North Korean Hackers Target Node.js Maintainers in Sophisticated Supply Chain Attack A North Korean threat group, UNC1069, has been linked to a social engineering campaign targeting high-profile Node.js maintainers, following a supply chain attack on Axios in late March. The attackers published two malicious NPM packages on March 31, which were downloaded by an estimated 3 million users before being removed within three hours. The breach began when Axios lead maintainer Jason Saayman was infected with a backdoor after falling victim to a fake Microsoft Teams meeting. The attackers, posing as legitimate contacts, lured Saayman into installing a remote access trojan (RAT) under the guise of a required update. This tactic mirrors those used in previous campaigns, including DeceptiveDevelopment, Operation Dream Job, Contagious Interview, and ClickFake Interview. The same group has since expanded its efforts, targeting multiple Node.js maintainers, including Socket CEO Feross Aboukhadijeh, Wes Todd (Node Package Maintenance Working Group), Matteo Collina (Platformatic), Scott Motte (Dotenv), and Ulises Gascón (Node.js Security Working Group). These individuals oversee hundreds of NPM packages with billions of downloads, making them prime targets for supply chain compromise. The campaign, executed over several weeks, involved meticulous social engineering attackers built fake meeting infrastructure, established trust, and conducted themselves with professionalism to avoid suspicion. Socket noted that the operation was designed to appear routine, with attackers scheduling and rescheduling calls to blend in with legitimate business interactions. In February, Google warned that UNC1069 had used similar tactics against DeFi companies, cryptocurrency firms, and venture capital entities. Security researchers have urged the open-source community to remain vigilant, as the group continues to refine its methods. The Axios attack and subsequent targeting of Node.js maintainers highlight the growing threat of supply chain attacks orchestrated by state-backed actors, with potential for widespread disruption given the scale of the affected packages.