North Korean Hackers Target Axios Maintainer in npm Attack

The maintainer of the widely used Axios JavaScript library has confirmed a recent supply chain attack was the result of a sophisticated social engineering campaign conducted by North Korean state-sponsored hackers. The incident, which targeted the npm package registry, underscores the persistent threat posed by advanced persistent threat groups to the open-source software ecosystem.

Maintainer Jason Saayman stated the attackers, tracked by cybersecurity researchers as UNC1069, tailored their approach specifically to him. The campaign began with the threat actors posing as the founder of a legitimate technology company to initiate contact.

Details of the Social Engineering Campaign

According to Saayman, the initial interaction appeared professional and credible. The individuals, using fabricated identities, engaged him in discussions about potential job opportunities and technical collaborations. This established a veneer of trust before they shifted tactics.

The attackers eventually persuaded Saayman to run a malicious script under the guise of a routine software test or development task. This script is believed to have stolen his npm authentication credentials, which the threat actors then used to publish compromised versions of the Axios package.

Impact and Response

Axios is a core HTTP client library used by millions of developers and is included in countless web applications and Node.js projects worldwide. A successful compromise could have led to data theft, further network intrusion, or malware deployment on dependent systems.

Upon discovery, the malicious packages were swiftly removed from the npm registry. Saayman and npm administrators revoked the stolen credentials and took steps to secure the official Axios package. Security advisories were issued to warn the developer community.

Investigations by platform security teams and independent researchers confirmed the attribution to UNC1069, a group known for its financially motivated cyber operations and links to the North Korean regime.

Broader Implications for Open Source Security

This event highlights a critical vulnerability in the open-source supply chain: the reliance on individual maintainers. Many essential projects are managed by a single person or a small, often volunteer, team. These individuals become high-value targets for nation-state actors seeking to inject malicious code into foundational software.

The attack method, social engineering, bypasses technical security measures entirely. It exploits human psychology and trust, making it difficult to defend against with code alone. The highly targeted nature of the approach, a form of spear-phishing, demonstrates the level of reconnaissance these groups undertake.

Security experts recommend maintainers enable multi-factor authentication on all publishing accounts, use hardware security keys where possible, and be vigilant about unsolicited professional communications. Organizations using open-source dependencies are advised to implement strict software composition analysis and artifact verification processes.

The npm registry administrators are expected to continue their investigation and may release further technical indicators of compromise. The cybersecurity community anticipates increased scrutiny on maintainer account security and potential updates to npm’s publishing safeguards in response to this incident.

Source: Original maintainer disclosure and security advisories
