North Korean Hackers Target High-Profile Node.js Maintainers

Summary

North Korean threat actor UNC1069, responsible for the Axios supply chain attack in March, has been conducting a sustained social engineering campaign targeting high-profile Node.js maintainers and open-source developers. The attackers use sophisticated, weeks-long infiltration tactics including fake Teams meetings and backdoor installation to compromise maintainers of packages with billions of downloads. The campaign mirrors previous operations targeting DeFi companies and cryptocurrency firms, posing significant risk to the open-source ecosystem.

Full text

The North Korean threat actor blamed for the Axios supply chain attack has been aiming its social engineering campaign at various Node.js maintainers, Socket reports. The Axios attack occurred on March 31, when two malicious package versions were published to the NPM registry. They were removed roughly three hours later, but were likely installed by over 3 million users. In a postmortem, Axios lead maintainer Jason Saayman explained that the hackers had infected his computer with a backdoor roughly two weeks before. The attackers used social engineering tactics previously observed in the DeceptiveDevelopment, Operation Dream Job, Contagious Interview, and ClickFake Interview campaigns. After inviting Saayman to a Slack workspace, the hackers scheduled a meeting on Microsoft Teams. When joining the meeting, the maintainer received an error message and was instructed to install a fake update that infected his system with the RAT. UNC1069, the North Korean hacking group blamed for the Axios supply chain attack, is now using similar social engineering tactics in a campaign targeting multiple high-profile Node.js maintainers.Advertisement. Scroll to continue reading. The attacks were aimed at Socket CEO Feross Aboukhadijeh, several Socket engineers, Node Package Maintenance Working Group member Wes Todd, Platformatic co-founder and CTO Matteo Collina, Dotenv creator Scott Motte, Node.js Security Working Group contributor Ulises Gascón, and others. The targeted individuals, Socket explains, maintain hundreds of NPM packages that have billions of downloads. All reported a similar social engineering attack as Saayman. The campaign was likely mounted over the course of several weeks, with great attention to detail, to make the lures as convincing as possible. The attackers built seemingly legitimate meeting infrastructure and established trust before tricking the intended victims into executing malware. “The operation takes weeks to execute and is deliberately designed to feel unremarkable. Attackers build rapport over time, schedule calls in advance and reschedule them, and conduct themselves with the professionalism of a legitimate business contact,” Socket notes. In February, Google warned that UNC1069 had been using the same tactics in attacks targeting DeFi companies, cryptocurrency entities, and venture capital firms. “I strongly recommend that the OSS maintainer community takes this very seriously. The specific personas and channels used for this attack are being investigated and taken down. But there are more. So many more. Report them. Talk about them. Share them. This is not your typical phishing,” security researcher Tay commented in the Axios postmortem thread. Related: North Korean Hackers Drain $285 Million From Drift in 10 Seconds Related: Polyfill Supply Chain Attack Impacting 100k Sites Linked to North Korea Related: TeamPCP Moves From OSS to AWS Environments Related: New ‘Sandworm_Mode’ Supply Chain Attack Hits NPM Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire North Korean Hackers Drain $285 Million From Drift in 10 SecondsCisco Patches Critical and High-Severity Vulnerabilities250,000 Affected by Data Breach at Nacogdoches Memorial HospitalMercor Hit by LiteLLM Supply Chain AttackSophisticated CrystalX RAT EmergesLinx Security Raises $50 Million for Identity Security and GovernanceDepthfirst Raises $80 Million in Series B FundingNew DeepLoad Malware Dropped in ClickFix Attacks Latest News Guardarian Users Targeted With Malicious Strapi NPM PackagesFortinet Rushes Emergency Fixes for Exploited Zero-DayEuropean Commission Confirms Data Breach Linked to Trivy Supply Chain AttackTrueConf Zero-Day Exploited in Asian Government AttacksIn Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by RansomwareCritical ShareFile Flaws Lead to Unauthenticated RCEMobile Attack Surface Expands as Enterprises Lose ControlReact2Shell Exploited in Large-Scale Credential Harvesting Campaign Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveScott Goree has been appointed Senior Vice President of Channel and Alliances at Delinea.Kai has named Nick Degnan as Chief Revenue Officer.Joe Sullivan has been appointed Strategic Advisor at cloud security firm Upwind.More People On The MoveExpert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — RAT (Remote Access Trojan)

Entities