UNC1069 Targets Node.js Maintainers via Fake LinkedIn, Slack Profiles
UNC1069 targets Node.js maintainers via fake LinkedIn/Slack profiles to compromise npm packages.
Summary
North Korean threat group UNC1069 is conducting a coordinated social engineering campaign against open-source maintainers, particularly those managing Node.js and npm packages. The attackers use fake LinkedIn and Slack profiles, posing as recruiters or podcast hosts, building rapport over weeks before delivering remote access trojans (RATs) disguised as software fixes. The ultimate goal is to steal maintainer credentials and gain write access to push malicious code into widely-used packages, affecting millions of downstream users.
Full text
by Deeba Ahmed, April 4, 2026

A coordinated group of hackers is currently targeting open-source maintainers, particularly those managing Node.js and npm packages, following a high-profile attack on the popular Axios npm package.

Security experts at Socket investigated these attacks and found that the hackers use social engineering to initiate contact through LinkedIn or Slack, posing as recruiters or podcast hosts under fake company profiles and using fake meeting sites that look exactly like Microsoft Teams or Zoom.

How the Trick Works

According to Socket’s research, these scammers are very patient: they spend weeks building rapport before sending the suspicious link. For example, on 5 March 2026, developer Jean Burellier was contacted on LinkedIn by someone posing as a representative of Openfort, and was not invited to a call until 23 March, via a link that appeared to be teams.microsoft.com but redirected to a copycat site, teams.onlivemeet.com.

During the call, the attackers pretend there is a technical glitch and ask the expert to download a small fix. This file is actually a remote access trojan (RAT), which gives the hackers total control over the victim’s computer. The attackers’ ultimate goal is to steal the maintainer’s credentials in order to gain “write access” to their projects and push malicious code directly into official software updates.

Screenshots via Socket

“There’s A LOT leading up to the call. It’s not urgent, pressing, or suspicious at all. It’s not a one-click, get phished. They’ll schedule a call for next week and then reschedule it for the week after. It’s crazy disarming,” Socket’s security researcher Tay (@tayvano_) explained.
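The lure described above hinges on a meeting link whose visible text names the real Teams host while the actual destination is a lookalike domain. The following is an added example of a pre-click checker a maintainer or mail-gateway could run; it is not code from Socket or Hackread. The trusted-domain allowlist, the brand-label list and the sample invite are constructed for illustration, and the redirect chain is supplied as a list (as a sandbox or redirect trace would record it) rather than fetched live; teams.onlivemeet.com is the lookalike host the article reports.

```python
"""Pre-click check for meeting invites: flags lookalike conferencing hosts.

Added example, not code from Socket or Hackread. The trusted-domain list and the
sample invite are constructed; teams.onlivemeet.com is the lookalike host the
article reports.
"""
from urllib.parse import urlsplit

# Constructed allowlist of registrable conferencing domains. Any subdomain of an
# entry is accepted (us02web.zoom.us, teams.microsoft.com, ...).
TRUSTED_MEETING_DOMAINS = (
    "teams.microsoft.com",
    "zoom.us",
    "streamyard.com",
    "meet.google.com",
)

# Brand words that lookalike hosts borrow. teams.onlivemeet.com reuses "teams"
# under a registrable domain Microsoft does not own.
BRAND_LABELS = frozenset({"teams", "microsoft", "zoom", "streamyard", "meet", "google"})


def _host_of(url):
    """Lower-cased hostname of an http(s) URL, or '' if it has none.
    Bare 'host/path' strings (as shown in link text) are treated as https."""
    parts = urlsplit(url)
    if not parts.scheme:
        parts = urlsplit("https://" + url)
    if parts.scheme not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower().rstrip(".")


def _under(host, domain):
    """True if host is domain itself or a subdomain of it (match on a label boundary,
    so teams.microsoft.com.evil.example is NOT under teams.microsoft.com)."""
    return host == domain or host.endswith("." + domain)


def classify_meeting_link(url):
    """Classify one URL: returns (verdict, reason) with verdict one of
    'trusted', 'lookalike', 'unknown', 'invalid'."""
    host = _host_of(url)
    if not host:
        return "invalid", "not an http(s) URL with a hostname"
    if any(_under(host, d) for d in TRUSTED_MEETING_DOMAINS):
        return "trusted", "%s is under a trusted conferencing domain" % host
    borrowed = sorted(set(host.split(".")) & BRAND_LABELS)
    if borrowed:
        return "lookalike", "%s reuses brand label(s) %s outside any trusted domain" % (host, borrowed)
    return "unknown", "%s is not a known conferencing host" % host


def _looks_like_host(text):
    """Link text such as 'teams.microsoft.com/l/...' rather than 'Join the call'."""
    text = text.strip()
    return "." in text and not any(ch.isspace() for ch in text)


def audit_invite(display_text, resolved_urls):
    """Audit one invite. display_text is what the victim sees; resolved_urls is
    the chain the link actually resolves through (href first, landing page last).
    Returns (decision, findings) with decision 'ok', 'review' or 'block'."""
    findings = []
    decision = "ok"
    landing = _host_of(resolved_urls[-1]) if resolved_urls else ""
    shown = _host_of(display_text) if _looks_like_host(display_text) else ""
    # Displayed host and landing host disagree: the classic "looks like Teams" lure.
    if shown and shown != landing:
        findings.append("displayed host %s differs from landing host %s" % (shown, landing or "(none)"))
        decision = "block"
    # Every hop counts: a lookalike anywhere in the chain blocks the invite.
    for url in resolved_urls:
        verdict, reason = classify_meeting_link(url)
        findings.append(reason)
        if verdict in ("lookalike", "invalid"):
            decision = "block"
        elif verdict == "unknown" and decision == "ok":
            decision = "review"
    if not resolved_urls:
        decision = "block"
        findings.append("invite link did not resolve anywhere")
    return decision, findings


if __name__ == "__main__":
    # Constructed invite modelled on the article: the link text shows the real
    # Teams host while the href lands on the lookalike domain.
    decision, findings = audit_invite(
        "teams.microsoft.com/l/meetup-join/example",
        ["https://teams.onlivemeet.com/join/example"],
    )
    print(decision)
    for line in findings:
        print(" -", line)
```

The brand-label check deliberately fires on any hostname that borrows a conferencing brand name outside the allowlist, including hosts such as teams.microsoft.com.evil.example that pass a naive substring test; unknown hosts are only routed to review so that legitimate but unlisted tools are not silently blocked.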
Key Targets

The attackers used a spoofed StreamYard platform to trick Pelle Wessman, a maintainer of Mocha, into downloading malware. Another expert, Matteo Collina, nearly fell for a Slack message on 2 April, while others such as Scott Motte (creator of dotenv) and John-David Dalton (creator of Lodash) were also targeted. They even went after Socket CEO Feross Aboukhadijeh, the creator of WebTorrent and buffer, who noted that this type of targeting is becoming the “new normal.”

Scott Motte (@motdotla), April 3, 2026: “I (dotenv) was targeted as well.” pic.twitter.com/rgFS8vYrUw

Matteo Collina (@matteocollina), April 2, 2026: “I’ve just learned more details about the axios hack and… they tried to hack me too! Didn’t work, but gosh.”

A New Level of Danger

This is a challenging situation because, while most of us think two-factor authentication (2FA) is enough, researchers explained that a hacker can bypass these security steps entirely by obtaining deep access using tools like WAVESHAPER or HYPERCALL.

Behind this chaos is a financially motivated North Korean group, UNC1069. Google has formally blamed UNC1069 for the recent Axios attack, noting that it is a cluster of hackers with “deep experience with supply chain attacks.”

As per Socket’s research, UNC1069 is no longer chasing individual victims, having likely realised that compromising just one person who manages a popular tool lets them reach millions of users at once. While experts are the targets, it is everyday users who end up with the malware. Therefore, maintainers should be wary of any invite that requires a software install, while the rest of us must keep our systems updated to stay safe.

Deeba Ahmed is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events.
Indicators of Compromise
- domain — teams.onlivemeet.com
- malware — WAVESHAPER
- malware — HYPERCALL