    UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

By admin, April 4, 2026

    The maintainer of the Axios npm package has confirmed that the supply chain compromise was the result of a highly-targeted social engineering campaign orchestrated by North Korean threat actors tracked as UNC1069.

    Maintainer Jason Saayman said the attackers tailored their social engineering efforts “specifically to me” by first approaching him under the guise of the founder of a legitimate, well-known company.

    “They had cloned the company’s founders’ likeness as well as the company itself,” Saayman said in a post-mortem of the incident. “They then invited me to a real Slack workspace. This workspace was branded to the company’s CI and named in a plausible manner. The Slack [workspace] was thought out very well; they had channels where they were sharing LinkedIn posts.”

    Subsequently, the threat actors are said to have scheduled a meeting with him on Microsoft Teams. Upon joining the fake call, he was presented with a fake error message that stated “something on my system was out of date.” As soon as the update was triggered, the attack led to the deployment of a remote access trojan.

    The access afforded by the trojan enabled the attackers to steal the npm account credentials necessary to publish two trojanized versions of the Axios npm package (1.14.1 and 0.30.4) containing an implant named WAVESHAPER.V2.

    “Everything was extremely well coordinated, looked legit, and was done in a professional manner,” Saayman added.

    The attack chain described by the project maintainer shares considerable overlaps with tradecraft associated with UNC1069 and BlueNoroff. Details of the campaign were extensively documented by Huntress and Kaspersky last year, with the latter tracking it under the moniker GhostCall.

    Source: Kaspersky

    In these attacks, users are displayed an error message seconds after joining the call, stating that their system is not functioning properly and instructing them to download a malicious Zoom or Teams SDK through a ClickFix-like pop-up message. Depending on the operating system of the victim, this action leads to the execution of an AppleScript (for macOS) or a PowerShell (for Windows) script.

One of the malicious payloads deployed as part of the attack chain is a Nim-based macOS backdoor (or a Go variant written for Windows) called CosmicDoor that delivers a comprehensive stealer suite dubbed SilentSiphon to capture credentials from web browsers and password managers, and secrets associated with GitHub, GitLab, Bitbucket, npm, Yarn, Python pip, RubyGems, Rust cargo, and .NET NuGet.

As detailed by Google-owned Mandiant in February 2026, some of these attacks have also paved the way for the deployment of a C++ malware called WAVESHAPER, which then serves as a conduit for additional downloaders, backdoors, and information stealers such as HYPERCALL, SUGARLOADER, HIDDENCALL, SILENCELIFT, DEEPBREATH, and CHROMEPUSH.

    “Historically, […] these specific guys have gone after crypto founders, VCs, public people,” security researcher Taylor Monahan said. “They social engineer them and take over their accounts and target the next round of people. This evolution to targeting [OSS maintainers] is a bit concerning in my opinion.”

    As preventive steps, Saayman has outlined several changes, including resetting all devices and credentials, setting up immutable releases, adopting OIDC flow for publishing, and updating GitHub Actions to adopt best practices.

    The findings demonstrate how open-source project maintainers are increasingly becoming the target of sophisticated attacks, effectively allowing threat actors to target downstream users at scale by publishing poisoned versions of highly popular packages.

    With Axios attracting nearly 100 million weekly downloads and being used heavily across the JavaScript ecosystem, the blast radius of such a supply chain attack can be massive as it propagates swiftly through direct and transitive dependencies.

    “A package as widely used as Axios being compromised shows how difficult it is to reason about exposure in a modern JavaScript environment,” Socket’s Ahmad Nassri said. “It is a property of how dependency resolution in the ecosystem works today.”

    Axios Attack Part of Broader, Coordinated Campaign

In a follow-up analysis published on Friday, Socket said several maintainers across the Node.js ecosystem have come forward, indicating that high-impact, open-source project maintainers were unsuccessfully targeted as part of what has been described as a coordinated social engineering campaign.

“The attack chain: build rapport over weeks, schedule a video call, fake an audio error, prompt the target to install a ‘fix.’” Socket CEO Feross Aboukhadijeh said. “That fix is a RAT. Once it’s on your machine, they have your .npmrc tokens, browser sessions, AWS creds, and Keychain. 2FA doesn’t matter. OIDC publishing doesn’t matter. Game over.”

    Targets included Socket’s own engineers, Jordan Harband, who maintains ECMAScript polyfills and shims, and John-David Dalton, who is the creator of Lodash, a popular JavaScript utility library that offers methods to handle arrays, objects, and other types of data. Also targeted were Matteo Collina, the lead maintainer of Fastify, Pino, and Undici, Scott Motte, the creator of dotenv, and Pelle Wessman, who is a maintainer of mocha, neostandard, npm-run-all2, and type-fest.

    While initial contact with Collina was via a Slack message, Wessman was invited to participate in a podcast recording, as part of which he was instructed to join a video call that turned out to be a fake version of the Streamyard live recording platform.

    Once the call began, the bogus site displayed a “technically plausible error message” and prompted Wessman to download a native app to resolve it. When Wessman refused to run it, the North Korean threat actors switched tactics and asked him to run a curl command in the Terminal app. Having failed in this effort too, they erased all conversations and went dark.

    In another case documented by Jean Burellier, a Node.js core collaborator and contributor to Express, the social engineering effort began with a LinkedIn message from the threat actors, posing as the representative of a company named Openfort. After the initial trust-building exercise, Burellier was invited to join two Slack workspaces. As soon as he joined, he was placed in a private channel with no other visible members and invited to join a fake Microsoft Teams call.

    From here, the attack chain mirrors that of what Huntress, Kaspersky, and Google documented, with the fake Teams page displaying a message to update the Teams SDK. When Burellier declined to install the update and suggested rescheduling the call, he was removed from the Slack workspaces, and the conversations were deleted.

    “The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself, and together they confirm that Axios was not a one-off target,” the software supply chain security company said. “It was part of a coordinated, scalable attack pattern aimed at high-trust, high-impact open source maintainers.”

    (The story was updated after publication on April 4, 2026, to reflect the latest developments.)
