{"id":487,"date":"2026-04-03T13:19:37","date_gmt":"2026-04-03T13:19:37","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=487"},"modified":"2026-04-03T13:19:37","modified_gmt":"2026-04-03T13:19:37","slug":"unc1069-social-engineering-of-axios-maintainer-led-to-npm-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=487","title":{"rendered":"UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\"><\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\"><\/i><span class=\"author\">Apr 03, 2026<\/span><\/span><span class=\"p-tags\">Threat Intelligence \/ Malware<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>The maintainer of the Axios npm package has confirmed that the supply chain compromise was the result of a highly targeted social engineering campaign orchestrated by North Korean threat actors tracked as UNC1069.<\/p>\n<p>Maintainer <b>Jason Saayman<\/b> said the attackers tailored their social engineering efforts \u201cspecifically to me\u201d by first approaching him under the guise of the founder of a legitimate, well-known company.<\/p>\n<p>\u201cThey had cloned the company&#8217;s founders&#8217; likeness as well as the company itself,\u201d Saayman <a href=\"https:\/\/github.com\/axios\/axios\/issues\/10636\">said<\/a> in a post-mortem of the incident. 
\u201cThey then invited me to a real Slack workspace. This workspace was branded to the company&#8217;s CI and named in a plausible manner. The Slack [workspace] was thought out very well; they had channels where they were sharing LinkedIn posts.\u201d<\/p>\n<p>Subsequently, the threat actors are said to have scheduled a meeting with him on Microsoft Teams. Upon joining the fake call, he was presented with a fake error message that stated \u201csomething on my system was out of date.\u201d As soon as the update was triggered, the attack led to the deployment of a remote access trojan.<\/p>\n<p>The access afforded by the trojan enabled the attackers to steal the npm account credentials necessary to publish two trojanized versions of the Axios npm package (1.14.1 and 0.30.4) containing an implant named WAVESHAPER.V2.<\/p>\n<p>\u201cEverything was extremely well coordinated, looked legit, and was done in a professional manner,\u201d Saayman added.<\/p>\n<p>The attack chain described by the project maintainer shares extensive overlaps with tradecraft associated with UNC1069 and BlueNoroff. 
Details of the campaign were extensively documented by Huntress and Kaspersky last year, with the latter tracking it under the moniker GhostCall.<\/p>\n<p>\u201cHistorically, [&#8230;] these specific guys have gone after crypto founders, VCs, public people,\u201d security researcher Taylor Monahan said. \u201cThey <a href=\"https:\/\/fortune.com\/2026\/04\/02\/north-korea-dprk-zoom-phishing-social-engineering-attack-telegram\/\">social engineer<\/a> them and take over their accounts and target the next round of people. This evolution to targeting [OSS maintainers] is a bit concerning in my opinion.\u201d<\/p>\n<p>As preventive steps, Saayman has outlined several changes, including resetting all devices and credentials, setting up immutable releases, adopting an OIDC flow for publishing, and updating GitHub Actions to adopt best practices.<\/p>\n<p>The findings demonstrate how open-source project maintainers are increasingly becoming the target of sophisticated attacks, effectively allowing threat actors to target downstream users at scale by publishing poisoned versions of highly popular packages.<\/p>\n<p>With Axios attracting nearly 100 million weekly downloads and being used heavily across the JavaScript ecosystem, the blast radius of such a supply chain attack can be massive as it propagates swiftly through direct and transitive 
dependencies.<\/p>\n<p>\u201cA package as widely used as Axios being compromised shows how difficult it is to reason about exposure in a modern JavaScript environment,\u201d Socket&#8217;s Ahmad Nassri <a href=\"https:\/\/socket.dev\/blog\/hidden-blast-radius-of-the-axios-compromise#Why-the-Blast-Radius-Is-Larger-Than-It-Looks\">said<\/a>. \u201cIt is a property of how dependency resolution in the ecosystem works today.\u201d<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Apr 03, 2026. Threat Intelligence \/ Malware. The maintainer of the Axios npm package has confirmed that the supply chain compromise was the result of a highly targeted social engineering campaign orchestrated&hellip;<\/p>\n","protected":false},"author":1,"featured_media":488,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[220,980,219,1058,1060,1059,39,1057,218,1005],"class_list":["post-487","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-attack","tag-axios","tag-chain","tag-engineering","tag-led","tag-maintainer","tag-npm","tag-social","tag-supply","tag-unc1069"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/487","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=487"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/487\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"
href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/488"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=487"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=487"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=487"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}