North Korean Hackers Target Node.js Maintainers in Sophisticated Supply Chain Attack
A North Korean threat group, UNC1069, has been linked to a social engineering campaign targeting high-profile Node.js maintainers, following a supply chain attack on Axios in late March. The attackers published two malicious NPM packages on March 31, which were downloaded by an estimated 3 million users before being removed within three hours.
The breach began when Axios lead maintainer Jason Saayman was infected with a backdoor after falling victim to a fake Microsoft Teams meeting. The attackers, posing as legitimate contacts, lured Saayman into installing a remote access trojan (RAT) under the guise of a required update. This tactic mirrors those used in previous campaigns, including DeceptiveDevelopment, Operation Dream Job, Contagious Interview, and ClickFake Interview.
The same group has since expanded its efforts, targeting multiple Node.js maintainers, including Socket CEO Feross Aboukhadijeh, Wes Todd (Node Package Maintenance Working Group), Matteo Collina (Platformatic), Scott Motte (Dotenv), and Ulises Gascón (Node.js Security Working Group). These individuals oversee hundreds of NPM packages with billions of downloads, making them prime targets for supply chain compromise.
The campaign, executed over several weeks, involved meticulous social engineering: the attackers built fake meeting infrastructure, established trust, and conducted themselves with professionalism to avoid suspicion. Socket noted that the operation was designed to appear routine, with the attackers scheduling and rescheduling calls to blend in with legitimate business interactions.
In February, Google warned that UNC1069 had used similar tactics against DeFi companies, cryptocurrency firms, and venture capital entities. Security researchers have urged the open-source community to remain vigilant, as the group continues to refine its methods.
The Axios attack and subsequent targeting of Node.js maintainers highlight the growing threat of supply chain attacks orchestrated by state-backed actors, with potential for widespread disruption given the scale of the affected packages.
Source: https://www.securityweek.com/north-korean-hackers-target-high-profile-node-js-maintainers/
Node.js cybersecurity rating report: https://www.rankiteo.com/company/nodejs
OpenJS Foundation cybersecurity rating report: https://www.rankiteo.com/company/openjs-foundation
Axios cybersecurity rating report: https://www.rankiteo.com/company/axios-media
"id": "NODOPEAXI1775479086",
"linkid": "nodejs, openjs-foundation, axios-media",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [
    {'customers_affected': '3 million users (estimated downloads of malicious packages)',
     'industry': 'Software Development',
     'name': 'Axios',
     'type': 'Media/Technology'},
    {'customers_affected': 'Billions of downloads (across hundreds of NPM packages)',
     'industry': 'Software Development',
     'name': 'Node.js maintainers (Socket, Node Package Maintenance Working Group, Platformatic, Dotenv, Node.js Security Working Group)',
     'type': 'Open-Source Maintainers'}],
 'attack_vector': 'Social Engineering, Malicious NPM Packages, Remote Access Trojan (RAT)',
 'date_detected': '2024-03-31',
 'description': 'A North Korean threat group, UNC1069, conducted a social engineering campaign targeting high-profile Node.js maintainers following a supply chain attack on Axios in late March. The attackers published two malicious NPM packages on March 31, which were downloaded by an estimated 3 million users before being removed within three hours. The breach began with Axios lead maintainer Jason Saayman being infected with a backdoor after falling victim to a fake Microsoft Teams meeting. The same group expanded its efforts to target multiple Node.js maintainers overseeing hundreds of NPM packages with billions of downloads.',
 'impact': {
    'brand_reputation_impact': 'High (open-source community trust erosion)',
    'operational_impact': 'Potential widespread disruption due to compromised packages',
    'systems_affected': 'Node.js packages, NPM ecosystem'},
 'initial_access_broker': {
    'backdoors_established': "Yes (backdoor installed on Axios maintainer's system)",
    'entry_point': 'Fake Microsoft Teams meeting, Remote Access Trojan (RAT)',
    'high_value_targets': 'Node.js maintainers, DeFi companies, cryptocurrency firms, venture capital entities',
    'reconnaissance_period': 'Several weeks'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Open-source maintainers are high-value targets for state-backed threat actors. Social engineering tactics are becoming increasingly sophisticated and professional. Supply chain attacks can have widespread impact due to the scale of package ecosystems.',
 'motivation': 'Supply chain compromise, Data exfiltration, Potential widespread disruption',
 'post_incident_analysis': {
    'root_causes': 'Sophisticated social engineering, trust exploitation, lack of multi-factor authentication for maintainers, professionalism of attackers to avoid suspicion'},
 'recommendations': 'Enhance vigilance against social engineering, implement multi-factor authentication for maintainers, conduct regular security training, and monitor for suspicious activity in open-source ecosystems.',
 'references': [
    {'source': 'Google Threat Analysis Group'},
    {'source': 'Socket Security Research'}],
 'response': {
    'containment_measures': 'Malicious NPM packages removed within three hours'},
 'stakeholder_advisories': 'Security researchers have urged the open-source community to remain vigilant due to the ongoing threat.',
 'threat_actor': 'UNC1069 (North Korean threat group)',
 'title': 'North Korean Hackers Target Node.js Maintainers in Sophisticated Supply Chain Attack',
 'type': 'Supply Chain Attack',
 'vulnerability_exploited': 'Trust in open-source maintainers, Fake meeting infrastructure'}