Cybersecurity
North Korean Hackers Used Social Engineering to Compromise Axios npm Package Maintainer
The maintainer of Axios, one of the most widely used JavaScript HTTP client libraries with hundreds of millions of weekly npm downloads, has confirmed that a supply chain compromise of the package was the result of a targeted social engineering campaign orchestrated by North Korean threat actors tracked as UNC1069, The Hacker News reported.
Maintainer Jason Saayman said the attackers tailored their approach specifically to him, first making contact under the guise of a startup founder and then escalating the social engineering to gain the access needed to inject malicious code into the package. The North Korean group UNC1069 has been linked to a pattern of developer-targeted attacks designed to compromise widely used open source packages as a vector into the downstream software supply chain.
Axios is included in millions of JavaScript projects and web applications, making it an exceptionally high-value target. A successful injection into the package could propagate malicious code to any application that installs or updates the library, affecting both frontend and backend Node.js environments.
The incident follows a series of high-profile npm supply chain attacks and is part of a documented North Korean strategy of targeting software developers and maintainers of popular open source projects. Previous campaigns attributed to DPRK-linked groups have used fake job offers, investment pitches, and technical collaboration requests as initial contact pretexts.
Developers using Axios are advised to audit their dependency versions, check package integrity, and monitor their environments for signs of compromise. The affected version details and remediation steps have been published by security researchers tracking the incident.
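One way to carry out the version and integrity audit described above, as an added example that is not from the article or the Axios project: it walks an npm lockfile (v2/v3 `packages` map) and reports every top-level and nested copy of a package. The affected-version set is a placeholder to be filled from the published advisory, and the sample lockfile, mirror URL and `some-sdk` name are constructed for illustration.

```javascript
// Added example: list every resolved copy of a package in package-lock.json
// and flag entries that need attention.
// ASSUMPTION: AFFECTED_VERSIONS is a placeholder; take real values from the advisory.
const AFFECTED_VERSIONS = new Set(["0.0.0-PLACEHOLDER"]);
const REGISTRY_PREFIX = "https://registry.npmjs.org/";

function auditLockfile(lock, name, affected = AFFECTED_VERSIONS) {
  const findings = [];
  const suffix = "node_modules/" + name;
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Match the top-level copy and nested (transitive) copies,
    // e.g. node_modules/some-sdk/node_modules/axios, but not axios-retry.
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    const issues = [];
    if (affected.has(entry.version)) issues.push("affected-version");
    // Without an integrity hash, npm cannot verify the tarball on install.
    if (!entry.integrity) issues.push("missing-integrity");
    // A tarball fetched from outside the public registry deserves a manual look.
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY_PREFIX)) {
      issues.push("non-registry-source");
    }
    findings.push({ path, version: entry.version, issues });
  }
  return findings;
}

// Constructed sample lockfile (not real versions, hashes or hosts).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": {
      version: "1.0.0-constructed",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.0.0-constructed.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
    "node_modules/some-sdk/node_modules/axios": {
      version: "0.0.0-PLACEHOLDER",
      resolved: "https://mirror.example.invalid/axios.tgz",
    },
    "node_modules/axios-retry": { version: "1.0.0-constructed", integrity: "sha512-CONSTRUCTED" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK, "axios"), null, 2));
```

To audit a real project, pass the parsed contents of its `package-lock.json` in place of `SAMPLE_LOCK`.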
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from The Hacker News and reviewed by the T&B editorial agent team.