The Axios attack has highlighted the sophistication, scalability and industrialisation of social engineering campaigns, with attackers targeting open source maintainers and their networks. Late last month, the NPM package Axios was compromised in a social engineering attack: a threat actor believed to be North Korean threat group UNC1069 compromised lead maintainer Jason Saayman’s account and published two malicious versions, each pulling in a new malicious dependency that hosted a remote access Trojan (RAT).
The Axios project, downloaded more than 100 million times per week, was quickly hit by this supply-chain compromise, and a GitHub post-mortem notes the deception began two weeks prior as the lead maintainer was drawn into a convincing Slack workspace and a subsequent Microsoft Teams meeting.
The RAT granted the attacker full control over Saayman’s computer, which is why the NPM account’s 2FA did not help: a second factor protects the credential, not a workstation the attacker already operates. That also means the impact extended beyond a single wallet to any organisation running the compromised code. According to Sarah Kern of Sophos, the campaign marks a shift in threat modelling, as open source maintainers become high-value attack surfaces for long-tail, wide-reaching social engineering.
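The compromise described above surfaced as a new dependency appearing in a release of an otherwise stable package. As an added example, not code from the article or from the Axios project, the following release-gate check compares a package manifest with the previously reviewed one and flags the signals a consumer or maintainer would want to review before adopting an update: dependencies that appear out of nowhere (especially in a patch release), version ranges that silently change, and new install-time lifecycle scripts. The two manifests are constructed sample data, and the name "example-new-dep" is a placeholder rather than the real malicious package.

```javascript
// Added example (not the article's or the Axios project's code): compare two
// package.json manifests and report supply-chain review findings.
// Both manifests below are constructed sample data.

const previousManifest = {
  name: "example-lib",
  version: "1.2.3",
  dependencies: { lodash: "^4.17.21" },
  scripts: { test: "node test.js" },
};

const newManifest = {
  name: "example-lib",
  version: "1.2.4",
  // "example-new-dep" is a placeholder name, not a real package.
  dependencies: { lodash: "^4.17.21", "example-new-dep": "^1.0.0" },
  scripts: { test: "node test.js", postinstall: "node setup.js" },
};

const DEP_SECTIONS = ["dependencies", "optionalDependencies", "peerDependencies"];
// Lifecycle scripts npm runs automatically at install time.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Dependencies added, removed, or re-ranged between two manifests.
function diffDependencies(prev, next) {
  const added = [], removed = [], changed = [];
  for (const section of DEP_SECTIONS) {
    const before = prev[section] || {};
    const after = next[section] || {};
    for (const [name, range] of Object.entries(after)) {
      if (!(name in before)) added.push({ section, name, range });
      else if (before[name] !== range) changed.push({ section, name, from: before[name], to: range });
    }
    for (const name of Object.keys(before)) {
      if (!(name in after)) removed.push({ section, name });
    }
  }
  return { added, removed, changed };
}

// Install-time scripts that are new or whose command changed since the previous release.
function newInstallHooks(prev, next) {
  const before = prev.scripts || {};
  const after = next.scripts || {};
  return INSTALL_HOOKS.filter((hook) => hook in after && after[hook] !== before[hook]);
}

// True when only the patch component of a semver "x.y.z" version moved forward.
function isPatchBump(prevVersion, nextVersion) {
  const [a, b] = [prevVersion, nextVersion].map((v) => v.split(".").map(Number));
  return a[0] === b[0] && a[1] === b[1] && b[2] > a[2];
}

// Human-readable review findings; an empty list means nothing the gate considers suspicious.
function reviewRelease(prev, next) {
  const findings = [];
  const { added, changed } = diffDependencies(prev, next);
  const patch = isPatchBump(prev.version, next.version);
  for (const dep of added) {
    findings.push(
      `new ${dep.section} "${dep.name}@${dep.range}"` + (patch ? " introduced in a patch release" : "")
    );
  }
  for (const dep of changed) {
    findings.push(`${dep.section} "${dep.name}" range changed ${dep.from} -> ${dep.to}`);
  }
  for (const hook of newInstallHooks(prev, next)) {
    findings.push(`new or modified install-time script "${hook}": ${next.scripts[hook]}`);
  }
  return findings;
}

for (const finding of reviewRelease(previousManifest, newManifest)) {
  console.log("REVIEW:", finding);
}
```

In practice the "previous" manifest would come from the lockfile or registry metadata of the version already in production, and any non-empty result should block an automatic upgrade until a human has looked at the new dependency and its install scripts.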