On 3 April 2026, the Axios npm package maintainer Jason Saayman confirmed that the supply chain compromise came from a highly targeted social engineering campaign attributed to North Korean threat actors tracked as UNC1069. Saayman said the attackers tailored their approach “specifically to me,” first approaching him as the founder of a legitimate, well-known company, cloning the founders’ likeness and the company itself.
He described being invited to a real Slack workspace branded to the company and joining a convincing, well-planned environment, followed by a scheduled Microsoft Teams meeting where a fake update prompt led to the deployment of a remote access trojan. The trojan gave the attackers the access needed to steal npm account credentials and publish two trojanised Axios versions, 1.14.1 and 0.30.4, containing an implant named WAVESHAPER.V2.
The incident aligns with tradecraft associated with UNC1069 and BlueNoroff, and highlights how open-source maintainers can become vectors for downstream compromise, given Axios’ nearly 100 million weekly downloads. Saayman recommends protective steps such as resetting credentials, using immutable releases, and adopting an OIDC flow for publishing.