The North Korean threat actor behind the Axios supply chain attack has been aiming its social engineering campaign at high-profile Node.js maintainers, according to Socket reports. The Axios attack occurred on 31 March, when two malicious package versions were published to the NPM registry and were likely installed by over 3 million users.
UNC1069, the North Korean hacking group blamed for the Axios attack, is now using similar social engineering tactics to target multiple Node.js maintainers, including Socket CEO Feross Aboukhadijeh and several engineers, as well as other prominent figures such as Wes Todd, Matteo Collina, Scott Motte, and Ulises Gascón. The attackers invited targets to meetings via Slack and then scheduled more meetings via Microsoft Teams, where they guided the targets to install a fake update that infected their systems with a RAT.
The operation reportedly takes weeks to execute, with attackers building trust and presenting themselves as legitimate contacts before delivering the malware. Google had warned in February that UNC1069 had used the same techniques against DeFi and other targets.