
Axios NPM incident demonstrates systemic social engineering targeting open-source maintainers

Late last month, the popular Axios NPM package was compromised after a systematic social engineering campaign against its lead maintainer. The incident marks a shift in threat actor methodology toward high-trust open-source developers and calls for renewed focus on continuous monitoring and maintainer account protection.

Triage Security Media Team

Late last month, the NPM package for Axios—a widely used JavaScript HTTP client library downloaded over 100 million times per week—experienced a security incident. A threat actor, identified by researchers as the North Korean state-sponsored group UNC1069, compromised the account of lead maintainer Jason Saayman. This unauthorized access was used to publish two compromised versions (1.14.1 and 0.30.4) containing a malicious dependency, plain-crypto-js, which installed a remote access Trojan (RAT).

The software development community rapidly identified the unauthorized code, and the affected versions were removed from the NPM registry within a few hours.

In a post-mortem published on GitHub, Saayman detailed the sequence of events. The compromise originated from a systematic social engineering campaign that began two weeks prior. Threat actors posed as the founder of a legitimate company, inviting the maintainer to a highly convincing Slack workspace with multiple active channels. From there, the actors scheduled a meeting on Microsoft Teams. Upon joining the spoofed meeting environment, Saayman was prompted to install an update to resolve an apparent technical issue. This file contained the RAT.

The installed RAT gave the threat actors full, unilateral control over the maintainer's workstation. Security researcher Taylor Monahan noted in the technical analysis that the RAT operates on the already-authenticated state of the device: it inherits the maintainer's live sessions and publish tokens, so two-factor authentication (2FA), which only gates the login step, could not prevent the subsequent unauthorized package publication.

This campaign extends beyond a single library. Monahan’s analysis indicates that these specific North Korean threat actors have historically targeted cryptocurrency founders and venture capital executives using similar methods to establish long-term access or deploy credential stealers.

Development security vendor Socket recently published research showing this systematic approach is now targeting the broader open-source software community. Numerous developers and executives, including Socket CEO Feross Aboukhadijeh, reported experiencing the same slow-burn social engineering tactics. The methodology relies on patience—scheduling and rescheduling calls without urgency to disarm the target before deploying the unauthorized executable.

Sarah Kern, principal threat researcher at Sophos, attributes this level of operational maturity to state-sponsored backing. The objective is to secure write access to packages with massive distribution scales. As Aboukhadijeh noted, compromising an open-source maintainer provides a scale of impact that traditional social engineering methods rarely achieve, extending risk to every organization running the affected code.

Several factors contribute to this shift. The ability to generate convincing personas and sustain coherent, long-term conversations has reduced the cost of building trust. Delivery mechanisms such as ClickFix-style lures, which present a fake error and prompt the target to run a command or installer to "fix" it, have streamlined the execution phase, while the underlying operational infrastructure has matured significantly, according to Tom Hegel, distinguished threat researcher at SentinelOne. Hegel advises the security community to treat this as a permanent shift in the threat environment.

To protect development environments, organizations using Axios should check their lockfiles for axios@1.14.1, axios@0.30.4, or any entry for the plain-crypto-js dependency. A caret range such as ^1.14.0 in package.json says nothing about which release was actually resolved; only the lockfile (or an installed node_modules tree) does. If either indicator is found, teams should downgrade to and pin a known safe version (such as 1.14.0), remove the affected dependency and reinstall from a clean lockfile, and treat any workstation or CI/CD runner that installed the compromised release as compromised: since installing the dependency deployed the RAT, all secrets and credentials present on that machine should be rotated immediately.