
North Korea Hijacks Axios npm: 100M Weekly Downloads Hit

On March 31, 2026, North Korean hackers spent weeks building a fake company—complete with Slack workspace, fake employee profiles, and LinkedIn posts—to trick a single developer into installing malware. The target: Jason Saayman, maintainer of axios, an npm package downloaded 100 million times per week. For three hours, the compromised package distributed WAVESHAPER.V2 malware to tens of thousands of installations worldwide. Google’s Threat Intelligence attributes the attack to UNC1069, a North Korean state-sponsored group financially motivated by cryptocurrency theft. This isn’t a vulnerability in code. It’s a vulnerability in trust.

The Social Engineering Operation

UNC1069 didn’t exploit a zero-day or brute-force credentials. They built a fake company. Saayman’s post-mortem reveals that the attackers posed as the founder of a legitimate, well-known company, then invited him to “a real Slack workspace” branded with that company’s corporate identity (CI). “They had channels where they were sharing LinkedIn posts,” Saayman wrote. “The Slack workspace was thought out very well.” The campaign was “tailored specifically to me.”

After weeks of trust-building, the attackers invited Saayman to a Microsoft Teams meeting. On joining, a fake error message told him that “something on my system was out of date.” The “update” it offered was WAVESHAPER.V2, a remote access trojan that gave the attackers full control of his machine. With that foothold they stole his npm credentials and published malicious versions of axios, 1.14.1 and 0.30.4, each carrying a postinstall lifecycle script. npm runs such scripts automatically during installation, so anyone who ran npm install and resolved one of those versions executed the malware without any further interaction.

This level of patience and sophistication is unprecedented for open source supply chain attacks. Nation-state actors are now willing to spend weeks engineering trust with solo maintainers of critical infrastructure. If you maintain a popular package, you are a target.

Three Hours, Tens of Thousands Affected

The malicious packages were live for approximately three hours before npm detected and removed them. That is not much time, but axios is downloaded 100 million times per week, roughly 600,000 times per hour, so the window covered close to two million downloads. Only a fraction of those resolved to the new versions: an install pinned by a lockfile keeps fetching the version it recorded, so the exposed population was fresh installs and unpinned range resolutions that happened to pick up the new patch releases. Security researchers estimate tens of thousands of npm installs pulled the compromised versions across healthcare, finance, cryptocurrency, and technology sectors. The malware was cross-platform, with separate execution paths for macOS, Windows, and Linux.

WAVESHAPER.V2 is a fully functional RAT written in C++. It extracts system telemetry (hostname, username, OS version, process lists), executes arbitrary shell commands, enumerates file systems, and harvests credentials—including npm tokens. That last capability is critical: attackers could use stolen tokens to compromise additional packages in cascading supply chain attacks. The malware communicates with its C2 server via JSON over HTTP/HTTPS and runs as a background daemon. Total compromise time: approximately 15 seconds from installation.

The blast radius was contained by fast detection, but “tens of thousands” of affected systems is not containment. It’s a warning.

UNC1069: A Pattern, Not an Incident

This wasn’t a one-off attack. UNC1069 has been active since at least 2018, operating under North Korea’s Reconnaissance General Bureau with financial motivations, primarily cryptocurrency theft. In 2026 alone, the group has been linked to over 1,700 malicious packages across npm, PyPI, and the Go and Rust package ecosystems. Elliptic attributes the $285 million Drift Protocol exploit in April to UNC1069. Microsoft blocked 164 domains impersonating Teams and Zoom between February and April as part of UNC1069’s fake meeting infrastructure.

More concerning: UNC1069 is now using AI-generated deepfakes for video verification in social engineering campaigns. The axios compromise represents the group’s first known successful takeover of a genuine, widely-used package—a significant escalation. Google’s Threat Intelligence notes that axios maintainers aren’t the only targets. OpenSSF issued an advisory warning that unknown attackers are using similar tactics against other open source developers right now.

What Developers Should Do

If you installed axios 1.14.1 or 0.30.4 on March 31, assume the host is compromised, not just the project. WAVESHAPER.V2 harvests credentials and gives its operator a shell, so rotate every secret the machine could reach (npm and other registry tokens, SSH and cloud keys, CI secrets, browser sessions), check your lockfiles and CI logs for those two version strings, and prefer rebuilding the host to cleaning it. Revoke and reissue npm tokens first: a stolen token is how one compromised package becomes several. The broader lesson, though, requires systemic changes to how we consume open source dependencies.

First, implement release cooldowns. A 7-day delay before installing newly published package versions would have blocked this attack outright: the malicious packages were live for three hours, not seven days, and most supply chain attacks of this kind are detected and removed within hours or days. Delaying installation past that detection time keeps you out of the window. The cost is that security fixes are delayed by the same interval, so pair the cooldown with an exception path that lets you pull a specific version early when an advisory calls for it.
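The selection rule a cooldown implements, as an added example written for this article (not code from axios, npm, or the maintainer): resolve a range the way a package manager would, but only among versions whose registry publish time is older than the cooldown. The packument shape (dist-tags, versions, time) is the real npm registry document format; the dates, the range parser, and the hypothetical pickVersionWithCooldown function are constructed for illustration. Two shipped equivalents exist: npm install --before=<date> resolves only versions published on or before that date, and pnpm’s minimumReleaseAge setting applies a rolling delay.

```javascript
// Added example: pick the newest version satisfying a caret range that has
// been public for at least `minAgeDays`. Not the article's or npm's code.

// Constructed packument (not real registry data): 1.14.1 and 0.30.4 appear
// on 2026-03-31, the day of the compromise; every other version is older than
// a week. The "created"/"modified" keys mirror the real registry format.
const AXIOS_PACKUMENT = {
  name: 'axios',
  'dist-tags': { latest: '1.14.1' },
  time: {
    created: '2014-08-29T00:00:00.000Z',
    modified: '2026-03-31T11:05:00.000Z',
    '0.30.3': '2026-03-02T10:00:00.000Z',
    '0.30.4': '2026-03-31T11:05:00.000Z',
    '1.13.0': '2026-02-18T09:00:00.000Z',
    '1.14.0': '2026-03-17T12:00:00.000Z',
    '1.14.1': '2026-03-31T11:04:00.000Z',
  },
};

// Parse "major.minor.patch"; prerelease and build metadata are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Caret semantics: ^1.2.3 allows >=1.2.3 <2.0.0; ^0.30.0 allows >=0.30.0 <0.31.0.
// Only caret ranges are modelled (a simplification, not npm's full semver).
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are modelled');
  const baseStr = range.slice(1);
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (compareVersions(version, baseStr) < 0) return false;
  if (base.major > 0) return v.major === base.major;
  return v.major === 0 && v.minor === base.minor;
}

// Newest version matching `range` published at least `minAgeDays` before
// `now`, or null when nothing is old enough (caller decides: fall back to an
// older pinned version, or fail the build).
function pickVersionWithCooldown(packument, range, minAgeDays, now = new Date()) {
  const cutoff = now.getTime() - minAgeDays * 86400 * 1000;
  const candidates = Object.keys(packument.time)
    .filter((v) => /^\d+\.\d+\.\d+$/.test(v))          // drop created/modified
    .filter((v) => satisfiesCaret(v, range))
    .filter((v) => Date.parse(packument.time[v]) <= cutoff)
    .sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// A resolution performed inside the roughly three-hour window on March 31.
const duringAttack = new Date('2026-03-31T13:00:00.000Z');
console.log('no cooldown  ^1.0.0 ->', pickVersionWithCooldown(AXIOS_PACKUMENT, '^1.0.0', 0, duringAttack));
console.log('7-day        ^1.0.0 ->', pickVersionWithCooldown(AXIOS_PACKUMENT, '^1.0.0', 7, duringAttack));
console.log('7-day        ^0.30.0 ->', pickVersionWithCooldown(AXIOS_PACKUMENT, '^0.30.0', 7, duringAttack));
```

Without a cooldown the resolver lands on 1.14.1 during the window; with a 7-day floor it stays on 1.14.0 (and 0.30.3 for the 0.x line) until the new releases age past the cutoff, by which point they had already been pulled.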

Second, disable lifecycle scripts by default. Pass --ignore-scripts, or use a package manager such as pnpm that blocks dependency install scripts by default and requires an explicit allowlist. The axios malware relied entirely on the postinstall script running automatically; if the script does not run, the malware does not execute. Two caveats: some legitimate packages (native addons, binary downloaders) need their install step, so you will be maintaining an allowlist rather than flipping one switch, and script-blocking stops this delivery vector only. A malicious release can also carry code that runs when the package is required, so treat it as one layer alongside pinning and cooldowns.

Third, use npm ci instead of npm install in CI/CD. npm ci installs exactly what the committed lockfile records, verifies each tarball against its integrity hash, and fails rather than re-resolving when package.json and the lockfile disagree; npm install may resolve a range to a newer version and rewrite the lockfile, which is precisely how a fresh patch release walks into a build. Commit lockfiles to version control, pin exact versions, and review lockfile diffs as carefully as code. npm has tightened its authentication by eliminating permanent tokens and requiring faster credential expiration, but discipline around lockfiles is what prevents unexpected version changes on your side.
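The three checks above (is a compromised version in the tree, which packages declare install-time scripts, which entries lack an integrity hash for npm ci to verify) can be run offline against a package-lock.json. The following is an added example written for this article, not code from npm or the axios project. It reads the real lockfileVersion 2/3 layout: a "packages" map keyed by install path, where npm records "hasInstallScript" for packages with preinstall/install/postinstall scripts and "integrity" for each resolved tarball. The sample lockfile is constructed; the only real identifiers in it are the axios version numbers named in the article, and the hash strings are placeholders.

```javascript
// Added example: offline audit of a package-lock.json (lockfileVersion 2/3).
// Not the article's, npm's, or axios's code.

// Versions named in the article as compromised.
const COMPROMISED_VERSIONS = {
  axios: new Set(['1.14.1', '0.30.4']),
};

// Constructed lockfile (not from a real project): a top-level axios at a
// compromised version, an older nested axios under a hypothetical
// "some-client", a hypothetical scoped native addon that legitimately needs an
// install script, and an entry with no integrity hash. Hash values are
// placeholders, not real digests.
const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.0.0', 'some-client': '^2.0.0' } },
    'node_modules/axios': {
      version: '1.14.1',
      resolved: 'https://registry.npmjs.org/axios/-/axios-1.14.1.tgz',
      integrity: 'sha512-PLACEHOLDER',
      hasInstallScript: true,
    },
    'node_modules/some-client': {
      version: '2.3.0',
      resolved: 'https://registry.npmjs.org/some-client/-/some-client-2.3.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
      dependencies: { axios: '^0.30.0' },
    },
    'node_modules/some-client/node_modules/axios': {
      version: '0.30.3',
      resolved: 'https://registry.npmjs.org/axios/-/axios-0.30.3.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/@example/native-addon': {
      version: '4.1.0',
      resolved: 'https://registry.npmjs.org/@example/native-addon/-/native-addon-4.1.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
      hasInstallScript: true,
    },
    'node_modules/unpinned-helper': {
      version: '0.1.0',
      resolved: 'https://registry.npmjs.org/unpinned-helper/-/unpinned-helper-0.1.0.tgz',
    },
  },
};

// The package name is the path segment after the last "node_modules/";
// scoped packages keep their "@scope/" prefix.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Walk every installed entry (nested copies included) and collect findings.
function auditLockfile(lock, compromised = COMPROMISED_VERSIONS) {
  if (!lock.packages) {
    throw new Error('lockfileVersion 1 has no "packages" map; regenerate with a current npm');
  }
  const findings = { compromised: [], installScripts: [], missingIntegrity: [] };
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === '' || entry.link) continue; // root project or workspace symlink
    const name = packageNameFromPath(lockPath);
    const bad = compromised[name];
    if (bad && bad.has(entry.version)) {
      findings.compromised.push({ path: lockPath, name, version: entry.version });
    }
    if (entry.hasInstallScript) findings.installScripts.push(lockPath);
    if (!entry.integrity) findings.missingIntegrity.push(lockPath);
  }
  return findings;
}

const report = auditLockfile(SAMPLE_LOCKFILE);
console.log(JSON.stringify(report, null, 2));
```

To run it against a real project, replace SAMPLE_LOCKFILE with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). A non-empty compromised list means the incident-response steps above apply to that host; the installScripts list is your starting allowlist when you turn on --ignore-scripts, and every missingIntegrity entry is a tarball npm ci cannot verify.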

Fourth, audit dependencies regularly. Run npm audit, use SCA tools like Socket or Snyk, and monitor for unusual package updates: a new maintainer, a newly added install script, or a patch release landing after a long quiet stretch. Note that npm audit reports only published advisories, so it sees an attack like this one after the fact; behavioral signals are what can catch it during the window. The open source ecosystem depends on trust, but trust must be verified, not assumed.

For Maintainers: You Are the Target

If you maintain a popular package, understand that nation-state actors have the resources to patiently build fake companies, Slack workspaces, and employee identities to compromise you. Be suspicious of unsolicited meeting invitations. Verify identities through official channels, not the Slack workspace they control. Never download “updates” for video calls; legitimate services do not work that way. Enable 2FA with hardware keys. Keep publishing credentials off the workstation a RAT can read: publish from CI using npm’s trusted publishing or short-lived granular tokens rather than a long-lived token in your home directory. Consider multi-maintainer governance models so a single compromised account cannot push a malicious release on its own.

This attack succeeded because one developer trusted what appeared to be a legitimate company. The fake Slack workspace, the LinkedIn posts, the weeks of relationship-building—it all looked real because UNC1069 invested weeks making it real. You can’t blame Saayman for falling for it. You should expect more maintainers to face the same tactics.

Key Takeaways

  • North Korean hackers (UNC1069) spent weeks building a fake company with Slack workspace and employee profiles to social engineer the axios maintainer, stealing npm credentials and distributing malware for three hours on March 31, 2026
  • 100 million weekly downloads meant tens of thousands of installs pulled the compromised versions (1.14.1, 0.30.4), distributing WAVESHAPER.V2 RAT malware capable of full system control and credential theft
  • This is part of a broader 2026 campaign: 1,700+ malicious packages, $285M Drift exploit, 164 fake meeting domains, and AI-generated deepfakes for video verification. First successful genuine package takeover
  • Defense: Implement 7-day release cooldowns (would have blocked this attack), disable lifecycle scripts, use npm ci with lockfiles, and audit dependencies regularly with SCA tools
  • Maintainers are actively targeted now—be suspicious of unsolicited meetings, verify identities through official channels, never download “updates” for calls, and use hardware 2FA keys
ByteBot
