Axios Maintainer's Post Mortem - Social Engineering Attack Explained

Basically, a hacker tricked a developer into installing malware on their computer.
A recent post mortem reveals that the axios maintainer was tricked by UNC1069 into installing malware. This attack underscores the dangers of social engineering in software supply chains. Users must ensure their systems are secure against such threats.
What Happened
On April 3, 2026, Jason Saayman, the lead maintainer of the axios npm package, published a post mortem detailing a supply chain attack carried out by the North Korean threat actor group UNC1069. This widely used HTTP client library, with around 100 million weekly downloads, was compromised when attackers published malicious updates that included a remote access trojan (RAT). The malicious updates were live for approximately three hours before being removed.
Who's Affected
The axios package is used by over 174,000 dependent projects, making this incident particularly concerning for developers and companies relying on it. Users who installed the malicious versions of axios are at risk, as the RAT could provide attackers with unauthorized access to their systems.
How the Attack Unfolded
Saayman revealed that he fell victim to a social engineering campaign about two weeks prior to the attack. The attackers meticulously crafted a scheme that appeared legitimate, even cloning the likeness of a company's founders. They invited Saayman to a seemingly active Slack workspace and later to a Microsoft Teams call. During this call, he was prompted to install what he thought was a Teams update, which turned out to be the RAT.
Tactics & Techniques
The attackers employed a highly coordinated approach, utilizing fake profiles and active channels to build trust. Saayman noted that despite having two-factor authentication (2FA) enabled on his npm account, the attackers managed to gain access to it. Once inside, they deleted community reports regarding the attack, further complicating the situation.
Defensive Measures
After the attack, axios collaborator Dmitriy Mozgovoy contacted npm staff to remove the malicious updates. Saayman has since implemented several security measures, including the adoption of immutable release practices and trusted publishing with OpenID Connect (OIDC) for future updates. He also reset all devices and credentials associated with his accounts.
What You Should Do
Users of axios are urged to verify that they have not installed any malicious versions. If they suspect they have, they should treat their systems as compromised, remove any malicious components immediately, and rotate sensitive credentials. This incident serves as a reminder of the need for hypervigilance against social engineering attacks, especially in widely used open-source projects.
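One concrete way to do the verification step above is to scan the project's package-lock.json for every installed copy of axios, including copies nested under other dependencies, and compare the versions against the list published in the post mortem. The script below is an added example, not code from the axios project or the post mortem; the page does not list the affected version numbers, so KNOWN_BAD_VERSIONS holds an obvious placeholder that must be replaced from the advisory, and the two lockfiles it scans by default are constructed sample data.

```python
"""Scan an npm package-lock.json for installed versions of one package.

Added example: handles lockfileVersion 2/3 ("packages" map keyed by install
path) and the older lockfileVersion 1 ("dependencies" tree), so nested
duplicates such as node_modules/<sdk>/node_modules/axios are not missed.
"""
import json
import sys
from pathlib import Path

# PLACEHOLDER: the page does not give the malicious version numbers.
# Replace with the versions named in the axios post mortem / advisory.
KNOWN_BAD_VERSIONS = {"0.0.0-placeholder-bad"}

# Constructed sample lockfiles (not real projects). Each contains one clean
# top-level axios and one nested copy pinned to the placeholder bad version.
SAMPLE_LOCK_V3 = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.0.0"}},
        "node_modules/axios": {"version": "1.0.0"},
        "node_modules/axios-retry": {"version": "3.0.0"},
        "node_modules/some-sdk": {"version": "2.1.0"},
        "node_modules/some-sdk/node_modules/axios": {
            "version": "0.0.0-placeholder-bad"
        },
    },
}

SAMPLE_LOCK_V1 = {
    "name": "demo-app",
    "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "1.0.0"},
        "some-sdk": {
            "version": "2.1.0",
            "dependencies": {"axios": {"version": "0.0.0-placeholder-bad"}},
        },
    },
}


def installed_versions(lock, name):
    """Return {install_path: version} for every copy of `name` in the lockfile."""
    found = {}
    packages = lock.get("packages")
    if packages is not None:
        # lockfileVersion 2/3: keys are install paths; "" is the root project.
        # The package name is whatever follows the last "node_modules/".
        for path, meta in packages.items():
            if path and path.split("node_modules/")[-1] == name:
                found[path] = meta.get("version")
        return found

    # lockfileVersion 1: nested "dependencies" objects; rebuild the paths.
    def walk(deps, prefix):
        for dep_name, meta in deps.items():
            path = f"{prefix}node_modules/{dep_name}"
            if dep_name == name:
                found[path] = meta.get("version")
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def flag_bad(lock, name, bad_versions):
    """Return only the installed copies whose version is in bad_versions."""
    return {p: v for p, v in installed_versions(lock, name).items()
            if v in bad_versions}


def scan_lockfile(path, name="axios", bad_versions=KNOWN_BAD_VERSIONS):
    """Load a package-lock.json from disk and report flagged copies."""
    lock = json.loads(Path(path).read_text(encoding="utf-8"))
    return flag_bad(lock, name, bad_versions)


if __name__ == "__main__":
    # Usage: python scan_lock.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        hits = scan_lockfile(sys.argv[1])
    else:
        hits = flag_bad(SAMPLE_LOCK_V3, "axios", KNOWN_BAD_VERSIONS)
    for install_path, version in hits.items():
        print(f"FLAGGED {install_path} -> {version}")
    sys.exit(1 if hits else 0)
```

A non-zero exit on any hit makes the check easy to drop into CI. Note that a lockfile only tells you what was resolved for this project; if the malicious version was pulled in on a developer machine outside a lockfile, or a flagged copy is found anywhere, the page's advice applies: treat the host as compromised and rotate credentials rather than simply removing the package.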