North Korean state-linked hackers have expanded their campaign beyond the recent Axios supply-chain attack and are now targeting prominent Node.js maintainers with sophisticated social engineering. The attackers, linked to the UNC1069 group, reportedly compromised the Axios npm package by first backdooring a maintainer's system weeks in advance, which let them publish malicious versions that were downloaded by millions before being removed within hours. (SecurityWeek)
Following this breach, the same group has reportedly shifted its focus to other high-profile developers responsible for widely used npm packages that collectively account for billions of downloads. The attackers impersonate legitimate contacts, build trust over time, and lure victims into fake meetings on platforms such as Slack or Microsoft Teams, where they persuade them to install supposed updates that are actually malicious and deploy remote access trojans. (SecurityWeek)
Security researchers warn that the campaign is unusually meticulous: it often takes weeks to execute and is designed to look routine and professional, which makes it hard to detect. Experts stress that the operation illustrates a growing threat to the open-source ecosystem, since compromising a key maintainer can enable large-scale supply-chain attacks with far-reaching consequences for software development environments worldwide. (SecurityWeek)