A coordinated social engineering campaign is targeting the engineers who ship the most widely used npm packages. Socket confirmed on April 3 that maintainers behind Fastify, buffer, Lodash, dotenv, Express, and mocha were approached using the same playbook that compromised Axios. The packages they ship see billions of downloads per month from a registry that processes trillions of downloads per year.
The operators are hunting write access to the npm registry itself. Independent security researcher Tay (@tayvano_) traced the activity to UNC1069. Mandiant tracks the group as a financially motivated North Korea-nexus actor, active since at least 2018.
How the playbook works
The attackers impersonate legitimate companies and reach maintainers through Slack invitations, LinkedIn messages, or fake podcast bookings. Victims land in carefully staged Slack workspaces with posts spaced over time to simulate genuine activity. Fake profiles inside the workspaces mimic real prominent open source maintainers. A video call is scheduled days in advance, then rescheduled once or twice. The deliberate slow pacing defeats standard phishing heuristics.
The meeting link arrives via Slack five minutes before the call, never in the calendar invite. In the case of Node.js core collaborator Jean Burellier, the link appeared to point at teams.microsoft.com but redirected to teams.onlivemeet.com.
Inside the fake meeting the victim sees what looks like a video of the interviewer, possibly AI-generated. An "audio failure" prompt appears immediately. The fix is either clicking a link that downloads a malicious AppleScript, or pasting a command into the terminal to "restore audio."
Either action installs a remote access trojan. The RAT establishes persistence, collects system information, and calls home every 60 seconds.
When you have a RAT on your device, it grabs your post-authentication state, making 2FA irrelevant.
— Tay, independent security researcher
The malware can exfiltrate .npmrc tokens, browser session cookies, AWS credentials, keychain contents, and anything else stored on the machine. Publishing a malicious package to npm from that point requires no additional authentication bypass.
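A RAT that "calls home every 60 seconds" leaves a regular rhythm in outbound-connection logs, and that cadence is something a defender can look for on a maintainer's workstation or at the egress proxy. The script below is an added example, not code from Socket, Tay or any of the maintainers quoted here: it parses a constructed log format (timestamp, process, destination) and flags any process/destination pair whose connection intervals cluster tightly around one value. The sample lines, the process names and the IP addresses are all made up for the example.

```javascript
// Added example (not from the Socket post): flag hosts contacted on a fixed
// cadence in outbound-connection logs, the trace a RAT that beacons every
// 60 seconds leaves behind. Log format and every line below are constructed.
const SAMPLE_LOG = [
  '2026-04-03T10:00:00Z updater 203.0.113.10:443',
  '2026-04-03T10:00:12Z Slack 198.51.100.20:443',
  '2026-04-03T10:00:41Z node 198.51.100.5:443',
  '2026-04-03T10:01:00Z updater 203.0.113.10:443',
  '2026-04-03T10:01:31Z Slack 198.51.100.20:443',
  '2026-04-03T10:01:40Z Slack 198.51.100.20:443',
  '2026-04-03T10:02:00Z updater 203.0.113.10:443',
  '2026-04-03T10:02:59Z updater 203.0.113.10:443',
  '2026-04-03T10:04:00Z updater 203.0.113.10:443',
  '2026-04-03T10:05:01Z updater 203.0.113.10:443',
  '2026-04-03T10:05:44Z Slack 198.51.100.20:443',
  '2026-04-03T10:06:00Z updater 203.0.113.10:443',
  '2026-04-03T10:06:10Z Slack 198.51.100.20:443',
  '2026-04-03T10:07:00Z updater 203.0.113.10:443',
  'this line is malformed and should be skipped',
].join('\n');

// Parse "ISO-timestamp process host:port" lines into {t (epoch seconds), proc, dest}.
function parseConnections(text) {
  const out = [];
  for (const line of text.split('\n')) {
    const m = line.trim().match(/^(\S+)\s+(\S+)\s+(\S+)$/);
    if (!m) continue;                      // skip blank or malformed lines
    const t = Date.parse(m[1]);
    if (Number.isNaN(t)) continue;         // skip lines with an unparseable timestamp
    out.push({ t: t / 1000, proc: m[2], dest: m[3] });
  }
  return out;
}

// Group by process+destination, measure inter-arrival gaps, and report groups
// where most gaps sit within `tolerance` of the median gap. Thresholds are
// assumptions chosen for this example, not values from the article.
function findBeacons(events, { minHits = 5, tolerance = 0.15, minInterval = 15, maxInterval = 3600 } = {}) {
  const byKey = new Map();
  for (const e of events) {
    const k = `${e.proc} -> ${e.dest}`;
    if (!byKey.has(k)) byKey.set(k, []);
    byKey.get(k).push(e.t);
  }
  const findings = [];
  for (const [key, times] of byKey) {
    if (times.length < minHits) continue;  // too few connections to judge cadence
    times.sort((a, b) => a - b);
    const gaps = [];
    for (let i = 1; i < times.length; i++) gaps.push(times[i] - times[i - 1]);
    const sorted = [...gaps].sort((a, b) => a - b);
    const median = sorted[Math.floor(sorted.length / 2)];
    if (median < minInterval || median > maxInterval) continue;
    const regular = gaps.filter(g => Math.abs(g - median) <= tolerance * median).length;
    const regularity = Number((regular / gaps.length).toFixed(2));
    if (regularity >= 0.8) findings.push({ key, hits: times.length, medianSeconds: median, regularity });
  }
  return findings;
}

for (const f of findBeacons(parseConnections(SAMPLE_LOG))) {
  console.log(`possible beacon: ${f.key} every ~${f.medianSeconds}s (${f.hits} hits, regularity ${f.regularity})`);
}
```

Only the constructed "updater" process is reported; the Slack connections in the sample are bursty and fall below the regularity threshold. Real implants often add jitter, so widen `tolerance` when hunting, and feed the parser your own proxy, firewall or endpoint telemetry format.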
The fake meeting interface is built with real SDKs and CSS from Zoom and Microsoft Teams. The call appears in-browser with no application to install, until the audio "fails."
There's A LOT leading up to the call. It's not urgent, pressing, suspicious at all. It's not a one-click, get phished. They'll schedule a call for next week and then reschedule it for the week after. It's crazy disarming.
— Tay
The confirmed targets
Socket has updated its post throughout the weekend. As more maintainers reviewed their email and LinkedIn invites, additional victims surfaced. At least ten high-impact maintainers have now confirmed they were approached by the same operators, alongside Axios maintainer Jason Saayman, who ran the payload.
Feross Aboukhadijeh. Socket CEO, creator of WebTorrent, StandardJS, buffer, and dozens of widely used npm packages with billions of downloads.
Matteo Collina. Co-founder and CTO of Platformatic, Node.js TSC Chair, and lead maintainer of Fastify, Pino, and Undici. His packages see billions of downloads per year. Collina disclosed his close call on X on April 2.
I've just learned more details about the axios hack and… they tried to hack me too! Didn't work, but gosh.
— Matteo Collina, CTO of Platformatic, on X
John-David Dalton. Creator of Lodash, which sees more than 137 million weekly downloads on npm.
Jordan Harband. TC39 member who maintains hundreds of ECMAScript polyfills and shims foundational to the JavaScript ecosystem.
Scott Motte. Creator of dotenv, with more than 114 million weekly downloads. Targeted using the same "Openfort" persona that appears in two other cases below.
Wes Todd. Express TC member and member of the Node Package Maintenance Working Group.
Ulises Gascón. Node.js core collaborator and releaser, Express TC member, Lodash TSC member, and Node.js Security Working Group contributor.
Pelle Wessman. Maintainer of mocha, neostandard, npm-run-all2, and type-fest.
Jean Burellier. Node.js core collaborator and Express contributor.
Tim Perry. Open source maintainer who confirmed on Bluesky on April 5 that he received the same approach.
Damn, I got this as well! Just assumed it was spam and ignored this (and the LinkedIn follow-up); turns out I dodged a bullet.
— Tim Perry, on Bluesky
Three case studies
Wessman's encounter predates the Axios compromise by a few weeks. He was lured through a fake podcast booking, added to a group with supposed co-interviewees, and given preparatory questions. The video call landed on a spoofed version of Streamyard.
The fake site presented a technically plausible error and prompted him to install a native app. Wessman identified the download as containing an info stealer and refused. The attackers then pushed a curl command in his terminal, went dark, and deleted all conversations. He had also received a LinkedIn invitation from the same operators weeks earlier.
Burellier's case began on March 5 with a LinkedIn message from someone posing as a representative of Openfort. He was invited into two separate Slack workspaces by two different personas. Each placed him in a private channel with no other visible members and pushed toward scheduling a call. He missed the first call on March 23. A second was set for March 27.
Burellier declined the update prompt in the fake meeting and suggested rescheduling. He was removed from both Slack workspaces within minutes. All conversations were deleted.
Saayman, the Axios maintainer who ran the payload, was targeted using the same Openfort persona used against Burellier. He shared additional details with Socket about the Slack workspace constructed against him. It was carefully built with posts spaced over time to simulate genuine company activity, populated with fake profiles that mimicked real prominent open source maintainers.
The first link was from Slack from a seemingly legit company doing guerrilla marketing. Then they wanted me to download/install some software, which was a bit of a smell.
— Matteo Collina, CTO of Platformatic, on X
Collina credited his packed schedule for saving him. He was, in his words, "way too busy for my own good."
UNC1069 and the strategic pivot
The threat actor connection comes from Tay's independent analysis in the Axios post-mortem thread. Tay links the Node.js maintainer targeting to UNC1069. Mandiant tracks UNC1069 as a financially motivated North Korea-nexus group, active since at least 2018.
Mandiant published its UNC1069 report on February 9, 2026. The report documented the group deploying seven distinct macOS malware families against a FinTech entity in the cryptocurrency sector. The families are WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, CHROMEPUSH, SUGARLOADER, and SILENCELIFT. Six of the seven were previously unknown to Mandiant.
The intrusion chained three lures together. The attackers used a compromised Telegram account belonging to a cryptocurrency executive to make initial contact. They set up a fake Zoom meeting hosted at zoom.uswe05.us, and pushed a ClickFix lure once the call began.
ClickFix is an attack technique where the threat actor directs the user to run troubleshooting commands on their system. The pretext is a purported technical issue. The lure reportedly included a deepfake video of a crypto CEO. Mandiant could not recover forensic evidence to verify the AI-generated video claim independently.
DEEPBREATH, written in Swift, bypasses macOS Transparency, Consent, and Control (TCC). It renames the user's TCC folder via Finder, copies TCC.db to a staging location, injects permissions, and restores the modified database. The result is access to the keychain, Chrome, Brave, Edge, two versions of Telegram, and Apple Notes.
UNC1069's traditional victim set is cryptocurrency companies, DeFi firms, and venture capital targets. Tay's analysis frames the move into npm maintainer targeting as a strategic pivot.
Historically these specific guys have gone after crypto founders, VCs, public people. They social engineer them and take over their accounts and target the next round of people. Why have calls one by one by one to eventually get the one rich dude when you can get 1 million+ dudes at once?
— Tay
Tay added that the Microsoft Teams pivot is recent. Six months ago, the operators did not use Teams at all. Now it is everywhere. New infrastructure designed for Slack huddles appeared in the days before Socket's April 3 post, extending the fake meeting playbook to another platform.
A brutal crash course for open source
Open source just got a brutal crash course. The Node.js community is being force-fed a social engineering curriculum that cryptocurrency security researchers have been writing for years. Most confirmed targets have spent their careers maintaining invisible, ubiquitous packages in relative obscurity. Few imagined they would one day be of interest to a North Korea-linked threat actor.
Perry's reaction captures the pattern. He assumed the approach was spam and ignored it. These maintainers are not crypto exchange executives or venture capitalists accustomed to being targeted. They are engineers whose work runs inside millions of applications without anyone, including themselves, paying it much attention. That invisibility is exactly what makes them valuable to an adversary that has spent years honing this playbook against richer, more obvious targets in Web3.
This campaign is massive and a great reminder that behind your favorite open source dependencies are humans too.
— Ulises Gascón, Node.js core collaborator
This kind of targeted social engineering against individual maintainers is the new normal. It's not a reflection on Jason or the axios team — these campaigns are sophisticated and persistent. We're seeing them across the ecosystem and they're only accelerating.
— Feross Aboukhadijeh, Socket CEO
Why OIDC does not solve this
OIDC-based publishing does not solve this class of attack. It is a meaningful improvement to publishing hygiene, but it does not protect against a fully compromised machine, and treating it as a cure-all leaves maintainers with a false sense of security.
— Wes Todd, Express TC member
A compromised maintainer endpoint gives operators a direct write path into npm packages. Those packages sit at the foundation of CI pipelines, build tools, developer CLIs, and AI toolchains across virtually every technology organisation. The npm registry processes trillions of downloads per year, and the packages named in this campaign sit at the deepest levels.
A malicious version live for a few hours propagates to millions of installs through automated dependency resolution. Socket previously documented this dynamic as the "hidden blast radius" of the Axios compromise.
The crypto playbook has migrated. UNC1069 spent eight years running fake interviews and ClickFix lures against people who knew they were targets. Now they run the same pattern against engineers who ship packages every developer depends on. These engineers never imagined themselves on a North Korean target list. Ten in one weekend is not the ceiling.
Response and what to do
The specific personas and Slack channels used in the attacks are being investigated and taken down, according to Tay. The infrastructure refresh continues. New domains appeared in the days before Socket's roundup, and the operators have started building tooling for Slack huddles in addition to Teams and Zoom.
Maintainers of widely depended-upon packages should treat any unsolicited Slack invitation, podcast booking, or staged video call as suspect. The red flags are specific. Meeting links that arrive minutes before the call. Links that redirect to unfamiliar domains. Audio failures that are fixed only by installing software or pasting commands into a terminal.
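Two of those red flags, link text that does not match the destination and a redirect onto an unfamiliar domain, can be checked before anyone clicks. The function below is an added example, not tooling from Socket or the maintainers involved: it compares the host shown in the link text with the host the link actually points at, walks the redirect chain, and accepts the final host only if it is one of an assumed allowlist of meeting domains (or a subdomain of one, matched by a proper suffix check so that lookalikes such as a hostname merely containing "teams.microsoft.com" fail). The redirect lookup here is a constructed table; in practice it would be a HEAD request resolving Location headers from an isolated machine.

```javascript
// Added example (not from the Socket post): static audit of a meeting link.
// The allowlist is an assumption for this example; the redirect table is
// constructed and stands in for resolving HTTP Location headers.
const TRUSTED_MEETING_HOSTS = ['teams.microsoft.com', 'zoom.us', 'meet.google.com', 'streamyard.com'];

const CONSTRUCTED_REDIRECTS = {
  'https://t.example-invite.test/x1': 'https://teams.onlivemeet.com/meet/123',
};

// Hostname of a URL or bare host string, lower-cased; null if unparseable.
function hostOf(s) {
  try {
    return new URL(s.includes('://') ? s : `https://${s}`).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Exact match or subdomain of an allowlisted host. The leading dot matters:
// "teams.microsoft.com.evil.test" must not pass.
function isTrustedHost(host) {
  return TRUSTED_MEETING_HOSTS.some(d => host === d || host.endsWith('.' + d));
}

function auditMeetingLink(displayedText, href,
                          lookupRedirect = u => CONSTRUCTED_REDIRECTS[u] ?? null,
                          maxHops = 10) {
  const reasons = [];
  const chain = [href];
  let current = href;
  for (let i = 0; i < maxHops; i++) {        // follow redirects without executing anything
    const next = lookupRedirect(current);
    if (!next) break;
    chain.push(next);
    current = next;
  }
  if (lookupRedirect(current)) reasons.push(`redirect chain longer than ${maxHops} hops`);

  const shownHost = hostOf(displayedText);
  const hrefHost = hostOf(href);
  const finalHost = hostOf(current);
  if (shownHost && hrefHost && shownHost !== hrefHost) {
    reasons.push(`link text shows ${shownHost} but points at ${hrefHost}`);
  }
  if (finalHost && finalHost !== hrefHost) {
    reasons.push(`redirects off ${hrefHost} to ${finalHost}`);
  }
  if (!finalHost || !isTrustedHost(finalHost)) {
    reasons.push(`final host ${finalHost} is not an approved meeting domain`);
  }
  return { chain, finalHost, trusted: reasons.length === 0, reasons };
}

// Constructed invite: text reads like a Teams link, href goes elsewhere.
const verdict = auditMeetingLink('https://teams.microsoft.com/meet/123', 'https://t.example-invite.test/x1');
console.log(verdict.trusted ? 'link looks genuine' : 'DO NOT JOIN:\n  ' + verdict.reasons.join('\n  '));
```

A genuine link whose text, href and final destination all stay on an allowlisted host passes; the constructed invite above fails on all three checks. This catches the redirect pattern described in Burellier's case but not a call hosted on a legitimate platform by an impostor, so it complements rather than replaces verifying the organiser out of band.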
Warning
Never install software or paste terminal commands offered as a "fix" during a video call. Audit .npmrc tokens, rotate AWS credentials, and clear browser session state on any machine where a questionable interaction occurred. Two-factor authentication will not help once a RAT is resident on the machine. Report and openly share these approaches with the community rather than staying silent out of embarrassment.
I strongly recommend that the OSS maintainer community takes this very seriously. The specific personas and channels used for this attack are being investigated and taken down. But there are more. So many more. Report them. Talk about them. Share them. Share your stories. Do not be embarrassed. Defend each other from people who call you stupid for 'falling for phishing.' You're not stupid. You are busy, you are trusting, you were tired, your kid was crying, you were curious, whatever. This is also really not your typical phishing.
— Tay