high

Axios npm hack used fake Teams error fix to hijack maintainer account

April 6, 2026·BleepingComputer·Threat Intel
supply-chainsocial-engineeringnpmnorth-koreaopen-source

Popular Axios Library Targeted in Sophisticated Social Engineering Attack

TL;DR: Maintainers of the widely-used Axios HTTP client library disclosed how North Korean threat actors used a fake Microsoft Teams error message to compromise a developer's account in an attempted supply chain attack. The attack failed, but highlights evolving tactics targeting open-source maintainers.

What Happened

The maintainers of Axios—a JavaScript HTTP client library with over 100 million weekly npm downloads—published a detailed incident report describing a sophisticated social engineering campaign that targeted one of their developers. According to the post-mortem shared by the Axios team, attackers believed to be North Korean threat actors attempted to compromise the project through a carefully crafted deception involving a fake Microsoft Teams error message.

The attack began when a developer received what appeared to be a legitimate Teams error notification, complete with instructions to "fix" the supposed issue. This social engineering tactic represents an evolution from traditional phishing emails toward more contextually relevant workplace communication platforms that developers interact with daily.

Technical Analysis

Social engineering attacks targeting software maintainers have become increasingly sophisticated, particularly those attributed to North Korean Advanced Persistent Threat (APT) groups. These campaigns typically follow a multi-stage approach: initial contact through trusted platforms, building rapport with targets, and eventually delivering malicious payloads or credential harvesting attempts.

The use of Microsoft Teams as the initial attack vector is particularly concerning because it exploits the trust developers place in their daily collaboration tools. Teams notifications often contain technical instructions or troubleshooting steps, making malicious messages less likely to trigger suspicion compared to traditional phishing emails.

While the Axios team hasn't disclosed the complete technical details of the attack mechanism, supply chain attacks targeting npm packages typically aim to inject malicious code into widely-distributed libraries, potentially affecting millions of downstream applications.

Impact & Who's Affected

Although the attack against Axios was unsuccessful, the implications extend far beyond a single library. Axios is integrated into countless JavaScript applications across enterprises, startups, and personal projects worldwide. A successful compromise could have provided attackers with unprecedented access to applications processing sensitive data.

This incident particularly affects:


What You Should Do

For Development Teams:


For Open-Source Maintainers:

For Security Teams:

The Bigger Picture

This attack represents a concerning trend where nation-state actors increasingly target the open-source ecosystem's human element rather than purely technical vulnerabilities. North Korean threat groups have previously demonstrated sophisticated capabilities in targeting cryptocurrency exchanges and software companies, often using prolonged social engineering campaigns.

The incident underscores the critical security challenges facing open-source maintainers, who often operate with limited resources while managing software that powers significant portions of the internet's infrastructure. As reported by BleepingComputer, these targeted campaigns highlight the need for enhanced security support and training for open-source contributors.

Organizations must recognize that their security posture extends beyond their own code to include the human factors affecting their entire software supply chain.

← All Threat IntelSource: BleepingComputer