low

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

April 6, 2026·The Hacker News·Threat Intel
supply-chainnpmsocial-engineeringnorth-koreaunc1069axios

CRITICAL: Popular Axios npm Package Compromised via Targeted Social Engineering Attack

TL;DR: North Korean threat actors (UNC1069) successfully compromised the widely-used Axios npm package through sophisticated social engineering targeting its maintainer. Organizations using Axios should immediately audit their dependencies and implement enhanced supply chain security measures.

What Happened

The maintainer of Axios, one of the most popular HTTP client libraries for JavaScript with over 100 million weekly downloads, has confirmed a supply chain compromise orchestrated by North Korean threat actors tracked as UNC1069. Jason Saayman, the package maintainer, disclosed that attackers conducted a highly-targeted social engineering campaign "specifically tailored to me," according to reporting by The Hacker News.

The attack began with threat actors approaching Saayman while impersonating the founder of what appeared to be a legitimate organization, demonstrating the sophisticated reconnaissance and preparation typical of state-sponsored operations.

Technical Analysis

UNC1069 represents a well-known North Korean threat group that has previously conducted supply chain attacks against open-source ecosystems. Their modus operandi involves extensive target research followed by personalized social engineering campaigns designed to gain the trust of maintainers.

In this case, the attackers likely spent considerable time researching Saayman's professional background, communication patterns, and potential interests to craft a convincing approach. Once they established contact, they would have worked to build rapport over time before requesting actions that ultimately led to the package compromise.

The Axios library is a critical dependency in countless JavaScript applications, making it an extremely high-value target for supply chain attacks. Any malicious code injected into this package would have immediate access to HTTP requests and responses in affected applications.

Impact & Who's Affected

This compromise potentially affects millions of applications worldwide that depend on Axios. Organizations most at risk include:


The scope of potential data exposure includes API keys, authentication tokens, user data, and any information transmitted through HTTP requests handled by Axios.

What You Should Do

Immediate Actions:

1. Audit your dependencies — Check all projects for Axios usage and identify affected versions
2. Review network logs — Examine HTTP traffic patterns for anomalous requests from applications using Axios
3. Rotate credentials — Consider rotating API keys and tokens that may have been exposed
4. Update immediately — Install the latest clean version of Axios once available
5. Implement dependency pinning — Lock specific versions to prevent automatic updates to compromised packages

Medium-term measures:


The Bigger Picture

This attack underscores the persistent threat North Korean APT groups pose to the global software supply chain. UNC1069's success with targeted social engineering highlights a critical vulnerability in open-source security: the human element.

The incident follows a pattern of increasing sophistication in supply chain attacks, where state actors invest significant resources in compromising widely-used packages. Unlike opportunistic attacks, these campaigns demonstrate patience, extensive reconnaissance, and tailored approaches that are difficult to detect using traditional security measures.

Organizations must recognize that supply chain security extends beyond technical controls to include awareness training for open-source maintainers and contributors. The open-source ecosystem's collaborative nature, while a strength, also creates trust relationships that sophisticated attackers can exploit.

This compromise serves as a stark reminder that even the most trusted packages can become attack vectors, reinforcing the need for comprehensive dependency management and zero-trust approaches to third-party code.

← All Threat IntelSource: The Hacker News