
North Korea behind social engineering attack on Axios project

The maintainer of the popular npm package Axios has revealed how attackers were able to take over his account and subsequently publish malicious versions. This was a social engineering attack carried out by the North Korean group UNC1069. The compromised versions installed a Remote Access Trojan on victims’ systems.

On March 31, the attackers used the hijacked npm account of the primary maintainer to publish two compromised versions of Axios. As described yesterday, those versions quietly installed a cross-platform Remote Access Trojan on macOS, Windows, and Linux via a fake dependency. Axios is an HTTP client library for Node.js and browsers with over 100 million weekly downloads on npmjs.com.

The maintainer has now explained on GitHub exactly how that account fell into the attackers’ hands. “Unfortunately, I fell victim to a fairly well-known (though not to me) social engineering attack, in which a group posed as someone interested in collaborating on open source or something similar. This led to my account being hacked.” No further technical details about the attack have been provided.

UNC1069 active since 2018

According to Google, UNC1069 is responsible for the attack. That group is financially motivated and primarily targets crypto companies, as Google describes in an analysis published in February. The group has reportedly been active since 2018. The same report revealed that UNC1069 now also uses AI tools and deepfakes for social engineering attacks, including through fake Zoom meetings and Telegram messages.

The pattern of hijacking maintainer accounts to publish malicious npm packages is not new. In September 2025, the popular packages Chalk and Debug were already compromised following a phishing attack on a maintainer account, as we reported at the time.

Measures taken after the hack

After discovering the hack, the Axios maintainer formatted his systems and reset all accounts. “I have also taken steps to improve my own security habits. From now on, I will be much more suspicious of any requests related to open source.” He also announced that he will start using a FIDO security key.

In 2023, GitHub had already warned about this type of social engineering attack, in which developers are tricked into executing malicious code. Microsoft reiterated that warning a year later. Both companies pointed to the involvement of groups linked to North Korea.