ALL POSTS
UNC1069 Targets Node.js Maintainers Through Fraudulent Social Media Profiles
Key Findings
- North Korean threat group UNC1069 is conducting coordinated social engineering campaigns against open source maintainers, particularly those managing Node.js and npm packages
- Attackers use fake LinkedIn profiles, Slack messages, and spoofed video conferencing platforms to build rapport over weeks before delivering remote access trojans
- Goal is to compromise maintainer credentials and gain write access to popular packages, allowing injection of malicious code into
Apr 4 · 3 min read
Google Attributes Axios npm Supply Chain Attack to North Korean APT UNC1069
Key Findings
- Google Threat Intelligence Group attributed the Axios npm supply chain attack to UNC1069, a financially motivated North Korean threat group active since at least 2018
- Attackers compromised maintainer Jason Saayman's npm account and published two malicious Axios versions (1.14.1 and 0.30.4) within an hour
- The attack injected a malicious dependency called "plain-crypto-js" that deployed a cross-platform remote access trojan targeting Windows, macOS, and Linux
- Given
Apr 13 min read
