UNC1069 Targets Node.js Maintainers Through Fraudulent Social Media Profiles

  • Apr 4
  • 3 min read

Key Findings


  • North Korean threat group UNC1069 is conducting coordinated social engineering campaigns against open source maintainers, particularly those managing Node.js and npm packages

  • Attackers use fake LinkedIn profiles, Slack messages, and spoofed video conferencing platforms to build rapport over weeks before delivering remote access trojans

  • Goal is to compromise maintainer credentials and gain write access to popular packages, allowing injection of malicious code into millions of user systems

  • Recent targets include maintainers of Mocha, Axios, dotenv, and Lodash, as well as Socket CEO and other prominent developers

  • Two-factor authentication can be bypassed through deep system access obtained via tools like WAVESHAPER or HYPERCALL

  • Supply chain attacks targeting individual maintainers are more efficient than traditional attacks, as compromising one person reaches millions of downstream users


Background


Following the high-profile compromise of the Axios npm package, security researchers at Socket began investigating a broader pattern of attacks on open source maintainers. The investigation revealed a coordinated campaign by UNC1069, a financially motivated group with documented expertise in supply chain attacks. Google has formally attributed the Axios incident to this group, confirming the group's deep experience in targeting critical infrastructure within the software development ecosystem.


How the Social Engineering Attack Works


The attackers operate with patience and sophistication. They initiate contact through legitimate-looking channels like LinkedIn or Slack, posing as recruiters, podcast hosts, or company representatives using fake company profiles. The process unfolds over weeks rather than days, with multiple reschedules and relationship-building to lower the target's guard.


One documented example involved Jean Burellier, who was contacted on LinkedIn in early March and was not invited to a call until March 23rd. The meeting link appeared legitimate but actually redirected to a copycat site mimicking Microsoft Teams. During the call, the attackers claimed a technical glitch had occurred and asked the victim to download a fix. That file was actually a remote access trojan, giving the attackers complete control over the target's computer.
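As an added defender-side example (not code from the original article or from Socket), here is a small Python helper that vets a meeting invite the way a maintainer or a mail gateway might: it follows the link's redirect chain to the final host and flags destinations that borrow a meeting platform's brand name without sitting under that platform's domain, or that end in an installer download. The redirect table, the allowlist and the lookalike hosts are constructed placeholders so the example runs offline.

```python
from urllib.parse import urlparse

# Constructed allowlist of registrable domains for the meeting platforms the
# article names; an organisation would maintain its own (assumption).
LEGIT_MEETING_DOMAINS = {"microsoft.com": "Microsoft Teams",
                         "streamyard.com": "StreamYard"}
BRAND_WORDS = ("teams", "microsoft", "streamyard")
INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg", ".zip")

# Constructed redirect table standing in for live HTTP hops so the example runs
# offline; the lookalike hosts are placeholders, not real indicators.
REDIRECTS = {
    "https://invite.recruiter.example/meet/abc": "https://teams-microsoft.invalid/join/abc",
    "https://short.example/x1": "https://teams.microsoft.com/l/meetup-join/abc",
    "https://short.example/fix": "https://teams-microsoft.invalid/dl/fix.exe",
}


def resolve(url, redirects=REDIRECTS, max_hops=10):
    """Follow the redirect table; return every hop from first to last."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        chain.append(redirects[chain[-1]])
    return chain


def vet_meeting_link(url, redirects=REDIRECTS):
    """Return (verdict, detail, chain). Verdicts: ok, lookalike, download, unknown."""
    chain = resolve(url, redirects)
    parsed = urlparse(chain[-1])
    host = (parsed.hostname or "").lower()
    # A meeting invite should never terminate in an installer download.
    if parsed.path.lower().endswith(INSTALLER_EXT):
        return "download", host, chain
    for domain, name in LEGIT_MEETING_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return "ok", name, chain
    # Brand name present but not under the brand's domain: copycat site.
    if any(word in host for word in BRAND_WORDS):
        return "lookalike", host, chain
    return "unknown", host, chain


if __name__ == "__main__":
    for link in REDIRECTS:
        print(link, "->", vet_meeting_link(link)[:2])
```

The full hop chain is returned alongside the verdict so a reviewer can see where an innocuous-looking shortener actually lands.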


According to Socket researchers, this disarming approach is intentional. There is no sense of urgency and there are no obvious red flags. The attackers reschedule multiple times and maintain professional communication, making the entire interaction seem routine rather than suspicious.


Specific Targets and Incidents


Pelle Wessman, a maintainer of the popular Mocha testing framework, was tricked into downloading malware through a spoofed Streamyard platform. Matteo Collina, a Node.js core contributor, nearly fell for a Slack message on April 2nd. Other confirmed targets include Scott Motte, creator of dotenv, and John-David Dalton, creator of Lodash.


Even high-profile security professionals were not immune. Socket CEO Feross Aboukhadijeh, creator of WebTorrent and the buffer library, was targeted and noted that this type of attack is becoming the new normal in the open source community.


Why Maintainers Are the Real Target


UNC1069 has shifted strategy from pursuing individual victims to targeting open source maintainers specifically. The group has realized that compromising a single person who manages a widely used tool provides automatic access to millions of downstream users. By injecting malicious code into official software updates, attackers can distribute compromised versions at scale without mounting a separate attack campaign against each end user.


This represents a fundamental shift in supply chain attack strategy, where the maintainer becomes the vulnerability rather than individual users.


The Bypass of Traditional Security Measures


While two-factor authentication is commonly believed to be sufficient protection, researchers have found that attackers can bypass it entirely through deep system access: the protection sits at the login step, not on a host the attacker already controls. Tools like WAVESHAPER and HYPERCALL allow threat actors who have deployed their remote access trojans to circumvent standard authentication protections and maintain persistence even after credential changes.


Recommendations


Open source maintainers should treat any unexpected invitation requiring software installation with extreme caution, even if it appears to come from legitimate contacts. The entire community benefits when developers remain vigilant about suspicious requests, regardless of how professional or disarming they may seem. For general users, keeping systems updated with the latest patches remains critical protection against malware that may have been injected into compromised packages.


Sources


  • https://hackread.com/unc1069-node-js-maintainer-fake-linkedin-slack-profile/

  • https://news.backbox.org/2026/04/04/unc1069-targets-node-js-maintainers-via-fake-linkedin-slack-profiles/

  • https://www.reddit.com/r/InfoSecNews/comments/1scdhd4/unc1069_targets_nodejs_maintainers_via_fake/

© 2025 by Explain IT Again. Powered and secured by Wix