North Korean hackers at the heart of open source: the attack on Node.js maintainers
Introduction
Open source software underpins much of the software we use every day, often without our knowing it. When someone compromises the people who develop and maintain it, the consequences can spread silently to millions of users. That is what happened between March and April 2026, when a group of hackers linked to North Korea targeted some of the best-known names in the Node.js and npm ecosystem.
What happened
The group, tracked by researchers as UNC1069 and believed to be linked to North Korea, carried out a series of social engineering attacks against high-profile developers. Social engineering exploits people rather than technical vulnerabilities: in this case the attackers approached their targets under fake identities, backed by AI-generated video and spoofed Slack workspaces, in order to pass as legitimate contacts.
Among the targets were some of the most well-known maintainers in the JavaScript ecosystem: Jason Saayman, who manages the Axios library, Jordan Harband, John-David Dalton (known for Lodash), Matteo Collina (author of Fastify, Pino, and Undici), Scott Motte (creator of dotenv), and engineers from the security company Socket, including Feross Aboukhadijeh. One of the techniques used involved creating a fake identity associated with a supposed company called Openfort, in order to gain the victims’ trust.
In the case of Jason Saayman and Axios the attack had concrete consequences: malicious code was inserted into the package, in what is known as a software supply chain attack. In other cases the attackers tried to trick victims into installing information-stealing malware or running malicious commands on their own machines.
Why it matters
Axios, Lodash, dotenv, and the other libraries involved are dependencies of tens or hundreds of millions of software projects worldwide. If a package is modified to include hidden code, that code automatically reaches anyone who installs or updates to the tampered version: companies, developers and, indirectly, end users. Projects that pin exact versions in a lockfile are not exposed until they update to the tampered release. This campaign represents an evolution of North Korea's strategy, which analysts say is increasingly shifting toward open source maintainers as a privileged point of access.
What companies and users can do
For those working in software development, it is important to verify out of band the identity of anyone who makes contact through digital channels, especially when asked to install software, join a call on an unfamiliar workspace, or run commands. Organizations should use software dependency analysis tools to detect anomalous changes in the packages they consume, such as a version whose published contents differ from what the lockfile previously recorded, or a dependency that suddenly gains an install script. End users of applications built by third parties have no direct means of verification; they can, however, favor vendors that document their supply chain security practices.
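To make the "anomalous changes in the packages they use" advice concrete, here is an added example (not code from the article, from Socket, or from any of the projects named above) of the kind of check a dependency review can run: it compares two npm package-lock.json documents and flags the deltas a supply chain reviewer cares about most, a new integrity hash for a version that did not change (npm never lets a published version be overwritten, so this means the tarball is not what the registry originally served), a dependency that gains an install script, a tarball resolved from somewhere other than the public registry, and added or version-bumped packages. The package names, URLs and hashes in the two sample lockfiles are constructed for illustration and do not refer to real packages.

```javascript
// Added example: diff two npm lockfiles (lockfileVersion 2/3 "packages" map)
// and report the changes a supply chain review should look at first.
// All sample data below is constructed; none of it refers to real packages.

const REGISTRY_HOST = "registry.npmjs.org";

// Return findings of the form { kind, name, detail } for old -> new.
function diffLockfiles(oldLock, newLock) {
  const findings = [];
  const oldPkgs = oldLock.packages || {};
  const newPkgs = newLock.packages || {};
  const paths = new Set([...Object.keys(oldPkgs), ...Object.keys(newPkgs)]);

  for (const path of paths) {
    if (path === "") continue; // "" is the root project itself, not a dependency
    const before = oldPkgs[path];
    const after = newPkgs[path];
    const name = path.replace(/^.*node_modules\//, "");

    if (!after) {
      findings.push({ kind: "removed", name, detail: before.version });
      continue;
    }
    if (!before) {
      findings.push({ kind: "added", name, detail: after.version });
    } else if (before.version !== after.version) {
      findings.push({ kind: "version-changed", name,
        detail: `${before.version} -> ${after.version}` });
    } else if (before.integrity !== after.integrity) {
      // Same version, different content hash: the strongest tamper signal here.
      findings.push({ kind: "integrity-changed-same-version", name,
        detail: `${before.integrity} -> ${after.integrity}` });
    }

    // A dependency that starts running code at install time deserves a look.
    if (after.hasInstallScript && !(before && before.hasInstallScript)) {
      findings.push({ kind: "install-script-added", name, detail: after.version });
    }

    // New or changed download location that is not the public registry.
    if (after.resolved && (!before || before.resolved !== after.resolved)) {
      let host = null;
      try { host = new URL(after.resolved).host; } catch (e) { host = null; }
      if (host !== REGISTRY_HOST) {
        findings.push({ kind: "non-registry-source", name, detail: after.resolved });
      }
    }
  }
  return findings;
}

// Constructed sample: the lockfile before a routine "npm update"...
const OLD_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/left-pad-like": { version: "1.2.0",
      resolved: "https://registry.npmjs.org/left-pad-like/-/left-pad-like-1.2.0.tgz",
      integrity: "sha512-AAAA" },
    "node_modules/http-client-lib": { version: "2.0.0",
      resolved: "https://registry.npmjs.org/http-client-lib/-/http-client-lib-2.0.0.tgz",
      integrity: "sha512-BBBB" },
    "node_modules/log-helper": { version: "3.1.0",
      resolved: "https://registry.npmjs.org/log-helper/-/log-helper-3.1.0.tgz",
      integrity: "sha512-CCCC" },
  },
};

// ...and after it. Four things changed, each of a different kind.
const NEW_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/left-pad-like": OLD_LOCK.packages["node_modules/left-pad-like"],
    "node_modules/http-client-lib": { version: "2.0.0",            // same version,
      resolved: "https://registry.npmjs.org/http-client-lib/-/http-client-lib-2.0.0.tgz",
      integrity: "sha512-DDDD" },                                   // different hash
    "node_modules/log-helper": { version: "3.1.1",                 // bumped, and now
      resolved: "https://registry.npmjs.org/log-helper/-/log-helper-3.1.1.tgz",
      integrity: "sha512-EEEE", hasInstallScript: true },           // runs on install
    "node_modules/telemetry-shim": { version: "0.0.1",             // brand new, and
      resolved: "https://cdn.example.invalid/telemetry-shim-0.0.1.tgz", // off-registry
      integrity: "sha512-FFFF" },
  },
};

for (const f of diffLockfiles(OLD_LOCK, NEW_LOCK)) {
  console.log(`${f.kind.padEnd(32)} ${f.name.padEnd(18)} ${f.detail}`);
}
```

In a real pipeline the two inputs would be the committed package-lock.json and the one produced by the update, and a finding of kind integrity-changed-same-version or non-registry-source should fail the build rather than just print; install-script-added is a prompt to read the new version's install hook before accepting it. Running installs with `npm ci --ignore-scripts` in CI removes the install-time execution vector entirely for projects that can tolerate it.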
Final takeaways
- Software supply chain attacks strike invisibly, propagating through seemingly normal updates.
- Social engineering remains one of the most effective threats: fake identities, AI-generated videos, and spoofed platforms are increasingly sophisticated tools.
- The security of open source also depends on protecting the people who develop it, not just the code.
Sources
https://www.securityweek.com/north-korean-hackers-target-high-profile-node-js-maintainers/
https://socket.dev/blog/attackers-hunting-high-impact-nodejs-maintainers
https://www.nextgov.com/cybersecurity/2026/03/north-korea-linked-hackers-suspected-axios-open-source-hijack-google-analysts-say/412523/
https://thehackernews.com/2026/04/unc1069-social-engineering-of-axios.html
Source: SecurityWeek