Axios, one of the most widely used JavaScript libraries, recently became part of a serious security incident. Attackers didn’t break in through code vulnerabilities or infrastructure flaws — they used social engineering to gain access and distribute malicious code through the npm ecosystem.
Modern attacks are much harder to detect now. Even when you’re very careful, there’s still a good chance you’ll be targeted.
According to The Hacker News, an organization named UNC1069 (often associated with North Korea) is behind the recent breach. But while the identity of the attacker is interesting, the way in which they breached Axios is really the important story.
UNC1069 chose to target people who have access to the application instead of exploiting technical vulnerabilities. People are much easier to trick than technology.
UNC1069 created a convincing-looking Slack channel that included fake activity. It wasn’t until later that anyone realized something was wrong.
What I find particularly disturbing about this breach is just how much effort UNC1069 put into tailoring their social engineering tactics to the specific individual involved – the Axios maintainer Jason Saayman.
“They approached me under the guise of the founder of a legitimate well-known company”, he said.
They even went as far as cloning the company founder’s likeness and creating a duplicate version of the company.
A short time after being contacted, a fake Microsoft Teams call took place during which a fake technical problem was discussed. The purpose of the call was solely to gain access. The maintainer never suspected a thing and was simply attempting to assist with fixing a minor problem.
As soon as the attackers were able to obtain access to the system, they installed a malicious package. To avoid raising red flags, however, they didn’t install anything on Axios directly; rather, they used a dependency of Axios to distribute the malicious code throughout other applications using that same dependency.
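As an added illustration of why a payload hidden in a dependency of Axios reaches every downstream project that installs it (example code written for this page, not from the article or the Axios project): the script walks an npm lockfile and lists every chain from a direct dependency down to a flagged package. The lockfile and every package name in it, including "compromised-dep", are constructed placeholders; the article does not name the actual dependency.

```javascript
// Added example (not from the article): list every chain from a direct
// dependency down to a flagged package in an npm lockfile (v2/v3 "packages").

// Constructed lockfile, hypothetical names: "axios" and "left-util" both pull
// in "compromised-dep"; the nested copy under left-util is a different version.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.0.0", "left-util": "^2.0.0" } },
    "node_modules/axios": { version: "1.0.0", dependencies: { "compromised-dep": "^0.5.0" } },
    "node_modules/left-util": { version: "2.0.0", dependencies: { "compromised-dep": "^0.4.0" } },
    "node_modules/compromised-dep": { version: "0.5.1" },
    "node_modules/left-util/node_modules/compromised-dep": { version: "0.4.2" },
  },
};

// npm resolution: the copy in the nearest enclosing node_modules, up to root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed (lockfile is inconsistent)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root. One result per chain ending at flaggedName,
// optionally restricted to known-bad versions, with the installed version.
function findExposurePaths(lock, flaggedName, badVersions = null) {
  const packages = lock.packages;
  const results = [];
  const visit = (path, chain) => {
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      if (chain.includes(dep)) continue; // cycle guard
      const resolved = resolveDep(packages, path, dep);
      if (!resolved) continue;
      const nextChain = [...chain, dep];
      const version = packages[resolved].version;
      if (dep === flaggedName && (!badVersions || badVersions.includes(version))) {
        results.push({ chain: nextChain, version });
      }
      visit(resolved, nextChain);
    }
  };
  visit("", []);
  return results;
}
```

Run against a real package-lock.json (parsed with JSON.parse), the first element of each chain is the direct dependency that needs a pin or an override, and the version field shows which copy of the flagged package it actually resolved to.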
Even experienced developers can fall for scenarios that look entirely legitimate. It may look like carelessness, but experience has shown that these attacks keep getting more sophisticated.
It is therefore imperative to develop processes that will prevent a single mistake from resulting in a massive breach.
I think after XZ and Lasse there will be even more cases like this.