Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign

Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.

Sarah Gooding

April 3, 2026

9 min read


Since we published our initial analysis of the axios compromise, a deep dive into its hidden blast radius, and a report on the maintainer confirming it was social engineering, maintainers across the Node.js ecosystem have come out of the woodwork to report that they were targeted by the same social engineering campaign. The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself, and together they confirm that axios was not a one-off target. It was part of a coordinated, scalable attack pattern aimed at high-trust, high-impact open source maintainers.

High-Impact Node.js Maintainers Confirm They Were Targeted

Attackers also targeted several Socket engineers, including CEO Feross Aboukhadijeh. Feross is the creator of WebTorrent, StandardJS, buffer, and dozens of widely used npm packages with billions of downloads. Commenting on the axios post-mortem thread, he noted that this type of targeting is no longer unusual:

"This kind of targeted social engineering against individual maintainers is the new normal," he said. "It's not a reflection on Jason or the axios team — these campaigns are sophisticated and persistent. We're seeing them across the ecosystem and they're only accelerating."

Jordan Harband, John-David Dalton, and other Socket engineers also confirmed they were targeted. Harband, a TC39 member, maintains hundreds of ECMAScript polyfills and shims that are foundational to the JavaScript ecosystem. Dalton is the creator of Lodash, which sees more than 137 million weekly downloads on npm. Between them, the packages they maintain are downloaded billions of times each month.

Wes Todd, an Express TC member and member of the Node Package Maintenance Working Group, also confirmed he was targeted.

Matteo Collina, co-founder and CTO of Platformatic, Node.js Technical Steering Committee Chair, and lead maintainer of Fastify, Pino, and Undici, disclosed on April 2 that he was also targeted. His packages also see billions of downloads per year. "I've just learned more details about the axios hack and… they tried to hack me too! Didn't work, but gosh," he wrote on X.

Collina described the initial contact as a Slack message from what appeared to be a legitimate company doing outreach.

"The first link was from Slack from a seemingly legit company doing guerrilla marketing," he said. "Then they wanted me to download/install some software, which was a bit of a smell." He credited his packed schedule for saving him: he was, in his words, "way too busy for my own good."

Scott Motte, creator of dotenv, the package used by virtually every Node.js project that handles environment variables, with more than 114 million weekly downloads, also confirmed he was targeted using the same Openfort persona.

Julian Gruber, a maintainer of several widely used Node.js utilities, reported receiving multiple Slack invites on March 10 and 11 from an account impersonating Openfort co-founder Joan Alavedra, suggesting the campaign was already underway weeks before the Axios compromise surfaced.

Ulises Gascón, a Node.js core collaborator and releaser, Express TC member, Lodash TSC member, and Node.js Security Working Group contributor, also confirmed he was targeted.

"This campaign is massive and a great reminder that behind your favorite open source dependencies are humans too," he said on X.

Pelle Wessman, a maintainer of mocha, neostandard, npm-run-all2, and type-fest, described a nearly identical scenario he experienced a few weeks before the axios compromise. He was invited to participate in a podcast recording, added to a group with other supposed interviewees, given preparatory questions, and then brought to a scheduled video call on what turned out to be a spoofed version of a real streaming platform. When the call began, the fake site presented a technically plausible error message and prompted him to install a native app to resolve it. Wessman identified the downloaded app as containing an info stealer, and did not run it.

He documented the playbook in detail on LinkedIn.

When Wessman refused to run the app, the attackers made a last-ditch attempt to get him to run a curl command in his terminal, then went dark and deleted all conversations.

"This error I got is a technically quite sensible error message (though UX wise it was weird that it blocked much of the chat, kind of made it hard for the social engineers to do their social engineering)," he said.

He also shared that the app he downloaded (from the faked version of Streamyard) was verified to contain malware.

Wessman also received a LinkedIn invitation from the campaign's operators, spaced weeks apart from the Slack invitations.

Jean Burellier, a Node.js core collaborator and contributor to Express, shared a detailed account of the campaign against him. It began on March 5 with a LinkedIn message from someone posing as a representative of Openfort. After exchanging messages, he was invited into two separate Slack workspaces by two different personas. When he joined, he was placed in a private channel with no other visible members and immediately pushed toward scheduling a call.

The first call, on March 23, he missed. A second was set for March 27. The meeting link was withheld from the calendar invite and sent over Slack just five minutes before the call. It appeared to go to teams.microsoft.com but redirected to a spoofed domain, teams.onlivemeet.com. Once in the fake meeting, Burellier was shown what appeared to be a video of his interviewer. He was unsure whether it was a real person or AI-generated, and within seconds was prompted with an update notice. He declined, saying he would not install anything, and suggested rescheduling. Within minutes he was removed from both Slack workspaces and all conversations were deleted.

Axios maintainer Jason Saayman has since shared additional details with Socket about the Slack workspace used against him: it was carefully constructed with spaced-out posts timed to simulate genuine company activity, and fake profiles that mimicked real, prominent open source maintainers. Notably, he was targeted using the same Openfort persona used against Burellier.

Impersonation Extends the Campaign

Openfort co-founder Joan Alavedra recently disclosed a multi-week incident in which attackers used his identity and company branding to contact developers across LinkedIn and Slack. They created convincing Slack workspaces, spoofed domains, and used lookalike email and messaging accounts to invite targets into conversations that appeared legitimate. While Alavedra himself was not the target of a supply chain compromise, his identity was used to establish credibility, a critical step in luring maintainers into the same staged environments used in the Axios attack.

How the Attack Works

The axios post-mortem thread drew a detailed technical breakdown from security researcher Tay (@tayvano_), who has tracked these campaigns as they have evolved across the cryptocurrency sector. Her analysis connects the Node.js maintainer targeting to documented DPRK-nexus threat actors, specifically the group Mandiant tracks as UNC1069.

The operation takes weeks to execute and is deliberately designed to feel unremarkable. Attackers build rapport over time, schedule calls in advance and reschedule them, and conduct themselves with the professionalism of a legitimate business contact.

"There's A LOT leading up to the call," Tay wrote. "It's not urgent, pressing, suspicious at all. It's not a one-click, get phished. They'll schedule a call for next week and then reschedule it for the week after. It's crazy disarming."

The fake meeting infrastructure is built to look genuine. Attackers use real SDKs and CSS from platforms like Zoom and Microsoft Teams to recreate the interface. The call appears in-browser, with no application to install, until the audio "fails." At that point, the victim is prompted to fix the issue, either by clicking a link that downloads a malicious AppleScript or by running a command pasted into the terminal. That action installs a remote access trojan that establishes persistence, collects system information, and calls home every 60 seconds awaiting further instructions.

As Tay explains, 2FA provides no protection at this stage. "When you have a RAT on your device, it grabs your post-authentication state, making 2FA irrelevant." The malware can exfiltrate .npmrc tokens, browser session cookies, AWS credentials, keychain contents, and anything else stored on the machine. With that access, publishing a malicious package to npm requires no additional authentication bypass.

"It is also worth noting that OIDC-based publishing does not solve this class of attack," Wes Todd warned. "It is a meaningful improvement to publishing hygiene, but it does not protect against a fully compromised machine, and treating it as a cure-all leaves maintainers with a false sense of security."

A Known Playbook, Now Pointed at Open Source

Mandiant's February 2026 report on UNC1069 documented this exact approach being used against cryptocurrency companies, DeFi firms, and venture capital targets. The group has been active since at least 2018, and has increasingly incorporated AI-generated video to impersonate executives during calls. Their tooling, including the WAVESHAPER backdoor, HYPERCALL downloader, DEEPBREATH data miner, and CHROMEPUSH browser extension stealer, was designed for deep, persistent compromise of individual machines.

Targeting open source maintainers is a strategic pivot. "Why have calls one by one by one to eventually get the one rich dude when you can get 1 million+ dudes at once?" Tay said.

A malicious version that stays live for even a few hours can reach millions of installs through automated dependency resolution.

The attackers are also iterating quickly. Tay noted new infrastructure appearing this week that appears designed for Slack huddles, extending the fake meeting playbook to another platform.

"They didn't use MS Teams at all 6 months ago," she said. "Now it's all we see."

Write Access to npm Is the Prize

The npm registry processes trillions of downloads a year. It is the substrate on which modern software is built, not just JavaScript applications, but the CI pipelines, build tools, developer CLIs, and AI toolchains that run across virtually every technology organization in the world. The packages named in this campaign sit at the deepest levels of that infrastructure. A compromised maintainer account is a direct write path to npm.

Historically, these campaigns targeted individuals for access in order to drain cryptocurrency wallets.

"Historically (for fucking YEARS now) these specific guys have gone after crypto founders, VCs, public people," Tay said. "They social engineer them and take over their accounts and target the next round of people. Sometimes they will take accounts of folks who go to a lot of conferences and meet a lot of people, even if they aren't rich. They do this bc it will increase the likelihood of them getting a rich victim next time."

The npm ecosystem gives attackers a different kind of access: write permissions to packages that sit inside the software supply chains of companies worldwide.

Tay posted a direct warning to maintainers in the axios post-mortem thread:

I strongly recommend that the OSS maintainer community takes this very seriously. The specific personas and channels used for this attack are being investigated and taken down. But there are more. So many more. Report them. Talk about them. Share them. Share your stories. Do not be embarrassed. Defend each other from people who call you stupid for 'falling for phishing.' You're not stupid. You are busy, you are trusting, you were tired, your kid was crying, you were curious, whatever. This is also really not your typical phishing.

It's important for the broader community to understand that the compromise of one maintainer's machine is not just an attack on that maintainer. It is an attack on every project that depends on what they publish, and will have cascading effects across the millions of applications and services that depend on those packages without ever knowing it.
