Axios Attack Shows Complex Social Engineering Is Industrialized
The attack on the popular NPM package Axios is just one of many targeting maintainers and has shone a light on how threat actors can scale sophisticated social engineering campaigns.
Alexander Culafi, Senior News Writer, Dark Reading
April 6, 2026
The Axios attack has highlighted the sophistication, scalability, and industrialization of social engineering attacks.
Late last month, the NPM package of Axios, an extremely popular JavaScript HTTP client library, was compromised in a social engineering attack. A threat actor, believed to be the North Korean threat group UNC1069, compromised lead maintainer Jason Saayman's account and then published two malicious versions to NPM. Each version pulled in a new malicious dependency carrying a remote access Trojan (RAT), which infected developers unfortunate enough to install the malicious updates.
The software development community jumped on the attack quickly, and the malicious versions were removed within a few hours, but Axios is downloaded more than 100 million times per week.
In a post-mortem on GitHub, Saayman wrote that he, as lead maintainer, had been deceived in a social engineering campaign that began two weeks before the attack, and that the Axios team was still investigating exactly how the compromise occurred.
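The pattern above, a routine-looking version bump that introduces a brand-new dependency, is something a consumer can check for before upgrading. The following is an added example, not Axios project code: it diffs two package manifests (constructed here; the new dependency name is a placeholder) and flags new dependencies and new or changed install-time scripts.

```javascript
// Added example (not from the Axios project): flag a release that introduces
// new dependencies or install-time scripts relative to the previously trusted
// release. The manifests at the bottom are constructed for illustration.

// npm lifecycle hooks that run code on the installing machine.
const INSTALL_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];

function bumpKind(oldVer, newVer) {
  // Classify a semver bump as major, minor or patch (pre-release tags ignored).
  const a = oldVer.split(".").map(Number);
  const b = newVer.split(".").map(Number);
  if (a[0] !== b[0]) return "major";
  if (a[1] !== b[1]) return "minor";
  return "patch";
}

function depNames(pkg) {
  return new Set(Object.keys(pkg.dependencies || {}));
}

function assessRelease(oldPkg, newPkg) {
  // Returns human-readable findings; an empty array means nothing unusual.
  const findings = [];
  const kind = bumpKind(oldPkg.version, newPkg.version);
  const before = depNames(oldPkg);
  for (const name of depNames(newPkg)) {
    if (!before.has(name)) {
      findings.push(`${kind} bump ${oldPkg.version}->${newPkg.version} adds new dependency ${name}`);
    }
  }
  const oldScripts = oldPkg.scripts || {};
  const newScripts = newPkg.scripts || {};
  for (const hook of INSTALL_SCRIPTS) {
    if (newScripts[hook] && newScripts[hook] !== oldScripts[hook]) {
      findings.push(`install-time script ${hook} added or changed: ${newScripts[hook]}`);
    }
  }
  return findings;
}

// Constructed manifests: a trusted prior release and a suspicious follow-up.
const PRIOR = { name: "some-http-client", version: "1.2.3",
  dependencies: { "follow-redirects": "^1.15.6", "form-data": "^4.0.0" } };
const SUSPECT = { name: "some-http-client", version: "1.2.4",
  dependencies: { "follow-redirects": "^1.15.6", "form-data": "^4.0.0",
                  "placeholder-new-dep": "^0.1.0" },
  scripts: { postinstall: "node ./setup.js" } };

for (const finding of assessRelease(PRIOR, SUSPECT)) console.log("FLAG:", finding);
```

In a real pipeline the two manifests would come from the registry metadata of the installed and candidate versions, and any finding would block the upgrade pending review.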
The maintainer said the threat actors reached out posing as the founder of a company, cloning both the founder's likeness and the company's identity. The attackers invited Saayman to a real Slack workspace with multiple active channels, which he described as "super convincing." He was then invited to a meeting on Microsoft Teams, and when he joined, he was prompted to install a missing file because his system was "out of date." When Saayman installed the missing item, it turned out to be the RAT that was spread through the NPM package.
One additional detail the maintainer noted was that the RAT gave the attackers full "unilateral" control over his computer, even though two-factor authentication (2FA) was enabled on his NPM account.
Not Just Axios
The threat campaign that led to Axios' compromise seemingly also targeted a wide range of users and executives. Security researcher Taylor Monahan (@tayvano) posted a detailed technical breakdown of the social engineering campaign in the post-mortem thread as well. She wrote that the attackers spend a lot of time in the lead-up to the call during which the target is compromised: there is no urgency and no one-click phish, calls get rescheduled, and so on. The slow pace is a tool to disarm the target.
Monahan posited that these specific North Korean actors have for years targeted cryptocurrency founders, venture capital executives, and public figures with social engineering attacks to get what they want. Sometimes the goal is an infostealer or cryptocurrency stealer; sometimes it is long-term access or a keylogger. The researcher emphasized that once the attackers are in, protections like 2FA no longer matter.
Development security vendor Socket published research late last week detailing this extensive campaign, observing that many members of the open source software community have been targeted to date, including a number of Socket engineers and the company's CEO, Feross Aboukhadijeh, who has created or contributed to dozens of widely used NPM packages. Plenty of other developers and tech executives were targeted by the same playbook of slow-burn social engineering attacks.
These are people with direct access to software packages that are downloaded millions of times each week. If an attacker can compromise even a handful of people with that kind of critical access, it is easy to see how the Axios breach might not remain an isolated incident, especially considering Shai-Hulud, GlassWorm, and other campaigns that have put the development community on the back foot in recent months.
A More Industrialized Social Engineering Landscape
Sarah Kern, principal threat researcher at Sophos, says the Axios attack reflects the kind of social engineering campaign the Democratic People's Republic of Korea (DPRK) has been conducting for years. "While it only takes one high-value victim for a widescale attack like we've seen with the Axios supply chain, these threat actors are plotting these schemes full time with the backing of the North Korean regime," she says.
Aboukhadijeh tells Dark Reading that there has been a meaningful shift: these kinds of social engineering attacks were historically reserved for high-value individuals like cryptocurrency founders and executives with direct access to money. Yet, "the potential reach changes completely when you point that same playbook at open source maintainers."
"One successful compromise doesn't get you one wallet. It gets you write access to a package downloaded hundreds of millions of times a week, with a blast radius that extends to every organization running that code. That's a fundamentally different threat model, and it scales in a way that traditional social engineering never did," Aboukhadijeh says.
As for why this is happening, he says a few things have converged: AI has dramatically lowered the cost of building trust, because threat actors can generate convincing personas and maintain coherent conversations even across language barriers; ClickFix and similar delivery mechanisms have made payload delivery frictionless; and attacker tooling has matured significantly.
Tom Hegel, distinguished threat researcher at SentinelOne, says attacker operational infrastructure has matured, particularly for a sophisticated adversary like a North Korean state-sponsored threat group.
"The slow-burn approach used to be expensive in terms of human attention, which naturally capped scale," he tells Dark Reading. "That constraint is loosening, and we should treat this as a permanent shift in the threat landscape rather than a spike."
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.