HackRead

UNC1069 Targets Node.js Maintainers via Fake LinkedIn, Slack Profiles

A coordinated group of hackers is currently targeting Open Source Maintainers, particularly those managing Node.js and npm, following a high-profile attack on the popular Axios npm package.

Security experts at Socket investigated these attacks, identifying that hackers are using social engineering techniques to initiate contact through LinkedIn or Slack, posing as recruiters or podcast hosts under fake company profiles and using fake meeting sites that look exactly like Microsoft Teams or Zoom.

How the Trick Works

According to Socket’s research, these scammers are very patient, as they spend weeks building rapport before sending the suspicious link. For example, on 5 March 2026, a developer named Jean Burellier was contacted on LinkedIn by someone posing as a representative of Openfort, and wasn’t invited to a call until 23rd March, via a fake link that appeared to be teams.microsoft.com but redirected to a copycat site, teams.onlivemeet.com.
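The teams.microsoft.com-versus-teams.onlivemeet.com pattern above is the kind of mismatch a maintainer can catch mechanically before ever clicking. The following is an added example, not code from Socket or from the article: it parses an invite's HTML, pulls every link, and flags any whose visible text names a different host than the real destination, or whose real host borrows a meeting-platform brand word without being on an expected-host list. The sample invite, the trusted-host list and the brand-word list are all constructed assumptions to adapt to your own environment.

```python
"""Flag meeting links whose visible text and real destination disagree.

Added example for this article. It assumes the invite arrives as HTML
(e.g. a LinkedIn or Slack message export); the sample below is constructed
to mirror the lookalike pattern described in the text.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a maintainer actually expects a meeting link to land on
# (assumption: extend this for your own organisation).
TRUSTED_MEETING_HOSTS = ("teams.microsoft.com", "zoom.us", "streamyard.com")

# Brand words that lookalike domains tend to borrow (assumption).
BRAND_WORDS = ("teams", "microsoft", "zoom", "streamyard")

# Constructed sample invite: the first link's text claims Teams but its
# href goes to a different host; the second is a genuine-looking Teams link;
# the third is an ordinary attachment link.
SAMPLE_INVITE_HTML = """
<p>Looking forward to our chat next week.</p>
<p>Join: <a href="https://teams.onlivemeet.com/meet/abc123">teams.microsoft.com/l/meetup-join</a></p>
<p>Backup: <a href="https://teams.microsoft.com/l/meetup-join/xyz">https://teams.microsoft.com/l/meetup-join/xyz</a></p>
<p>Agenda: <a href="https://example.org/agenda.pdf">agenda</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(value):
    """Lower-case host of a URL, or of bare 'host/path' text without a scheme."""
    if "://" not in value:
        value = "https://" + value
    return (urlparse(value).hostname or "").lower()


def is_trusted_host(host):
    """True if host is a trusted meeting host or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_MEETING_HOSTS)


def looks_like_hostname(text):
    """True if the visible link text reads like a URL or hostname."""
    return "." in hostname(text) and " " not in text


def check_links(html):
    """Return a list of (href, reasons) for links that deserve a second look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = hostname(href)
        reasons = []
        # Reason 1: the text the recipient reads names a different host than
        # the one the browser will actually open.
        if looks_like_hostname(text) and hostname(text) != real_host:
            reasons.append(
                f"visible text says {hostname(text)} but link goes to {real_host}"
            )
        # Reason 2: the real host trades on a meeting-platform brand name
        # without being one of the hosts we expect.
        if not is_trusted_host(real_host) and any(w in real_host for w in BRAND_WORDS):
            reasons.append(
                f"{real_host} borrows a meeting-platform brand name but is not a trusted host"
            )
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_INVITE_HTML):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The check deliberately judges the `href`, not the text, because the text is what the attacker controls for persuasion; pairing it with an allow-list of expected hosts catches both the displayed-versus-real mismatch and brand-borrowing domains that never claimed to be anything else.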

During the call, they pretend there is a technical glitch and ask the maintainer to download a small “fix”. This file is actually a remote access trojan (RAT), which gives the attackers full control over the victim’s computer. Their ultimate goal is to steal the maintainer’s credentials and gain write access to their projects, so that malicious code can be pushed directly into official software updates.

[Image: screenshots via Socket]

“There’s A LOT leading up to the call. It’s not urgent, pressing, or suspicious at all. It’s not a one-click, get phished. They’ll schedule a call for next week and then reschedule it for the week after. It’s crazy disarming,” Socket’s security researcher Tay (@tayvano_) explained.

Key Targets

The attackers used a spoofed Streamyard platform to trick Pelle Wessman, a maintainer of Mocha, into downloading a virus. Another expert, Matteo Collina, nearly fell for a Slack message on 2 April, while others like Scott Motte (creator of dotenv) and John-David Dalton (creator of Lodash) were also targeted. They even went after Socket CEO Feross Aboukhadijeh, the creator of WebTorrent and buffer, who noted that this type of targeting is becoming the “new normal.”

A New Level of Danger

This is a challenging situation because while most of us think two-factor authentication (2FA) is enough, researchers explained that a hacker can bypass these security steps entirely by obtaining deep access using tools like WAVESHAPER or HYPERCALL.

Behind this chaos is a financially motivated North Korean group, UNC1069. Google has formally blamed UNC1069 for the recent Axios attack, noting that it is a cluster of hackers with “deep experience with supply chain attacks.”

As per Socket’s research, UNC1069 is not chasing individual victims anymore, as they have likely realised that compromising just one person who manages a popular tool allows them to automatically reach millions of users at once.

While experts are the targets, it’s the everyday users who end up with the malware. Therefore, maintainers should be wary of any invite requiring software installs, while the rest of us must keep our systems updated to stay safe.