TL;DR—
- What happened: North Korea-linked threat actors targeted a maintainer of axios, one of the most downloaded JavaScript libraries in the world, with a multi-day social engineering campaign over Slack, then sent a link to a fake video meeting page whose audio was deliberately broken.
- One human mistake, by a maintainer of code that anyone is free to use who thought they were networking with a real company and a real opportunity, put every developer whose npm install resolved an affected version during that window at potential risk.
- What you can do:
- Vet unfamiliar companies before engaging in meetings: check how long the domain has been registered, the company's LinkedIn presence, and whether anyone you trust actually knows them.
- Treat meeting links like phishing links—check the domain before clicking.
- Never download a script to fix a video call—legitimate video call platforms don’t work that way.
- If a video call isn’t working, don’t troubleshoot it—hop on a phone call or send a known-good meeting link you control.
- Want to go deeper? Fable’s ebook “One ish, two ish: How to prevent modern phishing” covers more modern social engineering attacks like this one—no email required.
Google: North Korean attackers hijacked a wildly popular NPM package by first hijacking a human
On March 31, 2026, Google’s Threat Intelligence Group reported that North Korean threat actors tracked as UNC1069 had compromised axios, the most widely used JavaScript HTTP library, with over 100 million weekly downloads, by slipping a malicious dependency called “plain-crypto-js” into axios versions 1.14.1 and 0.30.4.
They got there by first investing significant effort in an involved social engineering attack against the library’s maintainer, one that by now follows a fairly standard UNC1069 script.
Stage 1—The Setup: A fake company that looked real enough.
Attackers built a convincing company persona: a real-looking Slack presence and the other surface trappings of legitimacy.
The fake company was purpose-built to pass a casual inspection, with enough surface-level credibility and realistic responses to keep a busy open source maintainer replying.
This was not a cold email from a stranger; the ask came only after a relationship had grown from believable foundations.
Stage 2—The Trust Build: Days of normal conversation.
UNC1069 didn’t rush. They spent days—possibly over a week—in normal, collegial back-and-forth. Low stakes. Friendly.
This is slow-burn social engineering: patience deployed as a weapon.
By the time the meeting invite arrived, it didn’t feel like a cold ask. It felt like a natural next step.
Stage 3—The Fake Meeting: Everything looked real except the audio.
The meeting link didn’t take the victim to Zoom or Google Meet.
It took the maintainer to a fake video conferencing page built to mimic the look and feel of a legitimate call, but the fake version deliberately broke the audio.
That’s when the page served up a prompt to download a “fix.”
Stage 4—The Double Reassurance: “It’s normal.”
This moment elevated the attack from clever to genuinely scary.
At the exact moment the victim was being prompted to download a malicious script, the attackers in the chat window were actively telling them it was safe—the same people the maintainer had grown to trust over a week.
The technical lure and the human reassurance hit simultaneously. Both the interface and the people the victim now trusted were saying the same thing: download this, it’s fine.
Unfortunately, it wasn’t fine, and we’re still cleaning up the supply chain from aftershocks.
How to avoid more extended social engineering attacks and fake meeting links like the axios compromise
The good news: this attack required two specific actions from the victim, following an unfamiliar meeting link and then downloading and running the “fix” the page offered, and both are preventable. You don’t need to become a paranoid hermit; you need two new instincts.
- Vet the company before you meet. A Slack message from a legitimate-sounding company isn’t the same thing as a legitimate company.
- Check the domain’s age. A WHOIS lookup (many free web front-ends exist) shows when it was registered. A domain registered weeks ago for a company claiming years of history is a red flag; an old registration date on its own proves little, since aged domains can be bought or taken over.
- Look for the company on LinkedIn. Ask yourself: does anyone I trust know these people? Do they post? How long have they been active?
- Check the online footprint of the person talking to you. Can you independently verify anything they’ve told you? Does a reverse image search show their photo on a different person’s profile? Does the profile feel “generated”?
- Treat every meeting link like a phishing link. Calendar invites are the new phishing lures.
- Before you click “Join,” look at the hostname in the URL. Real Zoom meetings are on zoom.us (including subdomains such as yourcompany.zoom.us), real Teams calls on teams.microsoft.com, and real Google Meet calls on meet.google.com. Judge the registered domain at the end of the hostname, not whether a brand name appears somewhere in the link: zoom.us.example.com is not Zoom.
- If the domain looks unfamiliar, generic, or off by a character—don’t click. Send the host a new link that you generated instead.
- No legitimate video platform fixes audio by having you download and run a script. Full stop. The real platforms do offer desktop clients, but from their own domains, never as an “audio fix” pushed by a meeting page. If a meeting site is asking you to download something to make it work, the meeting site is the attack. Close the tab. This is not a gray area.
- If the video call isn’t working, change the medium. Don’t troubleshoot an unfamiliar meeting link.
- Instead, pick up the phone for an old-fashioned voice call, or send a Teams or Zoom link you generated yourself.
- Report early—these attacks depend on time pressure and trust. If something feels off—a strange download prompt, an audio issue that seems engineered, a chat message reassuring you that an unusual action is normal—report it to your security team before you do anything else.
- The attack relies on the target resolving the “problem” quickly and privately. Slowing down and looping in someone else breaks the kill chain.
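The link checks in the list above, turned into a pre-click filter as an added example (not code from the original post): it accepts only hostnames that end in one of three known meeting domains (zoom.us, teams.microsoft.com and meet.google.com, the services the post names) and explains why anything else is rejected. The lookalike heuristics (brand word in the wrong domain, spelling within two edits of a known domain, punycode labels, non-HTTPS) and the sample links are this example's own assumptions, not findings from the report.

```javascript
// Added example (not code from the original post): classify a meeting link
// before anyone clicks it. Known hosts are accepted only on an exact
// label-suffix match; everything else is blocked, with reasons that call out
// brand-name misuse, near-miss spellings, punycode labels and non-HTTPS links.
const KNOWN_MEETING_HOSTS = ["zoom.us", "teams.microsoft.com", "meet.google.com"];
const BRAND_WORDS = ["zoom", "teams", "meet"];

// Levenshtein edit distance; catches "zoorn.us" / "zoom.uz" style lookalikes.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// "us02web.zoom.us" -> "zoom.us". A rough registrable-domain guess that is good
// enough for a pre-click check; it does not consult the public suffix list.
function lastTwoLabels(host) {
  return host.split(".").slice(-2).join(".");
}

// Suffix match on labels: "x.zoom.us" passes, "zoom.us.evil.example" does not.
function isKnownHost(host) {
  return KNOWN_MEETING_HOSTS.some((k) => host === k || host.endsWith("." + k));
}

// Returns { verdict: "ok" | "block", reasons: [...] }.
function checkMeetingLink(link) {
  const reasons = [];
  let url;
  try {
    url = new URL(link);
  } catch {
    return { verdict: "block", reasons: ["not a parseable URL"] };
  }
  const host = url.hostname.toLowerCase();
  if (url.protocol !== "https:") reasons.push(`scheme is ${url.protocol} not https:`);
  if (isKnownHost(host)) {
    return { verdict: reasons.length ? "block" : "ok", reasons };
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("punycode (xn--) label in hostname");
  }
  const base = lastTwoLabels(host);
  for (const known of KNOWN_MEETING_HOSTS) {
    const target = lastTwoLabels(known);
    const d = editDistance(base, target);
    if (d > 0 && d <= 2) reasons.push(`"${base}" is ${d} edit(s) from "${target}"`);
  }
  for (const word of BRAND_WORDS) {
    if (host.includes(word)) reasons.push(`hostname contains "${word}" but domain is "${base}"`);
  }
  if (reasons.length === 0) reasons.push(`unknown meeting host "${host}"`);
  return { verdict: "block", reasons };
}

// Constructed sample links; none are real meetings or known-bad domains.
const SAMPLE_LINKS = [
  "https://us02web.zoom.us/j/123456789",
  "https://teams.microsoft.com/l/meetup-join/abc",
  "https://zoom.us.meeting-fix.example/join",
  "https://zoorn.us/j/123456789",
  "http://zoom.us/j/123456789",
];

for (const link of SAMPLE_LINKS) {
  const { verdict, reasons } = checkMeetingLink(link);
  const detail = reasons.length ? `  [${reasons.join("; ")}]` : "";
  console.log(`${verdict.padEnd(5)} ${link}${detail}`);
}
```

The useful design point is that "block" is the default and "ok" has to be earned by a suffix match on the whole hostname; the lookalike heuristics exist only to make the rejection message educational, so a busy maintainer sees why "zoom.us.meeting-fix.example" is not Zoom. If you deploy something like this as a Slack or calendar hook, keep the allowlist short and maintained rather than widening it every time a new vendor appears.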
To learn more about how social engineering attacks like this one are built, check out Fable Security’s free ebook, “One ish, two ish: How to prevent modern phishing” — no email required.
And feel free to download this free video briefing to share this emerging threat with your employees now, before DPRK reaches out again.

