A North Korean cyberattack that last Monday briefly hijacked one of the most widely used open source projects on the web took weeks to carry out as part of a long-running campaign to target the code’s top developers.
The hijacking of the Axios project on March 31 was in part successful because it relied on well-resourced hackers building rapport and trust with their intended target over a long period of time to increase their odds of a successful eventual compromise. This kind of hack highlights the security challenges that developers of popular open source projects can face, at a time when government hackers and cybercriminals alike are targeting widely used projects for their ability to access, in some cases, millions of devices worldwide.
Jason Saayman, who maintains the popular Axios project that developers use to connect their apps to the internet, provided a postmortem with a timeline of the hack. He shared that the hackers began their targeting campaign around two weeks before eventually gaining control of his computer to push out malicious code.
By posing as a real company, creating a realistic-looking Slack workspace, and using fake profiles of its employees to build credibility, Saayman said the suspected North Korean hackers then invited him into a web meeting that prompted him to download malware masquerading as an update necessary to access the call. Saayman said the lure mimicked a technique used by North Korean hackers that tricks would-be victims into granting the hackers remote access to their system, often to steal their cryptocurrency.
This attack, Saayman said, mimicked earlier hacks attributed to North Korea by security researchers at Google.
After compromising and gaining remote access to Saayman’s computer, the hackers then released the malicious updates to the Axios project.
The two malicious Axios packages, pulled some three hours after they were first published on March 31, may have still infected thousands of systems during that window, though the full breadth of the mass hack is not yet fully clear. Any computer that installed a malicious version of the software during this time may have allowed the hackers to steal their private keys, credentials, and passwords from that computer, which can lead to further breaches.
Saayman did not immediately respond to an email with questions about the incident.
North Korean hackers remain one of the most active cyber threats on the internet today, blamed for the theft of at least $2 billion in cryptocurrency in 2025 alone.
The Kim Jong Un regime remains under international sanctions and banned from the global financial network for violating a ban on its nuclear weapons development program, which the country funds in large part by launching cyberattacks and stealing cryptocurrency.
North Korea is believed to have thousands of highly organized hackers — the majority of whom are working against their will under the repressive Kim regime. These hackers spend weeks or months carrying out complex social engineering attacks aimed at gaining trust and eventually access to steal cryptocurrency and data to extort their victims.