Tuesday, April 7, 2026

North Korean Hackers Staged Weeks-Long Operation to Poison Popular Axios Open Source Library

On March 31, North Korean state-sponsored hackers hijacked the widely used Axios open source project after a two-week social engineering campaign against its maintainer. The attack exposed thousands of systems to credential theft before the malicious packages were pulled.

Business · By Catherine Chen · 3 min read

Last updated: April 7, 2026, 7:34 PM


On March 31, North Korean state-sponsored hackers executed a sophisticated supply chain attack against the Axios open source library, compromising the widely used JavaScript library after a meticulously planned two-week social engineering campaign targeting its lead maintainer, Jason Saayman. The incident underscores the escalating threat posed by North Korea’s cyber operations—not only to cryptocurrency firms but to the global digital infrastructure that underpins millions of applications, websites, and services. By hijacking a project downloaded over 22 million times weekly, the hackers demonstrated how malicious actors can weaponize trust in open source ecosystems, a cornerstone of modern software development.

  • North Korean hackers compromised the Axios library on March 31 after a two-week social engineering campaign against maintainer Jason Saayman.
  • The attackers used fake company profiles, a bogus Slack workspace, and a malware-laced meeting invite to gain remote access to Saayman’s computer.
  • Two malicious Axios packages were published and may have infected thousands of systems before being removed within three hours.
  • The attack follows a broader trend of state-backed groups targeting open source projects to distribute malware or steal cryptocurrency and sensitive data.
  • Experts warn this incident highlights systemic vulnerabilities in the software supply chain, where a single compromised package can cascade across global infrastructure.

How a Two-Week Trust Campaign Enabled a Supply Chain Hijack

The North Korean operation began not with code, but with a carefully orchestrated infiltration of trust. According to Jason Saayman’s postmortem analysis, hackers initiated contact with him around March 17, 2025, posing as representatives of a legitimate software company. Over the course of two weeks, they cultivated a facade of professionalism, creating a fake Slack workspace and populating it with convincingly detailed profiles of employees—some of whom appeared to have social media and GitHub presences—all designed to mirror a real tech firm. Security researchers have linked the tactics to known North Korean cyber units, particularly those operating under the Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence agency.

The culmination of this campaign came on March 31, when the hackers invited Saayman to a ‘critical project review meeting’ via a Zoom-like platform. During the session, Saayman was prompted to download what appeared to be an essential software update—actually a remote access trojan disguised as a meeting client plug-in. Once installed, the malware granted the attackers full control over Saayman’s development environment. Within minutes, they pushed malicious updates to the Axios package, embedding backdoors that could exfiltrate sensitive data, including private keys, credentials, and API tokens.

Why Open Source Projects Are Prime Targets for State Hackers

Open source software has become the backbone of the digital economy, powering everything from cloud infrastructure to mobile apps. The Axios library alone, a lightweight HTTP client for JavaScript, is downloaded approximately 22 million times per week and integrated into countless applications, including those used by major corporations and government agencies. This ubiquity makes open source repositories irresistible targets for cybercriminals and state actors alike. According to a 2024 report by the Open Source Security Foundation (OpenSSF), supply chain attacks targeting open source software increased by 634% between 2020 and 2024, with North Korea accounting for a significant portion of these incidents.

Unlike traditional malware campaigns that rely on phishing emails or exploit kits, supply chain attacks compromise the software itself—distributing malicious code through trusted channels. When developers pull a package like Axios, they unknowingly inherit any embedded malicious payloads. In this case, the North Korean hackers leveraged the compromised package to steal cryptographic secrets, which could then be used to access wallets, databases, or corporate networks. This method is particularly effective because it bypasses traditional defenses focused on endpoint security, instead attacking the very foundation of software trust.

North Korea’s Cyber Army: A Billion-Dollar Threat Operating in the Shadows

North Korea’s cyber operations are not the work of rogue hackers but a highly organized, state-directed apparatus designed to evade international sanctions and fund the regime’s nuclear and missile programs. According to the United Nations Panel of Experts on North Korea, Pyongyang’s cybercrime network generated at least $2 billion in stolen cryptocurrency in 2024 alone—a figure that analysts believe will rise in 2025. These funds are laundered through front companies, mixers, and cryptocurrency exchanges in Southeast Asia and Eastern Europe, then funneled back into the regime’s weapons development and military modernization efforts.

The hacking teams, often referred to collectively as the ‘Lazarus Group’ by cybersecurity firms like Mandiant and Google’s Threat Analysis Group, operate under the auspices of the Reconnaissance General Bureau (RGB). Estimates suggest that North Korea employs between 5,000 and 7,000 cyber operatives, many of whom are conscripted from elite universities and trained at state-run cyber academies. These operatives are not volunteers; reports from defectors and human rights organizations indicate that many are coerced into service and face severe punishment for failure or defection. Their missions range from cryptocurrency theft to espionage against South Korea, the United States, and allied nations.

From Phishing to Supply Chain: The Evolution of North Korean Cyber Tactics

The Axios attack represents a maturation of North Korea’s cyber strategy, shifting from opportunistic ransomware and phishing campaigns to highly targeted, long-term operations. Early North Korean cyberattacks, such as the 2014 Sony Pictures hack, were loud and destructive, designed to send political messages. More recent campaigns, however, have become stealthier and more patient. In 2023, Google’s Threat Analysis Group reported that North Korean hackers had spent months infiltrating South Korean software companies, embedding malware in legitimate updates before pivoting to cryptocurrency theft.

The Axios operation mirrors tactics observed in earlier incidents, such as the 2022 compromise of the 3CX VoIP software supply chain, which was also attributed to North Korea. In both cases, attackers spent weeks or months building trust with targets, using realistic personas and fake workspaces to lower defenses. Security researchers at Palo Alto Networks’ Unit 42 have noted that these campaigns often begin with reconnaissance on LinkedIn, GitHub, or other professional platforms, where hackers identify potential victims based on their roles in open source projects or cryptocurrency infrastructure.

‘This is not a one-off incident—it’s part of a broader shift in how nation-state actors engage with the software supply chain. Open source maintainers are now on the front lines of geopolitical conflict. The Axios attack wasn’t just about stealing code; it was about stealing trust.’ — Jason Saayman, maintainer of the Axios library

The Human Cost: What the Axios Hack Means for Developers and Users

For Jason Saayman, the emotional and professional toll of the attack has been profound. In a public postmortem shared days after the incident, he described the violation of trust—not just as a developer, but as a guardian of a tool used by millions. ‘I wake up every day wondering if someone else’s system is compromised because of something I helped build,’ Saayman wrote. His experience reflects a growing crisis in the open source community, where maintainers of popular projects are increasingly targeted not just for their code, but for the access it grants to downstream systems.

The broader implications are equally concerning. According to Sonatype’s 2025 State of the Software Supply Chain report, 68% of organizations experienced a supply chain attack in the past 12 months, with open source components serving as the primary attack vector in 42% of cases. The Axios incident demonstrates how a single compromised package can cascade through global infrastructure. For example, if a malicious Axios version had been integrated into a banking application or a government portal, the consequences could have extended far beyond cryptocurrency theft—potentially enabling espionage, data breaches, or sabotage.

Defending the Digital Commons: Can Open Source Survive the Age of State-Sponsored Attacks?

In the wake of the Axios attack, the open source community and cybersecurity experts are grappling with a fundamental question: How can the digital commons—built on principles of transparency and collaboration—be protected in an era where trust is weaponized? The answer lies in a combination of technical safeguards, organizational reforms, and international cooperation. Projects like the Open Source Security Foundation (OpenSSF) have proposed solutions such as mandatory code signing, enhanced package verification, and the establishment of a ‘digital immune system’ for critical open source components.

Some industry leaders are calling for stricter vetting of contributors, particularly for maintainers of high-impact projects like Axios. Others advocate for decentralized governance models, where decision-making authority is distributed among multiple maintainers to reduce the risk of single points of failure. The Linux Foundation’s OpenSSF Scorecard, for instance, now evaluates open source projects based on their security practices, including whether they enforce multi-factor authentication for maintainers or conduct regular dependency audits.

Government and Industry Responses to Rising Threats

Governments are also taking notice. In March 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a binding operational directive requiring federal agencies to inventory and monitor all open source dependencies in their software supply chains. The directive, part of the Biden administration’s broader push to strengthen software supply chain security, mandates the use of software bills of materials (SBOMs) and continuous vulnerability scanning. Similar measures are being adopted in the European Union and Japan, reflecting a global consensus on the need for stricter oversight.

Private sector responses have been equally swift. GitHub, the world’s largest code hosting platform, announced in April 2025 that it would integrate AI-driven anomaly detection into its package registry, flagging suspicious uploads or behavior patterns that resemble known supply chain attack tactics. Meanwhile, companies like Google and Microsoft have increased funding for open source security initiatives, including the $10 million OpenSSF Alpha-Omega project, which aims to identify and remediate vulnerabilities in critical open source projects.

What Comes Next: The Future of Open Source Security

The Axios attack may be over, but the implications will reverberate for years. As state-sponsored hackers continue to refine their tactics, the open source community faces a stark choice: adapt or risk becoming an unwitting accomplice in cyber warfare. For maintainers like Jason Saayman, the path forward involves not just technical hardening but a cultural shift—one where transparency is balanced with vigilance, and trust is earned, not assumed.

Yet the challenge extends beyond individual projects. The global software supply chain is a complex, interconnected web, and no single organization or government can secure it alone. Solving this crisis will require collaboration across borders, industries, and disciplines—from diplomats negotiating cyber norms to developers writing more secure code, and from regulators enforcing accountability to end users demanding safer software. The Axios incident is a warning, but it is also an opportunity to build a more resilient digital future.

Key Takeaways

  • North Korea’s March 31 hijack of the Axios open source library was the result of a two-week social engineering campaign targeting maintainer Jason Saayman, culminating in the distribution of malicious packages.
  • The attack highlights the vulnerability of the global software supply chain, where a single compromised package can expose millions of systems to data theft and espionage.
  • State-sponsored actors, particularly North Korea’s Reconnaissance General Bureau, are increasingly targeting open source projects to steal cryptocurrency, credentials, and sensitive data.
  • The open source community and governments are responding with technical safeguards like code signing, SBOMs, and AI-driven anomaly detection, but systemic change remains a work in progress.
  • The incident underscores the urgent need for a collaborative, multi-stakeholder approach to securing the digital commons in an era of escalating cyber threats.

Frequently Asked Questions

How did North Korean hackers gain access to the Axios project?
The hackers spent two weeks building trust with Axios maintainer Jason Saayman by posing as employees of a legitimate software company, creating a fake Slack workspace, and luring him into downloading malware disguised as a meeting client update. Once installed, the malware granted remote access to his system.
How many systems were affected by the malicious Axios packages?
The exact number of infected systems is not yet known, but the malicious packages were downloaded and potentially executed by thousands of users within the three-hour window before they were pulled from the repository.
What is North Korea’s motivation for targeting open source projects?
North Korea uses cyberattacks, including supply chain compromises, to steal cryptocurrency and sensitive data to fund its nuclear and missile programs, which are subject to international sanctions. The regime relies on these illegal funds to circumvent financial restrictions.
Catherine Chen

Financial Correspondent

Catherine Chen covers finance, Wall Street, and the global economy with a focus on business strategy. A former financial analyst turned journalist, she translates complex economic data into clear, actionable reporting. Her coverage spans Federal Reserve policy, cryptocurrency markets, and international trade.
