North Korea-Linked Operators Launch Sophisticated Social Engineering Campaign Against Top NPM Package Maintainers

Summary

A coordinated social engineering campaign attributed to UNC1069, a North Korea-nexus financially motivated threat actor, is systematically targeting maintainers of the most widely used npm packages, including Fastify, Lodash, buffer, dotenv, Express, and mocha. The attackers employ an elaborate multi-stage playbook that impersonates legitimate companies through fake Slack workspaces, LinkedIn messages, and podcast booking invitations, with carefully timed interactions designed to evade phishing detection heuristics. The campaign culminates in a fake video meeting where victims are prompted to either click malicious links or paste terminal commands, resulting in the installation of a remote access trojan (RAT) that can exfiltrate npm authentication tokens, AWS credentials, browser sessions, and keychain contents.

At least ten high-impact maintainers have confirmed they were targeted by the same operators, including Socket CEO Feross Aboukhadijeh, Fastify lead maintainer Matteo Collina, Lodash creator John-David Dalton, and dotenv creator Scott Motte. The packages these developers maintain collectively see billions of downloads per month from the npm registry, which processes trillions of downloads annually. The attackers' ultimate objective is to gain write access to the npm registry itself, which would enable them to publish malicious packages to the entire JavaScript ecosystem. Once a RAT is installed on a developer's machine, two-factor authentication becomes irrelevant, as the attacker can directly access post-authentication session state and npm authentication tokens.

• At least ten prominent maintainers of packages with billions of monthly downloads have been targeted, representing an existential threat to the security of the entire JavaScript ecosystem