
North Korea’s hacking of one of the most widely used open source projects on the web may have been weeks in the making

A North Korean cyberattack last Monday briefly hijacked one of the web’s most widely used open-source projects; the operation was weeks in the making and part of a long-running campaign targeting prominent software developers.

The hacking of the Axios project on March 31 succeeded in part because it relied on hackers with the patience to build rapport and trust with their long-term targets, increasing the odds of an eventual compromise. This type of hacking highlights the security challenges developers of popular open-source projects can face, at a time when state-backed and other hackers alike are targeting widely used projects to gain access to, in some cases, millions of devices worldwide.

Jason Saayman, who maintains the popular Axios project, a library developers use to connect their applications to the Internet, published a post-mortem with a timeline of the attack. He said the hackers began their targeting campaign about two weeks before they finally gained control of his computer and executed malicious code.

By pretending to be a real company, creating a realistic-looking Slack workspace and using fake profiles of its employees to build credibility, the suspected North Korean hackers then invited Saayman to a web meeting that prompted him to download malware disguised as an update needed to join the call, he said. Saayman said the lure mimics a technique North Korean hackers use to trick potential victims into giving them remote access to their systems, often to steal their cryptocurrency.

The attack, Saayman said, resembled an earlier North Korean hack documented by Google security researchers.

After gaining remote access to Saayman’s computer, the hackers published malicious updates to the Axios project.

The two malicious Axios packages were available for three hours after they were first published on March 31, and may have infected thousands of systems in that window, although the full scope of the hack is still not entirely clear. Any computer on which a malicious version of the software was installed during that time may have allowed the hackers to steal private keys, credentials and passwords from it, which could lead to further breaches.
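A defender’s first question after a window like this is whether any of their own builds resolved the hijacked versions. The script below is an added example, not code from the article or from the Axios project: it reads an npm lockfile and cross-references each resolved version against the publish timestamps the npm registry exposes in a package’s `time` map, flagging anything published inside a stated incident window. The version numbers, timestamps and window hours are constructed placeholders; the article gives no version numbers and only a roughly three-hour exposure on March 31.

```python
"""Flag locked npm dependencies whose resolved version was published inside an
incident window (for example the few hours a hijacked package was live).

Added example; not code from the Axios project or the article. Version numbers,
timestamps and the window below are constructed placeholders, not the real
affected releases.
"""
import json
from datetime import datetime, timezone

# Constructed sample: a fragment of a package-lock.json (lockfileVersion 3 layout).
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^99.0.0", "left-pad": "^1.3.0"}},
        "node_modules/axios": {"version": "99.0.1"},  # placeholder version
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-lib/node_modules/axios": {"version": "99.0.0"},  # nested copy
    },
})

# Constructed sample of the "time" map from an npm packument
# (GET https://registry.npmjs.org/<name> returns {"time": {version: iso8601, ...}}).
SAMPLE_REGISTRY_TIMES = {
    "axios": {
        "99.0.0": "2026-03-01T09:00:00.000Z",  # placeholder: well before the window
        "99.0.1": "2026-03-31T15:30:00.000Z",  # placeholder: inside the window
        "99.0.2": "2026-03-31T19:00:00.000Z",  # placeholder: after the window
    },
    "left-pad": {"1.3.0": "2018-04-06T19:35:56.000Z"},
}

# Constructed incident window; the article gives only the date and a roughly
# three-hour exposure, so these hours are an assumption for the example.
WINDOW_START = "2026-03-31T14:00:00Z"
WINDOW_END = "2026-03-31T17:00:00Z"


def parse_time(iso: str) -> datetime:
    """Parse npm's ISO-8601 timestamps (trailing "Z") into aware UTC datetimes."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)


def installed_versions(lockfile_text: str) -> list[tuple[str, str]]:
    """Return (package name, resolved version) pairs from a package-lock.json.

    Handles the lockfileVersion 2/3 "packages" map (keys are install paths, so
    the package name is whatever follows the last "node_modules/") and falls
    back to the lockfileVersion 1 nested "dependencies" tree.
    """
    lock = json.loads(lockfile_text)
    found = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            # "" is the root project; paths without node_modules/ are local workspaces
            if not path or "node_modules/" not in path or "version" not in meta:
                continue
            found.append((path.rsplit("node_modules/", 1)[1], meta["version"]))
        return found

    def walk(deps):
        for name, meta in deps.items():
            found.append((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def flag_window_installs(lockfile_text, registry_times, window_start, window_end):
    """Cross-reference locked versions with registry publish times.

    Returns {"flagged": [(name, version, published_iso)], "unknown": [(name, version)]}.
    A version absent from the registry data is reported as unknown rather than
    silently treated as safe.
    """
    start, end = parse_time(window_start), parse_time(window_end)
    flagged, unknown = [], []
    for name, version in installed_versions(lockfile_text):
        published = registry_times.get(name, {}).get(version)
        if published is None:
            unknown.append((name, version))
            continue
        if start <= parse_time(published) <= end:
            flagged.append((name, version, published))
    return {"flagged": flagged, "unknown": unknown}


if __name__ == "__main__":
    report = flag_window_installs(SAMPLE_LOCKFILE, SAMPLE_REGISTRY_TIMES, WINDOW_START, WINDOW_END)
    for name, version, published in report["flagged"]:
        print(f"REVIEW: {name}@{version} published {published} inside the incident window")
    for name, version in report["unknown"]:
        print(f"UNKNOWN: {name}@{version} has no publish time in the registry data")
```

Run against a real lockfile, the `time` map would come from the registry rather than the inline sample, and a flagged entry is a signal to rotate whatever credentials that build host could reach, not proof of compromise on its own; the nested copy in the sample shows why every install path in the lockfile, not just top-level dependencies, has to be checked.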

Saayman did not immediately respond to an email with questions about the incident.

North Korean hackers remain one of the most active cyber threats on the Internet today, suspected of stealing at least two billion dollars in cryptocurrencies in 2025 alone.

Kim Jong Un’s regime remains under international sanctions and is cut off from the global financial system over its prohibited nuclear weapons development program, which the country has funded primarily by launching cyberattacks and stealing cryptocurrency.

North Korea is believed to have thousands of highly organized hackers, many of whom operate against their will under the repressive Kim regime. These hackers spend weeks or months crafting sophisticated social engineering attacks aimed at gaining trust, and ultimately access, in order to steal cryptocurrency and data and defraud their victims.
