A cyberattack from North Korea that briefly took over a major open source web project last Monday was the culmination of a prolonged effort aimed at the project's top developers.
The takeover of the Axios project on March 31 succeeded, partly due to the hackers’ extensive efforts to build trust with their target over time, improving their chances of a successful breach. This situation underscores the security risks faced by developers of popular open source projects, which are increasingly targeted by government hackers and cybercriminals because of their potential reach to millions of devices worldwide.
Jason Saayman, who oversees the Axios project used by developers to connect apps to the internet, detailed a timeline of the hack in a post-mortem. He explained that the attackers started their campaign about two weeks before seizing control of his computer to insert malicious code.
By pretending to be a legitimate company with a convincing Slack workspace and fake employee profiles, the North Korean hackers invited Saayman to a web meeting, deceiving him into downloading malware disguised as a necessary update. Saayman noted that this tactic mirrored a known method used by North Korean hackers to gain remote system access and often steal cryptocurrency.
This attack, according to Saayman, was similar to previous intrusions linked to North Korea by Google’s security researchers.
Once they had remote access to Saayman’s computer, the hackers issued malicious updates to the Axios project.
Although the two harmful Axios packages were removed about three hours after their publication on March 31, they may still have reached thousands of systems in that window. Any computer that installed the tainted version could have exposed its private keys, credentials, and passwords, opening the door to further compromises.
Saayman did not respond immediately to questions about the incident sent via email.
North Korean hackers remain a significant online threat, responsible for stealing at least $2 billion in cryptocurrency in 2025 alone.
The regime of Kim Jong Un is under international sanctions and barred from the global financial system over violations tied to its nuclear weapons program, and it funds a substantial part of its activities through cyberattacks and cryptocurrency theft.
North Korea reportedly has thousands of highly organized hackers, most of whom operate under duress from the Kim regime. These hackers spend extensive time on complex social engineering attacks, aiming to build trust and eventually gain access so they can steal currency and data and extort their victims.
