North Korea suspected in weeks-long hijack of major open-source project

A major open-source project was reportedly hijacked in a cyberattack linked to North Korea, raising serious concerns over software supply chain security.

Apr 7, 2026 - 10:02

A cyberattack believed to be linked to North Korea temporarily took control of one of the most widely used open-source projects on the internet last Monday, following a carefully planned campaign that unfolded over several weeks and specifically targeted the project’s key maintainer.

The compromise of the Axios project on March 31 was made possible by a methodical approach in which well-resourced attackers gradually built rapport and credibility with their target, improving their odds of a successful breach. The incident highlights the growing security challenges faced by maintainers of widely adopted open-source software, particularly as state-backed hackers and cybercriminal groups increasingly target projects deeply embedded in global applications and systems.

Jason Saayman, who maintains the Axios project, an HTTP client library that developers rely on to make web requests from their applications, later shared a detailed timeline of the attack. According to his account, the hackers began their efforts roughly two weeks before they ultimately gained access to his computer and used that access to distribute malicious code.

The attackers reportedly posed as a legitimate company, going so far as to set up a convincing Slack workspace and create fake employee profiles to establish authenticity. Through this setup, Saayman was invited to join a web meeting. While joining, he was prompted to download what appeared to be a required update to access the meeting. In reality, the file contained malware.

Saayman explained that the tactic closely resembled known techniques used by North Korean cyber groups, which often involve tricking targets into installing malicious software that grants attackers remote access. These methods are commonly used in operations aimed at stealing cryptocurrency and sensitive data.

Security researchers, including those at Google, have previously linked similar attack patterns to North Korean hacking groups. Saayman noted that this incident followed those same established patterns.

After gaining control of his system, the attackers pushed malicious updates to the Axios project. These compromised versions of the software were available for approximately three hours before being identified and removed on March 31.

Although the malicious packages were quickly taken down, they may have already been downloaded and installed on thousands of systems during that short window. Any system that installed the affected versions could have been exposed to credential theft, including private keys, login details, and passwords, potentially enabling further compromises.
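The practical question for anyone who ran `npm install` during that three-hour window is whether a lockfile or an installed tree contains one of the affected releases, including copies nested under other dependencies. The script below is an added example, not code from the article or from the Axios project: it walks an npm `package-lock.json` (lockfileVersion 2/3 `packages` map, with a fallback for the older v1 `dependencies` tree), lists every `axios` entry, and flags those whose version is on an affected list. The article does not name the affected version numbers, so the sample lockfile and the `AFFECTED_VERSIONS` list are constructed placeholders that must be replaced with the versions named in the project's or npm's advisory.

```javascript
// Added example: audit an npm lockfile for axios releases on an affected list.
// The lockfile content and the affected-version list are CONSTRUCTED
// placeholders; real values come from the published advisory, not this script.

// Walk a lockfileVersion 2/3 "packages" map and return every axios entry,
// including nested copies such as node_modules/some-lib/node_modules/axios.
function findAxiosEntries(lockfile) {
  const results = [];
  const packages = lockfile.packages || {};
  for (const [path, meta] of Object.entries(packages)) {
    // The root project is keyed as ""; axios copies end in "node_modules/axios".
    if (path === "node_modules/axios" || path.endsWith("/node_modules/axios")) {
      results.push(entry(path, meta));
    }
  }
  // Older lockfiles (v1) nest a "dependencies" tree instead of a flat map.
  if (results.length === 0 && lockfile.dependencies) {
    walkV1(lockfile.dependencies, "node_modules", results);
  }
  return results;
}

function entry(path, meta) {
  return {
    path,
    version: meta.version,
    resolved: meta.resolved || null,
    integrity: meta.integrity || null,
  };
}

function walkV1(deps, prefix, out) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    if (name === "axios") out.push(entry(path, meta));
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/node_modules`, out);
  }
}

// Return the entries whose version appears on the affected list.
function flagAffected(entries, affectedVersions) {
  const bad = new Set(affectedVersions);
  return entries.filter((e) => bad.has(e.version));
}

// Secondary check: a lockfile whose integrity hash for a version differs from
// the hash you recorded for that version elsewhere (CI cache, another branch)
// points at lockfile tampering and also warrants investigation.
function integrityMismatches(entries, knownGoodByVersion) {
  return entries.filter(
    (e) =>
      e.integrity &&
      knownGoodByVersion[e.version] &&
      knownGoodByVersion[e.version] !== e.integrity
  );
}

function auditLockfile(lockfile, affectedVersions) {
  const entries = findAxiosEntries(lockfile);
  return { entries, affected: flagAffected(entries, affectedVersions) };
}

// Constructed sample lockfile (v3 layout) with a top-level and a nested axios.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/axios": {
      version: "0.0.0-placeholder-bad",
      resolved: "https://registry.example/axios-0.0.0-placeholder-bad.tgz",
      integrity: "sha512-PLACEHOLDER_BAD",
    },
    "node_modules/some-lib": { version: "2.1.0" },
    "node_modules/some-lib/node_modules/axios": {
      version: "0.0.0-placeholder-good",
      resolved: "https://registry.example/axios-0.0.0-placeholder-good.tgz",
      integrity: "sha512-PLACEHOLDER_GOOD",
    },
  },
};

// Placeholder: replace with the versions named in the real advisory.
const AFFECTED_VERSIONS = ["0.0.0-placeholder-bad"];

const report = auditLockfile(SAMPLE_LOCKFILE, AFFECTED_VERSIONS);
for (const e of report.entries) {
  const status = report.affected.includes(e) ? "AFFECTED" : "ok";
  console.log(`${status.padEnd(8)} ${e.path} @ ${e.version}`);
}
```

For a real tree, load the lockfile with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and run the audit on every lockfile in the repository, not only the root one; a nested copy pulled in by another dependency is just as exposed as a direct one. Rotate any credentials that were present on a host that installed an affected version, since the article notes the payload targeted keys, logins and passwords.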

Saayman did not immediately respond to follow-up inquiries regarding additional details of the breach.

North Korean hacking groups continue to rank among the most active cyber threats globally. They have been linked to large-scale cybercrime operations, including the theft of at least $2 billion in cryptocurrency in 2025 alone.

The government led by Kim Jong Un remains under international sanctions and is largely cut off from the global financial system due to its nuclear weapons program. As a result, cyber operations, including cryptocurrency theft, have become a significant source of funding.

Experts believe that North Korea operates a large network of highly organised hackers, many of whom are reportedly compelled to work under strict state control. These groups often spend extended periods conducting sophisticated social engineering campaigns, building trust with targets over weeks or months before launching attacks to steal data, cryptocurrency, and other valuable assets.

Shivangi Yadav reports on startups, technology policy, and other significant technology-focused developments in India for TechAmerica.Ai. She previously worked as a research intern at ORF.