A cyberattack in North Korea that last Monday briefly seized one of the most widely used open source projects on the Web took weeks to carry out as part of a long-running campaign to target the code’s top developers.
The Axios project hack on March 31 was successful in part because it relied on well-equipped hackers building relationships and trust with their intended target over a long period of time to increase their chances of a successful final compromise. This kind of hack highlights the security challenges developers of popular open source projects can face as government hackers and cybercriminals target widely used projects for their ability to access, in some cases, millions of devices worldwide.
Jason Saayman, who maintains the popular Axios project that developers use to connect their applications to the Internet, provided a necropsy with a timeline of the hack. He shared that the hackers began their targeting campaign about two weeks before they finally gained control of his computer to push the malicious code.
Posing as a real company, creating a realistic Slack workspace and using fake profiles of its employees to build credibility, Saayman he said The suspected North Korean hackers then invited him to an online meeting that prompted him to download malware disguised as an update necessary to access the call. Saayman said the lure mimics a technique used by North Korean hackers to trick would-be victims into giving hackers remote access to their system, often to steal their cryptocurrency.
This attack, Saayman said, mimicked earlier hacks attributed to North Korea by Google security researchers.
After compromising and gaining remote access to Saayman’s computer, the hackers then released the malicious updates to the Axios project.
The two Axios malicious packages, pulled about three hours after they were first published on March 31, may still have infected thousands of systems during that window, though the full scope of the massive intrusion is not yet fully clear. Any computer that installed a malicious version of the software during this time may have allowed hackers to steal private keys, credentials, and passwords from that computer, which could lead to further breaches.
Saayman did not immediately respond to an email with questions about the incident.
North Korean hackers remain one of the most active cyber threats on the internet today, accused of stealing at least $2 billion in cryptocurrencies in 2025 alone.
The Kim Jong Un regime remains under international sanctions and is banned from the global financial network for violating a ban on its nuclear weapons development program, which the country largely finances by launching cyber attacks and stealing cryptocurrencies.
North Korea is believed to be in the thousands of highly organized hackers — the majority of whom work against their will under the repressive Kim regime. These hackers spend weeks or months performing complex social engineering attacks with the goal of gaining trust and ultimately access to steal cryptocurrency and data to blackmail their victims.
