The Axios supply chain attack used individually targeted social engineering

3rd April 2026

The Axios team have published a full postmortem on the supply chain attack which resulted in a malware dependency going out in a release the other day, and it involved a sophisticated social engineering campaign targeting one of their maintainers directly.
Here’s Jason Saayman’s description of how that worked:

So the attack vector mimics what Google has documented here: https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering

They tailored this process specifically to me by doing the following:

- They reached out masquerading as the founder of a company. They had cloned the company founder’s likeness as well as the company itself.
- They then invited me to a real Slack workspace. This workspace was branded to the company’s ci and named in a plausible manner. The Slack was thought out very well; they had channels where they were sharing LinkedIn posts. The LinkedIn posts I presume just went to the real company’s account, but it was super convincing etc. They even had what I presume were fake profiles of the team of the company but also a number of other OSS maintainers.
- They scheduled a meeting with me to connect. The meeting was on MS Teams. The meeting had what seemed to be a group of people that were involved.
- The meeting said something on my system was out of date. I installed the missing item as I presumed it was something to do with Teams, and this was the RAT.
- Everything was extremely well co-ordinated, looked legit and was done in a professional manner.

A RAT is a Remote Access Trojan: this was the software which stole the developer’s credentials, which could then be used to publish the malicious package. That’s a very effective scam.
I join a lot of meetings where I find myself needing to install Webex or Microsoft Teams or similar at the last moment, and the time constraint means I always click “yes” to things as quickly as possible to make sure I don’t join late. Every maintainer of open source software used by enough people to be worth targeting in this way needs to be familiar with this attack strategy.