Find notable cyber news and cases, enriched with sources, timelines, and signals.

UNC1069 open-source maintainer social-engineering campaign

Campaign
First reported
Last updated
Happening score
H score 38
2 unique sources, 2 articles

Summary

Hide ▲

UNC1069's coordinated social-engineering campaign against Node.js and npm maintainers has widened, with multiple developers reporting the same lure pattern and the potential to compromise widely used packages. The attackers used LinkedIn, Slack, and fake Microsoft Teams errors to build trust, move targets into staged workspaces, and trick them into installing updates or running commands. The campaign matters because successful credential theft can let attackers seed malicious releases into projects with billions of weekly downloads and trigger downstream supply-chain compromise.

Related Happenings

Mastra @mastra/* npm packages hit by network compromise

Incident
H score47 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

Contagious Interview UNK_DeadDrop GitHub phishing campaign

Campaign
H score37 First: 15.06.2026 22:32 Last: 15.06.2026 22:32 Sources 1

About this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...

Microsoft hit by cyberattack

Incident
H score68 First: 09.06.2026 18:42 Last: 09.06.2026 18:42 Sources 1

About this happening: A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...

Miasma self-replicating supply chain attack campaign targeting open-source repositories

Campaign
H score83 First: 06.06.2026 09:58 Last: 06.06.2026 09:58 Sources 1

About this happening: The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...

Hola Browser hit by network compromise

Incident
H score15 First: 05.06.2026 00:27 Last: 05.06.2026 00:27 Sources 1

About this happening: The **Windows version of Hola Browser** suffered a **supply chain compromise** that pushed an undeclared **cryptocurrency miner**, exposing some users to unwanted code execution a...

Timeline

  1. 06.04.2026 23:55 1 articles · 3mo ago

    UNC1069 widens social engineering campaign against open-source maintainers

    Campaign Scope Update

    Security researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.

    Show sources
  2. 04.04.2026 23:30 1 articles · 3mo ago

    Axios maintainer compromise disclosed with UNC1069 attribution

    Initial Disclosure

    A targeted social engineering campaign compromised an Axios maintainer account, used a fake Microsoft Teams update to install RAT malware and steal npm credentials, and pushed malicious Axios 1.14.1 and 0.30.4 releases that injected plain-crypto-js on macOS, Windows, and Linux; the malicious versions stayed available for roughly three hours before removal, the Axios maintainers wiped affected systems and reset credentials, and Google later linked the activity to UNC1069 using WAVESHAPER.V2 and infrastructure overlaps.

    Show sources