UNC1069 open-source maintainer social-engineering campaign
Campaign
Summary
Hide ▲
Show ▼
UNC1069's coordinated social-engineering campaign against Node.js and npm maintainers has widened, with multiple developers reporting the same lure pattern and the potential to compromise widely used packages. The attackers used LinkedIn, Slack, and fake Microsoft Teams errors to build trust, move targets into staged workspaces, and trick them into installing updates or running commands. The campaign matters because successful credential theft can let attackers seed malicious releases into projects with billions of weekly downloads and trigger downstream supply-chain compromise.
Related Happenings
Mastra @mastra/* npm packages hit by network compromise
Incident
H score47
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
**Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Mastra @mastra/* npm packages hit by network compromise
IncidentAbout this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Latest development: 20.06.2026 17:09
Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.
Contagious Interview UNK_DeadDrop GitHub phishing campaign
Campaign
H score37
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
CampaignAbout this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Microsoft hit by cyberattack
Incident
H score68
First: 09.06.2026 18:42
Last: 09.06.2026 18:42
Sources 1
About this happening:
A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...
Microsoft hit by cyberattack
IncidentAbout this happening: A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...
Miasma self-replicating supply chain attack campaign targeting open-source repositories
Campaign
H score83
First: 06.06.2026 09:58
Last: 06.06.2026 09:58
Sources 1
About this happening:
The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...
Miasma self-replicating supply chain attack campaign targeting open-source repositories
CampaignAbout this happening: The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...
Hola Browser hit by network compromise
Incident
H score15
First: 05.06.2026 00:27
Last: 05.06.2026 00:27
Sources 1
About this happening:
The **Windows version of Hola Browser** suffered a **supply chain compromise** that pushed an undeclared **cryptocurrency miner**, exposing some users to unwanted code execution a...
Hola Browser hit by network compromise
IncidentAbout this happening: The **Windows version of Hola Browser** suffered a **supply chain compromise** that pushed an undeclared **cryptocurrency miner**, exposing some users to unwanted code execution a...
Timeline
-
06.04.2026 23:55 1 articles · 3mo ago
UNC1069 widens social engineering campaign against open-source maintainers
Campaign Scope UpdateSecurity researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.
Show sources
- Axios Attack Shows Social Complex Engineering Is Industrialized — www.darkreading.com — 06.04.2026 23:55
-
04.04.2026 23:30 1 articles · 3mo ago
Axios maintainer compromise disclosed with UNC1069 attribution
Initial DisclosureA targeted social engineering campaign compromised an Axios maintainer account, used a fake Microsoft Teams update to install RAT malware and steal npm credentials, and pushed malicious Axios 1.14.1 and 0.30.4 releases that injected plain-crypto-js on macOS, Windows, and Linux; the malicious versions stayed available for roughly three hours before removal, the Axios maintainers wiped affected systems and reset credentials, and Google later linked the activity to UNC1069 using WAVESHAPER.V2 and infrastructure overlaps.
Show sources
- Axios npm hack used fake Teams error fix to hijack maintainer account — www.bleepingcomputer.com — 04.04.2026 23:30