UNC1069 open-source maintainer social-engineering campaign

Campaign
First reported
Last updated
Happening score (H score): 41
2 unique sources, 2 articles

Summary

UNC1069's coordinated social-engineering campaign against Node.js and npm maintainers has widened, with multiple developers reporting the same lure pattern and the potential to compromise widely used packages. The attackers used LinkedIn, Slack, and fake Microsoft Teams errors to build trust, move targets into staged workspaces, and trick them into installing updates or running commands. The campaign matters because successful credential theft can let attackers seed malicious releases into projects with billions of weekly downloads and trigger downstream supply-chain compromise.

Related Happenings

TeamPCP supply-chain ecosystem shift and extortion partnerships

Threat Actor Meta
First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: **TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...

TeamPCP opens its offensive framework to copycat supply-chain attackers

Threat Actor Meta
First: 19.05.2026 07:54 Last: 19.05.2026 07:54 Sources 1

About this happening: **TeamPCP** has started distributing its **offensive framework source code**, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt....

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Inactive maintainer account 'atiertant' hit by network compromise

Incident
First: 15.05.2026 20:10 Last: 15.05.2026 20:10 Sources 1

About this happening: The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...

TeamPCP campaign expands across multiple victims

Campaign
First: 15.05.2026 13:54 Last: 15.05.2026 13:54 Sources 1

About this happening: The **TeamPCP / Mini Shai-Hulud** supply-chain operation is actively compromising **hundreds of packages**, exposing **downstream developers** to **malware delivery** and **creden...

Timeline

  1. 06.04.2026 23:55 1 article · 1mo ago

    UNC1069 widens social engineering campaign against open-source maintainers

    Campaign Scope Update

    Security researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.
  2. 04.04.2026 23:30 1 article · 1mo ago

    Axios maintainer compromise disclosed with UNC1069 attribution

    Initial Disclosure

    A targeted social engineering campaign compromised an Axios maintainer account. The attackers used a fake Microsoft Teams update to install RAT malware and steal npm credentials, then pushed malicious Axios 1.14.1 and 0.30.4 releases that injected plain-crypto-js on macOS, Windows, and Linux. The malicious versions stayed available for roughly three hours before removal. The Axios maintainers wiped affected systems and reset credentials, and Google later linked the activity to UNC1069 using WAVESHAPER.V2 and infrastructure overlaps.