Published: 2026-04-04
Categories: Supply Chain Security, Threat Intelligence, Developer Security, Nation-State Threats
DPRK OSS Maintainer Targeting: Social Engineering as Supply Chain Vector
Key Takeaways
North Korea’s state-sponsored cyber apparatus has executed a deliberate, multi-year pivot away from direct intrusions against individual organizations toward a force-multiplication strategy: compromise the developers who build and maintain the open source software that millions of organizations depend on. This pivot, documented across campaigns from 2022 through March 2026, treats the open source dependency graph as a primary attack surface—one where a single maintainer account can provide downstream reach that no direct organizational intrusion could match.
The pattern manifests through two complementary approaches. In the external social engineering track, DPRK-affiliated actors build credible technical personas—sometimes over months or years—before exploiting the trust gained to deliver malicious payloads through compromised maintainer credentials or legitimate-looking collaboration invitations. In the parallel insider placement track, DPRK’s “IT worker” program plants operatives inside technology firms as legitimate remote employees, achieving the same privileged access to code repositories and publishing pipelines without any social engineering barrier at all. The March 31, 2026 compromise of the axios npm package—which receives over 100 million weekly downloads and is a dependency of countless JavaScript applications—represents the clearest proof-of-concept to date that this strategy can achieve global-scale impact from a single maintainer account [1].
Organizations that depend on open source software cannot treat this as a vendor or registry problem alone. The attack surface includes every maintainer relationship in their dependency graph, and the defenses required span developer identity verification, dependency integrity controls, and supply chain monitoring capabilities that most organizations have not yet deployed.
Background
Strategic Logic Behind Maintainer Targeting
The Reconnaissance General Bureau (RGB), North Korea’s primary cyber intelligence organization, operates several overlapping threat actor groups that collectively conduct cryptocurrency theft, espionage, and increasingly, supply chain operations. The most prominent among them—variously tracked as TraderTraitor (CISA/FBI), JADE SLEET (Microsoft), Labyrinth Chollima (CrowdStrike), and UNC4899 (Mandiant)—began their documented focus on developer targeting around 2022, with campaigns that have grown in both scale and ambition since [2][3][24].
A large organization protecting its production systems with mature endpoint detection, network segmentation, and privileged access controls presents a significant intrusion challenge. But if the libraries that organization’s developers install every day can be trojanized at the registry level, those defenses become irrelevant. The attacker bypasses the perimeter entirely by poisoning the supply that flows through it. When the target package has 100 million weekly downloads, a single successful maintainer compromise reaches a vastly larger pool of potential victims than any targeted intrusion could produce—creating asymmetric leverage that explains the strategic investment DPRK has made in this approach.
DPRK’s financial imperatives reinforce this strategy. The programs responsible for these operations are substantially self-funding—cryptocurrency theft enabled by prior developer-targeting campaigns generated $1.34 billion across 47 hacks in 2024 alone, representing 61% of all cryptocurrency stolen globally that year [4][22][25]. The scaling of OSS supply chain attacks into 2025 and 2026 reflects the same logic applied to an even broader target surface.
The xz-utils Precedent
No case study better illustrates the method than the xz-utils backdoor (CVE-2024-3094, CVSS 10.0), discovered on March 29, 2024 by Andres Freund, a Microsoft engineer who noticed anomalous SSH performance on a Debian system [5]. Though no state actor has been definitively and publicly attributed for this campaign, the case has become essential reference material because it documents—in meticulous technical detail—the long-horizon trust-building methodology that security researchers have since identified as a structural parallel to DPRK-attributed operations. Whether or not Jia Tan was a state-sponsored actor, the case established that this class of operation is feasible at scale.
Beginning in late 2021, a persona known as “Jia Tan” (GitHub handle: JiaT75) began making technically competent, legitimate contributions to xz-utils, a fundamental compression library present in virtually all Linux distributions. For more than a year, Jia Tan contributed only genuine improvements—bug fixes, performance enhancements, real work—while building the credibility and trust of a reliable community contributor. Concurrently, a set of apparent sock puppet accounts, including “Jigar Kumar” and “krygorin4545,” began pressuring the project’s sole maintainer, Lasse Collin, with complaints about slow patch acceptance and mounting maintenance demands [5][6]. This coordinated pressure manufactured both the appearance of community need and the psychological conditions for maintainer burnout.
By 2022–2023, Collin granted Jia Tan commit access, and eventually release-signing authority—the most privileged position in an open source project’s trust chain. In February and March 2024, Jia Tan used that authority to publish xz-utils versions 5.6.0 and 5.6.1 containing an obfuscated backdoor targeting sshd via systemd. The payload was hidden not in the Git repository but in binary test files within the distributed release tarball, deliberately evading standard code review practices [5][7]. Discovery came not through any automated security tooling but through a human engineer’s observation of a 500ms SSH connection delay—a margin that could easily have gone unnoticed. Had these versions reached the stable releases of Debian, Fedora, and Ubuntu, the backdoor would have established persistent remote code execution capability across a substantial fraction of internet-facing Linux infrastructure.
The patience of the operation—approximately 28 months from first contribution to payload deployment—and the technical sophistication of hiding malicious content in release artifacts rather than source code represent a template that security researchers have since observed echoed in documented DPRK campaigns.
Security Analysis
The JADE SLEET Developer Targeting Model (2023)
GitHub’s Security Advisory issued in July 2023 documented a low-volume, high-precision social engineering campaign that Microsoft independently tracked as JADE SLEET and CISA as TraderTraitor [8][9][23]. The campaign introduced a tactic that has since become standard in DPRK’s developer-targeting playbook: compromise the individual developer’s personal machine as the entry point to their employer’s systems.
Operators constructed fake developer and recruiter personas on GitHub, LinkedIn, Slack, and Telegram—sometimes hijacking legitimate existing accounts rather than building new ones from scratch. Targets, primarily employees of cryptocurrency and blockchain firms, received invitations to collaborate on private GitHub repositories. These repositories appeared legitimate: plausible names, reasonable README files, and code that functioned as described. The malicious payload was embedded in npm package dependencies that executed automatically when the victim cloned and ran the project locally. Once the developer’s machine was compromised, attackers pivoted to employer systems, source code repositories, CI/CD pipelines, and credentials stored on the endpoint.
A structural feature of these npm packages—published in coordinated pairs from separate npm accounts, splitting malicious functionality across packages—was designed explicitly to frustrate automated detection systems that analyze individual packages in isolation. Token-based command-and-control further complicated attribution and takedown. This tradecraft has continued to develop: by 2024, similar campaigns were using coding challenge repositories distributed in fake technical interview contexts, with the DMM Bitcoin hack ($308 million, attributed by FBI to TraderTraitor) tracing directly to a malicious Python script delivered as an interview exercise to an employee of a cryptocurrency wallet vendor [4][10].
Moonstone Sleet: Fictitious Companies as Attack Infrastructure (2024)
Microsoft disclosed in May 2024 that a previously untracked DPRK-affiliated actor, Moonstone Sleet (formerly Storm-1789), had built an entirely different infrastructure layer: networks of fictitious technology companies constructed to approach developers directly through professional channels [11]. Where JADE SLEET impersonated real companies and real individuals, Moonstone Sleet invented institutions from whole cloth.
“StarGlow Ventures” and “C.C. Waterfall” were among the documented shell companies—each with a credible website, social media presence, and associated developer personas on LinkedIn, Telegram, and freelancing platforms. Targeted developers received outreach for paid consulting work or technical assessments. Deliverables arrived as .zip archives or npm packages; the latter used postinstall hooks to silently connect to actor-controlled infrastructure and deploy SplitLoader and related payloads [11]. In one campaign variant, a trojanized blockchain game (“DeTankWar”) and a modified PuTTY SSH client were used as delivery vehicles for developers offered game development contracts.
By April 2024, Microsoft observed Moonstone Sleet deploying custom ransomware—“FakePenny”—against organizations previously compromised through these developer-targeting campaigns, indicating that initial access achieved through social engineering is later monetized through multiple channels beyond cryptocurrency theft [11]. The fake company infrastructure is not merely a delivery mechanism; it is a persistent operational capability that can be retargeted against new victims as campaigns are detected and taken down.
The graphalgo Campaign: Multi-Registry Coordination at Scale (2025–2026)
Between May 2025 and early 2026, Lazarus Group-attributed operators executed one of the larger documented coordinated malicious package campaigns on record, deploying 24 packages to npm and 12 to PyPI simultaneously under a connected fake company identity [12][13]. The campaign, tracked by multiple threat intelligence teams as “graphalgo” after the most prominent package name, used “Veltrix Capital”—a fictitious blockchain trading firm—as its social engineering front. This campaign extended a pattern of DPRK npm-targeting activity documented by researchers since at least mid-2024 [21], expanding both registry coverage and operational scale.
Developers were contacted through LinkedIn, Facebook, Reddit, and professional channels with consulting or interview opportunities from Veltrix Capital. Technical assessments were delivered as packages pulling from the malicious graphalgo ecosystem. The malicious packages demonstrated a maturation in supply chain deception: bigmathutils, one of the campaign’s packages, published a clean first version to accumulate legitimate download history before a subsequent version introduced the malicious payload—exploiting the package’s established reputation to reduce scrutiny [12]. Across both registries, Sonatype analysis reported in [13] estimated the campaign reached approximately 36,000 potential download instances before detection, with 234 unique malicious packages blocked in the first half of 2025 alone.
The simultaneous coordination across npm and PyPI is notable: it suggests an intent to maximize cross-environment coverage—developers working across both JavaScript and Python stacks, common in enterprise environments where multiple languages are used in different services, faced exposure through both ecosystems.
The Axios Compromise: Proof of Concept at Global Scale (March 31, 2026)
The compromise of the axios npm package on March 31, 2026, attributed to UNC1069 (Google GTIG/Mandiant) and independently to Sapphire Sleet (Microsoft), represents the most publicly documented large-scale DPRK OSS maintainer compromise to date [1][14][15]. Axios is not a niche package—it receives over 100 million weekly downloads and is embedded as a dependency across millions of JavaScript applications worldwide. Its compromise demonstrated that the social engineering techniques DPRK developed against individual cryptocurrency developers could be successfully applied to maintainers of foundational web infrastructure.
The attack targeted Jason Saayman, axios’s primary maintainer, through a multi-step deception campaign. Threat actors constructed a fictitious company impersonating the founder of a legitimate, well-known firm, complete with professionally branded Slack workspace, active channels, and cross-posted LinkedIn content designed to establish organizational legitimacy—a presentation the maintainer described as “thought out very well” [14]. A scheduled Microsoft Teams call provided the delivery opportunity: a fabricated error message claiming an outdated system component prompted Saayman to trigger what he believed was a software update, silently deploying a remote access trojan and harvesting his npm credentials [1][14].
The subsequent payload—published in trojanized versions 1.14.1 and 0.30.4—injected a dependency on [email protected] and a postinstall hook executing an obfuscated dropper. The malware used two-layer encoding (reversed Base64 combined with XOR cipher, key OrDeR_7077) to conceal its command-and-control URL and deployed platform-specific variants targeting macOS, Windows, and Linux simultaneously [14]. From installation to full system compromise took approximately 15 seconds. During the roughly three-hour window between publication and takedown, the compromised versions were distributed to organizations across business services, financial services, high technology, higher education, and insurance sectors in the United States, Europe, the Middle East, South Asia, and Australia [1][14][20].
Attribution to UNC1069 rested on malware overlaps with previously documented WAVESHAPER variants, infrastructure analysis connecting the command-and-control server to an AstrillVPN node previously associated with UNC1069 operations, and adjacent ASN infrastructure linked to prior DPRK campaigns [14].
The IT Worker Insider Track
Parallel to external social engineering, DPRK operates a systematic insider placement program that achieves the same privileged access to codebases and publishing pipelines without requiring any deception of current maintainers. Microsoft’s June 2025 report on Jasper Sleet (formerly Storm-0287) documented an operation placing DPRK personnel inside technology companies as legitimate remote employees, providing direct access to internal source code, CI/CD pipelines, private repositories, and package publishing credentials [16].
The scale of this program is significant. GitHub banned 131 accounts linked to North Korean nation-state malware distribution in 2025 [17]. One documented DPRK developer team constructed at least 135 synthetic identities across job platforms and professional networks [17]. Microsoft suspended over 3,000 Outlook and Hotmail accounts created by DPRK IT workers in 2025 [16]. Identity construction techniques have incorporated AI tools to fabricate or enhance identity documents, generate deepfake video for job interviews, and produce convincing professional photographs—substantially lowering the barrier to persona creation at scale.
The FBI has documented that after discovery, these operatives frequently shift to extortion: copying employer GitHub repositories to personal accounts before demanding ransom, combining the intelligence-collection mission with a financial revenue stream [18]. OFAC designated additional members of this network in March 2026, citing the program’s role in generating revenue for North Korea’s weapons programs [19]. These designations may increase detection and operational burden for DPRK personas operating on sanctioned infrastructure, though the underlying operational capability—which has demonstrated resilience against prior enforcement actions—is unlikely to be disrupted.
Recommendations
Immediate Actions
Security teams should immediately audit their organizations’ direct and transitive dependency relationships for any packages involved in documented DPRK campaigns, including axios (verify pinned version integrity), all packages in the graphalgo family (npm and PyPI), and any packages distributed under the Moonstone Sleet fictitious company identities (StarGlow Ventures, C.C. Waterfall). Subresource integrity checks and lockfile verification for all npm and PyPI dependencies should be confirmed as operational. Any dependency update that changes a package.json or requirements.txt lockfile hash without an explicit, review-approved version bump warrants investigation before deployment.
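One way to run the dependency audit described above, as an added example that is not part of the original note: it walks a parsed package-lock.json (both the flat v2/v3 layout and the nested v1 layout), flags the axios versions this page names as trojanized, and flags registry tarballs that carry no integrity hash. The sample lockfile and the package names `demo-app`, `legacy-sdk` and `@demo/utils` are constructed for illustration.

```javascript
// Added example (not from the advisory): audit a parsed package-lock.json.
// The axios versions are the ones this page names; all other data is constructed.
const KNOWN_BAD = new Map([["axios", new Set(["1.14.1", "0.30.4"])]]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Walk every installed package: lockfileVersion 2/3 keeps a flat "packages"
// map keyed by install path; version 1 nests "dependencies" recursively.
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [path, e] of Object.entries(lock.packages)) {
      if (path === "" || e.link) continue; // root project or workspace symlink
      yield { name: e.name || nameFromPath(path), path, version: e.version,
              resolved: e.resolved, integrity: e.integrity };
    }
    return;
  }
  const stack = [{ deps: lock.dependencies || {}, prefix: "" }];
  while (stack.length > 0) {
    const { deps, prefix } = stack.pop();
    for (const [name, e] of Object.entries(deps)) {
      const path = `${prefix}node_modules/${name}`;
      yield { name, path, version: e.version, resolved: e.resolved,
              integrity: e.integrity };
      if (e.dependencies) stack.push({ deps: e.dependencies, prefix: `${path}/` });
    }
  }
}

function auditLockfile(lock, knownBad = KNOWN_BAD) {
  const findings = [];
  for (const pkg of installedPackages(lock)) {
    const bad = knownBad.get(pkg.name);
    if (bad && bad.has(pkg.version)) {
      findings.push({ kind: "known-bad-version", ...pkg });
    } else if (/^https?:/.test(pkg.resolved || "") && !pkg.integrity) {
      // A registry tarball with no recorded hash cannot be verified on install.
      findings.push({ kind: "missing-integrity", ...pkg });
    }
  }
  return findings;
}

// Constructed sample lockfile: a direct and a transitive axios install,
// one entry without an integrity hash, and one clean scoped package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": {
      version: "1.14.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/legacy-sdk/node_modules/axios": {
      version: "0.30.4",
      resolved: "https://registry.npmjs.org/axios/-/axios-0.30.4.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/legacy-sdk": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/legacy-sdk/-/legacy-sdk-2.0.0.tgz",
    },
    "node_modules/@demo/utils": {
      version: "3.1.0",
      resolved: "https://registry.npmjs.org/@demo/utils/-/utils-3.1.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.kind}: ${f.name}@${f.version} at ${f.path}`);
}
```

In a pipeline, pass the result of `JSON.parse` on the project's own package-lock.json to `auditLockfile` and fail the build when the returned list is non-empty.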
Maintainers of widely-used open source packages—particularly those on npm and PyPI with significant download volumes—should review their account security posture immediately. npm account security requires hardware-based multi-factor authentication, not TOTP alone; the Axios compromise succeeded partly because credential theft via trojanized installer provided complete session access. Maintainers should audit all authorized access to their npm, PyPI, and GitHub publishing credentials, verify that no unrecognized sessions are active, and review their package postinstall hooks and dependency additions for any changes they did not personally author.
Short-Term Mitigations
Organizations should implement automated software composition analysis (SCA) in CI/CD pipelines with specific signatures for techniques documented in DPRK campaigns: postinstall hooks in npm packages that make outbound network connections, newly-introduced runtime dependencies in previously stable packages, and packages that have recently changed their publisher email or npm account association. Registry-level signals—such as the maintainer email change to a ProtonMail address that preceded the Axios payload publication—should trigger automated holds on dependency updates pending security review.
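The three registry-level signals listed above can be checked by comparing the metadata of a package's previous and candidate releases before an update is allowed through. The following is an added example, not code from the original note or from any SCA product; it assumes the per-version metadata exposes `scripts`, `dependencies`, `maintainers` and `_npmUser` as npm registry version documents do, and the package name, versions and addresses in the sample are constructed.

```javascript
// Added example (not from the advisory): compare two releases of one package
// and report the signals the paragraph above says should trigger a hold.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Collect every publisher/maintainer address attached to a release.
function emailsOf(meta) {
  const people = [...(meta.maintainers || [])];
  if (meta._npmUser) people.push(meta._npmUser);
  return new Set(
    people.map((p) => String(p.email || "").toLowerCase()).filter(Boolean)
  );
}

function diffRelease(prev, next) {
  const signals = [];

  // 1. Install-time lifecycle scripts that are new or whose command changed.
  const prevScripts = prev.scripts || {};
  const nextScripts = next.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (nextScripts[hook] && nextScripts[hook] !== prevScripts[hook]) {
      signals.push({
        signal: prevScripts[hook] ? "install-hook-changed" : "install-hook-added",
        detail: `${hook}: ${nextScripts[hook]}`,
      });
    }
  }

  // 2. Runtime dependencies absent from the previous release.
  const prevDeps = prev.dependencies || {};
  for (const [name, range] of Object.entries(next.dependencies || {})) {
    if (!Object.prototype.hasOwnProperty.call(prevDeps, name)) {
      signals.push({ signal: "new-runtime-dependency", detail: `${name}@${range}` });
    }
  }

  // 3. Publisher or maintainer addresses not seen on the previous release.
  const before = emailsOf(prev);
  for (const email of emailsOf(next)) {
    if (!before.has(email)) {
      signals.push({ signal: "publisher-email-changed", detail: email });
    }
  }

  // Any signal holds the update for human review; none lets it proceed.
  return { hold: signals.length > 0, signals };
}

// Constructed sample metadata for a hypothetical package "demo-http-client".
const PREV_RELEASE = {
  name: "demo-http-client",
  version: "1.0.0",
  scripts: { test: "node test.js" },
  dependencies: { "demo-form-data": "^4.0.0" },
  maintainers: [{ name: "alice", email: "alice@example.org" }],
  _npmUser: { name: "alice", email: "alice@example.org" },
};
const NEXT_RELEASE = {
  name: "demo-http-client",
  version: "1.0.1",
  scripts: { test: "node test.js", postinstall: "node setup.js" },
  dependencies: { "demo-form-data": "^4.0.0", "demo-helper": "^4.2.1" },
  maintainers: [{ name: "alice", email: "alice@mail.example.net" }],
  _npmUser: { name: "alice", email: "alice@mail.example.net" },
};

const verdict = diffRelease(PREV_RELEASE, NEXT_RELEASE);
console.log(verdict.hold ? "HOLD" : "OK");
for (const s of verdict.signals) console.log(`  ${s.signal}: ${s.detail}`);
```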
Developer security awareness programs should be updated to include the specific social engineering scenarios documented above. The fake recruiter, fake technical assessment, and fake company patterns are distinct and recognizable; developers explicitly briefed on these scenarios are better positioned to identify and report suspicious outreach before executing delivered code. Particular emphasis should be placed on the risk of running locally cloned repositories, executing scripts delivered through professional outreach, and responding to unsolicited collaboration invitations on GitHub or other platforms. The instruction “run this to test our platform” or “complete this coding challenge” arriving through any professional channel should trigger verification before execution.
Hiring and contractor onboarding processes should incorporate enhanced identity verification appropriate to the DPRK IT worker threat. Physical document verification, video interviews with camera-on requirements, cross-referencing professional history against external indicators, and attention to the technical indicators documented by GitHub and Nisos—including shared commit histories across multiple personas and AI-artifact signs in submitted documents—should be incorporated into review workflows, particularly for remote roles with access to source code or publishing credentials [16][17].
Strategic Considerations
The OSS maintainer targeting strategy represents a structural challenge to the trust model that open source software depends on. The xz-utils case demonstrated that multi-year investment in technical credibility, combined with coordinated pressure on maintainer bandwidth, can evade standard code review processes and introduce malicious artifacts into widely distributed releases. The Axios case demonstrated that even sophisticated individual maintainers are vulnerable to elaborate social engineering campaigns backed by state-level resources and preparation time. Neither case reflects a failure of individual judgment; both reflect an adversary deliberately engineering conditions that would defeat reasonable caution.
Long-term resilience requires changes at the ecosystem infrastructure level. Package registries should implement multi-party authorization requirements for new version publication, hardware token requirements for accounts above defined download thresholds, and behavioral anomaly detection that flags publisher email changes, new dependency introductions, and postinstall hook additions for high-impact packages. The Sigstore project and related efforts to cryptographically bind published artifacts to auditable build pipelines provide a technical foundation that major registries should accelerate deploying at scale.
Organizations with material dependency on open source packages should consider active participation in maintainer security support programs. The structural vulnerability in many high-impact projects—sole or small-team maintainers managing packages used by hundreds of millions of applications—creates the conditions that DPRK exploitation has repeatedly targeted. Sustained funding, security consulting, and multi-maintainer succession planning for critical dependencies reduce the single-point-of-failure risk that makes these attacks possible.
CSA Resource Alignment
MAESTRO: Agentic AI Threat Modeling
The DPRK OSS maintainer targeting threat has direct implications for organizations deploying AI coding assistants and agentic development workflows. AI coding tools that automatically suggest and install packages, execute terminal commands, and manage dependency files create a significantly elevated risk surface when their package recommendations or auto-install behaviors interact with a compromised registry. The slopsquatting phenomenon documented in the AI Developer Tool Supply Chain Attacks research note [CSA, March 2026] represents a compounding risk: DPRK actors who identify packages that AI coding assistants consistently hallucinate can pre-position malicious packages to intercept AI-generated installation commands. MAESTRO’s threat taxonomy for agentic AI systems should be extended to include supply chain poisoning as a distinct attack category against AI development environments.
STAR for AI and Software Supply Chain Risk
The CSA STAR program’s AI controls framework provides the assessment baseline for evaluating how organizations manage their OSS dependency risk. STAR assessments for AI-enabled development environments should explicitly address software composition analysis coverage, lockfile integrity verification, and the cryptographic artifact verification practices that distinguish organizations capable of detecting supply chain compromises from those that would not discover them until downstream incident response. The proposed Catastrophic Risk (CR) Annex to STAR—currently in development under the Coefficient Foundation grant—provides a natural home for escalated supply chain risk criteria reflecting state-actor capabilities.
CCM and AICM: Supply Chain Controls
Cloud Controls Matrix domains covering Supply Chain Management and Identity and Access Management are directly applicable to the maintainer compromise vector. AICM—as the superset of CCM appropriate for AI-integrated environments—should map supply chain controls specifically to package registry access, developer credential management, and CI/CD pipeline integrity requirements. The AICM control set should address multi-party authorization for package publication as a specific control requirement for organizations with material exposure to npm, PyPI, or similar registries.
Zero Trust Architecture Guidance
CSA’s Zero Trust guidance applies to the developer endpoint as a critical trust boundary. The Axios attack succeeded through credential theft from a developer’s machine via a trojanized installer—an attack that endpoint isolation, hardware-enforced browser separation, and just-in-time credential issuance for npm publish operations would have materially constrained. Zero Trust architecture implementations for development environments should treat the developer endpoint as untrusted by default, requiring explicit authorization and hardware token confirmation for any action that modifies package registry state.
References
[1] Singapore Cyber Security Agency. “Advisory: Axios Supply Chain Attack (AD-2026-002).” CSA, April 2026.
[2] CISA, FBI, U.S. Treasury. “TraderTraitor: Lazarus Group Targets Blockchain Companies (AA22-108A).” CISA, April 18, 2022.
[3] FBI, CISA, NSA, et al. “North Korea Cyber Group Conducts Global Espionage Campaign (AA24-207A).” CISA, July 25, 2024.
[4] SecurityWeek. “FBI Blames North Korea for $308M DMM Bitcoin Hack as Losses Surge in 2024.” SecurityWeek, December 2024.
[5] thesamesam (Sam James). “xz-utils backdoor situation (CVE-2024-3094).” GitHub Gist, March 2024.
[6] Lily Hay Newman. “The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind.” WIRED, April 2024.
[7] Sonatype. “CVE-2024-3094: The Targeted Backdoor Supply Chain Attack Against xz and liblzma.” Sonatype Blog, March 2024.
[8] BleepingComputer. “GitHub Warns of Lazarus Hackers Targeting Devs with Malicious Projects.” BleepingComputer, July 2023.
[9] The Record. “Cyberattack on GitHub Customers Linked to North Korean Hackers.” The Record, July 2023.
[10] The Record. “FBI Attributes Largest Crypto Hack of 2024 to TraderTraitor.” The Record, December 2024.
[11] Microsoft Threat Intelligence. “Moonstone Sleet Emerges as New North Korean Threat Actor with New Bag of Tricks.” Microsoft Security Blog, May 28, 2024.
[12] The Hacker News. “Lazarus Campaign Plants Malicious Packages in npm and PyPI.” The Hacker News, February 2026.
[13] Infosecurity Magazine. “Over 200 Malicious Open Source Packages Traced to Lazarus Campaign.” Infosecurity Magazine, 2025–2026.
[14] Google Cloud / Mandiant. “North Korea-Nexus Threat Actor Compromises Axios npm Package.” Google Cloud Blog, April 2026.
[15] Microsoft Security Blog. “Mitigating the Axios npm Supply Chain Compromise.” Microsoft, April 1, 2026.
[16] Microsoft Threat Intelligence. “Jasper Sleet: North Korean Remote IT Workers’ Evolving Tactics to Infiltrate Organizations.” Microsoft Security Blog, June 30, 2025.
[17] Nisos. “DPRK IT Fraud Network Uses GitHub to Target Global Companies.” Nisos Research, 2025.
[18] FBI/IC3. “PSA250123: North Korean IT Workers Conducting Data Extortion Following Employment.” Internet Crime Complaint Center, January 23, 2025.
[19] The Hacker News. “OFAC Sanctions DPRK IT Worker Network.” The Hacker News, March 2026.
[20] Palo Alto Unit 42. “Threat Brief: Axios Supply Chain Attack.” Palo Alto Networks, April 2026.
[21] Datadog Security Labs. “Stressed Pungsan: DPRK-Aligned Threat Actor Leverages npm for Initial Access.” Datadog, 2024.
[22] Wiz. “North Korean TraderTraitor: Crypto Heist Deep Dive.” Wiz, July 2025.
[23] Google Cloud / Mandiant. “North Korea Leverages SaaS Provider in Targeted Supply Chain Attack.” Google Cloud Blog, July 2023.
[24] CISA. “North Korea State-Sponsored Cyber Threat Publications Index.” CISA (continuously updated).
[25] Chainalysis. “2025 Crypto Crime Report.” Chainalysis, 2025.