Social engineering attacks on open source developers are escalating
https://www.helpnetsecurity.com/2026/04/08/social-engineering-open-source-developers/
Publish Date: 2026-04-08 08:26:00
Source Domain: www.helpnetsecurity.com
North Korean hackers spent weeks socially engineering an Axios maintainer through a fake Slack workspace, a cloned company identity, and a fabricated Microsoft Teams call that tricked him into installing a RAT posing as a software update. They used the access they gained to inject malware into npm packages downloaded 100+ million times a week.
Now, a fresh Open Source Security Foundation (OpenSSF) advisory warns unknown attackers are using a similar approach to target other open source developers.
The Axios attack was not isolated
In the wake of the high-profile Axios compromise, Socket researchers learned that the same attack campaign targeted many other open source maintainers – particularly those managing Node.js and npm – as well as several Socket engineers.
The attackers reached out via LinkedIn or Slack, posing as company owners/representatives, job recruiters, or podcast hosts, and tried to lure developers into downloading malware masquerading as a videoconferencing software update or fix.
“The attackers used a spoofed Streamyard platform to trick Pelle Wessman, a maintainer of Mocha, into downloading a virus. Another expert, Matteo Collina, nearly fell for a Slack message on 2 April, while others like Scott Motte (creator of dotenv) and John-David Dalton (creator of Lodash) were also targeted,” Socket’s Deeba Ahmed shared.
“They even went after Socket CEO Feross Aboukhadijeh, the creator of WebTorrent and buffer, who noted that this type of targeting is becoming the ‘new normal.’”
Now someone is impersonating a Linux Foundation leader
Christopher Robinson, OpenSSF’s Chief Technology Officer and Chief Security Architect, warns that attackers are currently also impersonating a well-known Linux Foundation community leader and attempting to lure the victim into following a malicious link.
“The community has received reports of an active social engineering campaign targeting open source developers via Slack (including ToDoGroup…