The Axios supply chain attack used individually targeted social engineering
Simon Willison's Weblog, 3rd April 2026

The Axios team have published a full postmortem on the supply chain attack which resulted in a malware dependency going out in a release the other day, and it involved a sophisticated social engineering campaign targeting one of their maintainers directly. Here's Jason Saayman's description of how that worked:

    So the attack vector mimics what Google has documented here: https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering

    They tailored this process specifically to me by doing the following: they reached out masquerading as the founder of a company. They had cloned the company founder's likeness as well as the company itself. They then invited me to a real Slack workspace. This workspace was branded to the company's CI and named in a plausible manner. The Slack was thought out very well; they had channels where they were sharing LinkedIn posts. The LinkedIn posts, I presume, just went to the real company's account, but it was super convincing etc. They even had what I presume were fake profiles of the team of the company, but also a number of other OSS maintainers.

    They scheduled a meeting with me to connect. The meeting was on MS Teams. The meeting had what seemed to be a group of people that were involved. The meeting said something on my system was out of date. I installed the missing item as I presumed it was something to do with Teams, and this was the RAT.

    Everything was extremely well co-ordinated, looked legit and was done in a professional manner.

A RAT is a Remote Access Trojan—this was the software which stole the developer's credentials, which could then be used to publish the malicious package.
That's a very effective scam. I join a lot of meetings where I find myself needing to install Webex or Microsoft Teams or similar at the last moment, and the time constraint means I always click "yes" to things as quickly as possible to make sure I don't join late. Every maintainer of open source software used by enough people to be worth taking in this way needs to be familiar with this attack strategy.

Posted 3rd April 2026 at 1:54 pm