Axios was not a one-off: UNC1069 used an 'Openfort' persona to target maintainers tied to Fastify, Lodash, and dotenv
In the previous article, I focused on how axios maintainer Jason Saayman was lured into a fake Slack workspace and then a fake Teams meeting that delivered a RAT. The public reports that surfaced after April 3 make the picture much bigger. Axios was probably not a one-off target. It looks like part of a broader campaign aimed at high-impact Node.js maintainers.
The key distinction is between a confirmed compromise and a confirmed targeting attempt. Based on public sources as of April 5, 2026, Jason’s axios case is still the only publicly confirmed compromise that led to a malicious npm publish. But the list of maintainers who say they were targeted by the same pattern has grown quickly.
Publicly Confirmed Targets
Here is the clearest public picture so far.
| Target | Main projects / role | Public source | Lure | Outcome |
|---|---|---|---|---|
| Jason Saayman | axios lead maintainer | axios postmortem issue | impersonated company founder -> fake Slack -> fake Teams meeting -> fake “update” | Compromised; axios 1.14.1 / 0.30.4 published |
| Pelle Wessman (voxpelli) | Mocha, neostandard, npm-run-all2, type-fest | his comment on the axios issue | fake podcast booking -> spoofed streaming site -> unsigned macOS app / curl request | Refused and escaped |
| Jean Burellier | Node.js core collaborator, Express contributor | Socket report | LinkedIn message from an Openfort persona -> Slack -> teams.onlivemeet.com -> update prompt | Refused and escaped |
| Matteo Collina | Fastify, Pino, Undici, Node.js TSC Chair | Socket report | apparently legitimate Slack outreach -> software install request | Escaped |
| Scott Motte | creator of dotenv | Socket report | contacted through the same Openfort persona | Targeting confirmed |
| Ulises Gascón | Node.js core collaborator / releaser, Express TC, Lodash TSC | Socket report | same campaign family | Targeting confirmed |
| Wes Todd | Express TC, Node Package Maintenance WG | Socket report | same campaign family | Targeting confirmed |
| Jordan Harband | TC39 member, maintainer of ECMAScript polyfills and shims | Socket report | same campaign family | Targeting confirmed |
| John-David Dalton | creator of Lodash | Socket report | same campaign family | Targeting confirmed |
| Feross Aboukhadijeh and Socket engineers | WebTorrent, StandardJS, buffer, others | feross’s comment, Socket report | same campaign family | Targeting confirmed |
So the story is not “all famous packages were already compromised.” The more accurate reading is that a wide set of famous maintainers were already in the crosshairs, and axios was the first major visible success.
The Shared Playbook
The Jason, Pelle, and Jean cases are detailed enough to show the common structure.
```mermaid
graph TD
A["Initial contact over LinkedIn / Slack<br/>posing as a real company or event"] --> B["Build trust over days or weeks<br/>and simulate other participants"]
B --> C["Send the meeting link right before the call<br/>to a spoofed Teams / streaming page"]
C --> D["Show an audio, connection, or update problem"]
D --> E["Push the target to install an app<br/>or run a curl / script command"]
E --> F["Drop a RAT or infostealer"]
F --> G["Steal npm tokens, browser sessions,<br/>and other secrets from the device"]
G --> H["Use the maintainer's trust position<br/>for a supply-chain attack"]
```
Jason explained in his issue comment that the attackers built a convincing fake company Slack workspace, complete with realistic branding and fake profiles for team members and other OSS maintainers. Pelle described a fake podcast setup with supposed co-guests and prep material. Jean’s case, as reported by Socket, started with a LinkedIn approach on March 5, moved into Slack workspaces, and culminated on March 27 with a link sent only five minutes before the meeting. That link appeared to be Microsoft Teams but redirected to teams.onlivemeet.com.
This lines up closely with the official threat intelligence already on record. In its February 10, 2026 report, Google Mandiant described UNC1069 using fake Zoom meetings and ClickFix-style troubleshooting. In its November 22, 2024 write-up, Microsoft described Sapphire Sleet using fake investment or recruiting conversations and then sending .scpt or .vbs files as “connection fixes.”
Why the Reused “Openfort” Persona Matters
One of the strongest signs of coordination in this follow-up is that Socket reported the same “Openfort” persona being used against both Jean Burellier and Jason Saayman. That suggests a reusable campaign asset, not just random ad hoc phishing.
The target set also spans very different parts of the ecosystem:
- HTTP clients: axios, Undici
- frameworks and platform infrastructure: Fastify, Express
- utility packages: Lodash, dotenv
- testing and quality tooling: Mocha, neostandard
- ecosystem governance and release roles: Node.js core collaborators, releasers, and TSC members
That is not a random spray. It looks much more like an attempt to map the human trust graph of the Node.js ecosystem and look for the highest-leverage path in.
This Is a Crypto Playbook Repointed at Open Source
The method itself did not start with open source. Mandiant’s February 2026 report says UNC1069 had already been using fake meeting infrastructure and AI-assisted social engineering against cryptocurrency firms, software developers, and venture capital targets. Microsoft’s earlier Sapphire Sleet reporting describes essentially the same pattern: initiate contact through LinkedIn, stage a meeting, create a fake technical problem, and then get the victim to run something.
What changed after axios is the target class. Instead of using the compromise to drain wallets, the attacker can use the same endpoint takeover to steal publish authority over npm packages. From the attacker’s perspective, that is a much higher-leverage route.
Microsoft’s April 1, 2026 Axios analysis explicitly attributes the npm compromise to Sapphire Sleet. Google tracks the overlapping activity as UNC1069. The naming differs, but the operational idea is the same: compromise the developer’s device first, then use the already-authenticated state to move into the software supply chain.
The Real Risk Is Simultaneous Targeting
This is where the reporting needs precision. There is no public evidence, as of April 5, 2026, that Fastify, Lodash, or dotenv were successfully compromised in the same way axios was. Writing that would overshoot the evidence.
But the more important fact may be that the actor does not need many successes. A single success against a maintainer tied to packages like Lodash, dotenv, Fastify, or Undici would have enormous downstream impact. The public cases show that the attacker already understands where those trust chokepoints are.
OIDC publishing, provenance, and npm 2FA are still necessary, but Jason’s case already showed they are not sufficient once the maintainer’s daily-use machine is under remote control. Software TOTP, browser sessions, saved tokens, and shell history all collapse together when the endpoint itself is lost.
The practical baseline looks more like this:
- never install software or run scripts because a meeting claims your audio or connection is broken
- separate meeting devices from release-capable devices
- prefer hardware keys for npm publish authorization
- assume consumer-side controls such as `minimumReleaseAge` and provenance verification are still necessary because registries do not fully enforce OIDC-only publishing
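The release-age gate named in the last item, sketched as an added example (not code from the original article or from any package manager): it reads the `time` map of an npm packument and refuses any version published more recently than a threshold, falling back to the newest version that is old enough. The packument, its name, versions and dates are constructed for the example.

```javascript
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed sample of an npm packument (version -> publish timestamp in `time`).
// The name, versions and dates are made up; real packuments also carry
// non-version keys such as "created" and "modified" in the same map.
const SAMPLE_PACKUMENT = {
  name: "example-lib",
  "dist-tags": { latest: "2.1.1" },
  time: {
    created: "2025-06-01T00:00:00.000Z",
    modified: "2026-04-02T08:00:00.000Z",
    "2.0.0": "2025-06-01T00:00:00.000Z",
    "2.1.0": "2026-02-15T12:00:00.000Z",
    "2.1.1": "2026-04-02T08:00:00.000Z",
  },
};

// Parse "major.minor.patch"; pre-release and build suffixes are ignored here.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when the version has been public for at least minDays as of `now` (ms epoch).
function isOldEnough(publishedIso, minDays, now) {
  return now - Date.parse(publishedIso) >= minDays * MS_PER_DAY;
}

// Newest published version that is at least minDays old, or null if none is.
function selectVersion(packument, minDays, now = Date.now()) {
  const versions = Object.keys(packument.time).filter((k) => /^\d+\.\d+\.\d+/.test(k));
  const eligible = versions.filter((v) => isOldEnough(packument.time[v], minDays, now));
  if (eligible.length === 0) return null;
  return eligible.sort(compareVersions).pop();
}

// Summarise whether the "latest" dist-tag passes the gate, e.g. for a CI log line.
function auditLatest(packument, minDays, now = Date.now()) {
  const latest = packument["dist-tags"].latest;
  const ageDays = Math.floor((now - Date.parse(packument.time[latest])) / MS_PER_DAY);
  const chosen = selectVersion(packument, minDays, now);
  return { latest, ageDays, accepted: chosen === latest, chosen };
}
```

A freshly pushed release is held back until the threshold passes, which is exactly the window in which a hijacked maintainer account's publish would otherwise be pulled into every fresh install.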
Conclusion
Axios now looks like the first visible break in a much broader campaign. The follow-up reporting suggests UNC1069 / Sapphire Sleet was already probing maintainers tied to Fastify, Lodash, dotenv, Mocha, Express, and Node.js core roles.
The takeaway is not that all of those projects were already compromised. The takeaway is that the attacker has already moved close enough to those trust anchors that the next success could land almost anywhere in the Node.js ecosystem.