Source: TechCrunch
📂 **Category**: Security,cyberattack,cybersecurity,North Korea,open source,social engineering
North Korea’s cyberattack last Monday, which briefly hijacked one of the most widely used open source projects on the web, took weeks to execute and was part of a long-running campaign targeting senior software developers.
The March 31 hijacking of the Axios project succeeded in part because well-resourced hackers spent a long period building rapport and trust with their intended target, increasing the odds of an eventual compromise. This type of hack highlights the security challenges that developers of popular open source projects can face, at a time when government hackers and cybercriminals alike target widely used projects because they can provide access to, in some cases, millions of devices around the world.
Jason Saayman, who maintains the popular Axios project that developers use to connect their applications to the internet, published a post-mortem that included a timeline of the hack. He noted that the hackers began their targeting campaign about two weeks before they eventually took control of his computer to push out the malicious code.
Saayman said the suspected North Korean hackers posed as a real company, created a realistic-looking Slack workspace, and used fake employee profiles to build credibility. They then invited him to an online meeting that prompted him to download malware disguised as an update necessary to access the call. The lure mimics a technique used by North Korean hackers that tricks potential victims into giving the hackers remote access to their systems, often to steal their cryptocurrency, Saayman said.
Saayman said that this attack mimics previous hacks attributed to North Korea by security researchers at Google.
After compromising Saayman’s computer and gaining remote access, the hackers released malicious updates to the Axios project.
The two malicious Axios packages, which were pulled about three hours after they were first published on March 31, may have infected thousands of systems during that period, though the full scope of the mass hack is not yet entirely clear. On any computer that installed a malicious version of the software during this time, the hackers may have been able to steal private keys, credentials, and passwords, potentially leading to further breaches.
Saayman did not immediately respond to an email containing questions about the incident.
North Korean hackers remain one of the most active cyber threats on the internet today, blamed for stealing at least $2 billion worth of cryptocurrency in 2025 alone.
Kim Jong Un’s regime remains under international sanctions and banned from the global financial network for violating a ban on its nuclear weapons development program, which the country largely finances by launching cyberattacks and stealing cryptocurrency.
North Korea is believed to have thousands of highly organized hackers, most of whom operate against their will under the repressive Kim regime. These hackers spend weeks or months carrying out complex social engineering attacks aimed at gaining trust and eventually stealing cryptocurrency and data to blackmail their victims.
🕒 **Posted on**: 1775526140
