UNC1069 Targets Node.js Maintainers via Fake LinkedIn, Slack Profiles


North Korean group UNC1069 targets Node.js maintainers using fake LinkedIn and Slack profiles to spread malware and compromise open source packages.

A coordinated group of hackers is currently targeting open source maintainers, particularly those managing Node.js and npm, following a high-profile attack on the popular Axios npm package.

Security experts at Socket investigated these attacks and found that the hackers use social engineering to initiate contact through LinkedIn or Slack, posing as recruiters or podcast hosts under fake company profiles and using fake meeting sites that look exactly like Microsoft Teams or Zoom.

How the Trick Works

According to Socket’s research, these scammers are very patient, as they spend weeks building rapport before sending the suspicious link. For example, on 5 March 2026, a developer named Jean Burellier was contacted on LinkedIn by someone posing as a representative of Openfort, and wasn’t invited to a call ...


Copyright of this story solely belongs to hackread.com.