Axios just got f**ked

The PrimeTime | 00:07:36 | Apr 9, 2026
Explains how Axios was compromised: a malicious update was published that included a credential-stealing library.

Axios got pwned by a clever social-engineering attack, using fake Slack/Teams workspaces and a Trojanized update to steal credentials.

Summary

The PrimeTime’s recap dives into the Axios hack that erupted on March 31, when an attacker compromised the maintainer Jason and pushed malicious updates (1.14.1 and 030.4) containing a rogue library called plain-crypto.js. Fireship’s take anchors the drama with a sharp quip about the “non-consensual backdoor penetration” masquerading as developer experience. The story unfolds through a staged, highly convincing setup: cloned company branding, fake founders, and a branded Slack workspace filled with fake profiles and OSS maintainers, plus a scheduled Teams meeting that triggered the payload. The victim was urged to install a supposedly missing item, which turned out to be a remote access Trojan (RAT) giving attackers full control over the machine. The attacker’s playbook emphasizes slow, persuasive engagement: re-scheduling meetings weeks out and cultivating trust before triggering the compromise. Analysts note this mirrors North Korean threat actors’ AI-assisted social engineering patterns (as highlighted by Google’s UNC1069 work) that blur the line between legitimate and malicious interfaces. The segment closes with a light jab at Victor’s reactions and a plug for boot.dev, tying the tech story back to practical upskilling advice for developers. Overall, the video blends humor with a concrete breakdown of how multi-layered social engineering can turn a “nice-to-have” feature into a catastrophic backdoor in just a few hours.

Key Takeaways

  • Malicious Axios updates 1.14.1 and 030.4 contained a new library, plain-crypto.js, that exfiltrated credentials and gave attackers control of the machine.

Notable Quotes

"That improved developer experience just turned into non-consensual backdoor penetration by a magnum-sized Trojan."
Fireship’s famous one-liner sets the tone for the detailed breakdown that follows.
"The malicious versions were alive for about 3 hours and you should go through and make sure you don't actually have these just in case."
Immediate actionable warning about the timeframe attackers operated.
"They scheduled a meeting with me to connect. The meeting was on Microsoft Teams."
Key red flag example used to illustrate how the attack leveraged legitimate tools.
"This workspace was branded to the company's CI and named in a plausible manner."
Shows how authentic-looking environments aid social-engineering success.

Questions This Video Answers

  • How did the Axios hack use fake company branding and impersonation to deceive victims?
Tags: Axios hack, Social engineering, RAT, Remote access Trojan, North Korea cyber threats, AI-enabled phishing, Microsoft Teams, Slack, Open-source supply chain risk, plain-crypto.js

Full Transcript
Hey, how would you like to join a Teams call and then by joining the Teams call you get hacked by North Korea? Well, that's what happened with Axios. It would be kind of strange if you haven't heard about the Axios hack because even the legend himself, the modern-day poet, the real minstrel among us all, Fireship did release a video and I think he summed up the Axios hack best with the following. That improved developer experience just turned into non-consensual backdoor penetration by a magnum-sized Trojan. That man does not mince words. Before I tell you exactly how Axios was hacked, let's just go over a quick couple details for those that aren't in the know. On March 31st, Axios was hacked. Effectively, what happened is that Jason ended up getting compromised. And then by being compromised, Axios published two new versions, 1.14.1 and 030.4, which involved a new library called plain-crypto.js, which just wraps crypto but instead steals all the credentials and does every, you know, just completely takes advantage of your computer. The malicious versions were alive for about 3 hours and you should go through and make sure you don't actually have these just in case. If I were you, I'd probably just roll all my credentials everywhere, reset everything if you happen to be hit in this. Also kind of strange just throwing this out there as I was reviewing the summary. Uh, right here, Victor just didn't like Jason telling everybody about what happened and how to fix things. Oh, Victor, that's kind of strange, don't you think, V? V V V V V V V V V V V V V V V V V V V Victor, why, why you dislike him that? Well, yesterday Jason actually gave an update on the situation and gave us the real details of what exactly happened to him. First, they reached out masquerading as a founder of a company. They had cloned the company's founder's likeness as well as the company itself. Second, they invited me to a real Slack workspace. 
This workspace was branded to the company's CI and named in a plausible manner. The Slack was well thought out. They had channels where they were sharing LinkedIn posts. Yes. I love that. It's like, yo, how do you know it's a real company? Oh, there's a channel dedicated to sharing LinkedIn posts. [laughter] I guess honestly, I don't think I've been a part of a real company then. Because that sounds horrible. If I went into somebody's Slack and they're like, "Oh, yeah, that's where we discuss the happenings of that very well-known and very well-respected network, LinkedIn." I'd be like, "Brother, I don't think I belong here. This isn't for me. Whatever's happening here." They even had what I presumed were fake profiles of the team of the company, but also a number of OSS maintainers. So, they just kind of set up this very elaborate environment for this one individual person to be had. They scheduled a meeting with me to connect. The meeting was on Microsoft Teams. That should be a red flag. Okay. I don't know what's going on, but meeting on Microsoft Teams, like I wouldn't even write on the internet that I joined a Microsoft Teams phone call. Okay. I would keep that to myself. I would hide that little piece of knowledge. The meeting had what seemed to be a group of people that were involved. The meeting said something on my system was out of date. I installed the missing item as I presumed it was something to do with Teams, and it was the RAT. For those that don't know what a RAT is, RAT stands for remote access Trojan, or sometimes remote administration tool. It is a type of malicious software that allows hackers to gain unauthorized hidden remote control over a target computer or device. In other words, they can see everything you do. They have access to every single file you create and they're able to put anything they want or make your computer do any action. 
To be completely fair here, I, you know, shameful enough as it sounds, if I ended up joining a Microsoft Teams call and then it was like, "Hey, something's out of date. You need to install a new driver." The chance of me being had, it could go up. It could definitely go up. The thing that makes this so difficult is that if you actually go and look at some of the screenshots, it looks just like Microsoft Teams or it looks just like Zoom. And if you look at the web browser, if you're not even careful enough, that looks just like a Zoom link. If you're not familiar with a Zoom link, they typically look like something like this. There's some sort of region. Zoom US and then an ID right afterwards. Whereas this one right here is that kind of same region except for there's just no dot right here. So, if you're just not even looking at it, like it's a very simple mistake to realize you're not even on Zoom. The Teams one seems a little bit more obvious though. Microcell, like there's definitely something going on right there that doesn't look real. I feel like I would not be had by this one again. Victor, you downvoted again. Hey, Victor. Hey, V. Hey, Victor. Where were you on the evening of the infamous Teams call? Just a... Hey, I'm just asking questions here. Even the person that provided the screenshots right here, Victor also downloaded it. Strange, huh? What is going on, Victor? All of this just goes to show how easy it is to be had. Okay, I assume that Jason probably knows a thing or two about tech. Probably doesn't get had by those simple text messages that are like, "Oh, your UPS package is late, bro. Hey, why don't you just click this link?" Right? It takes a little bit more. I think I could have been easily fooled by having something that feels so set up, right? You go to a Slack. There's multiple people there. It has the company branding. It even has a LinkedIn section, very unhinged as it is. It has other OSS maintainers. 
People are yapping. Oh my gosh. Hey, we have a meeting. Which is also strange because one of the things apparently they do during this meeting is that instead of just like, hey, you should join this meeting. Hey, you should join this meeting. They play it hard to get. Apparently, they'll schedule the call for like a week out and then they'll reschedule it for another week being like, "Oh, hey, we can't do it right now. Could you do it even next week?" They really just slow roll you. They age you like a fine bottle of wine. It's insane because 2 to 3 weeks you think that they would be worried about getting caught, that you would kind of notice something's wrong with the Slack, but no, they let it go nice and slow because they really want to build up that rapport that what you're about to join is completely and absolutely above board, which apparently with other people they actually like step through and give them other instructions on how to potentially fix their problem and then at some point be like, here, try this install script, and then bam, they get had. And this exact style of getting hacked apparently is identical effectively to this right here. UNC1069 targets cryptocurrency sector with new tooling and AI-enabled social engineering. This was just released a couple months ago by Google. Apparently what it is is North Korean threat actors and they're just using more and more sophisticated technology and the power of AI to be able to dupe people. And they will often use something that looks like this. Like again this looks just like the Zoom meeting. They just flip around the credentials, right? So it's like us5 web US us and then have the zoom on the other side and just make it so believable and then the CSS is so well done. Hey, good job AI. That's the power of AI being able to clone out a UI. So that's what happened with Axios. So pour one out for Jason. And also Victor. Vic. 
Hey yo, Victor feel like we got to know why you're so upset at everything. Okay. What's what's going on? What what what are you hiding? Do you also happen to know of a nice Microsoft Teams link that I should join? Do you have a Slack organization that would be something that I could end up joining? I'm on to you, Victor. The name is the Primagen. Hey, do you want to learn how to code? Do you want to become a better back-end engineer? Well, you got to check out boot.dev. Now, I personally have made a couple courses from them. I have live walkthroughs free available on YouTube of the whole course. Everything on boot.dev you can go through for free. But if you want the gamified experience, the tracking of your learning and all that, then you got to pay up the money. But hey, go check them out. It's awesome. Many content creators you know and you like make courses there. boot.dev/prime for 25% off.
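As an added, practical follow-up to the "make sure you don't actually have these" warning in the transcript (this is the editor's example, not code from the video, from Fireship, or from the Axios project): a scanner for an npm package-lock.json that flags the two affected Axios versions and any installed dependency whose name matches the rogue library. It assumes the transcript's "030.4" means 0.30.4 (the 0.x release line) and matches the library name loosely, since the page spells it both "plain crypto.js" and "plain-crypto.js".

```python
"""Scan an npm package-lock.json for the Axios versions the video warns about
and for the rogue dependency it describes. Added example, not from the video."""
import json
import re

# Versions named in the video; "030.4" from the transcript is read as 0.30.4 (assumption).
BAD_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
# The rogue library is spelled two ways on the page, so match on a normalized
# name (assumption: any plain/crypto/js spelling variant is worth a look).
ROGUE_NAME_RE = re.compile(r"^plain[-_. ]?crypto[-_. ]?js$", re.I)


def _packages(lock: dict):
    """Yield (name, version) for lockfileVersion 2/3 ('packages' keyed by
    node_modules path) and lockfileVersion 1 (nested 'dependencies')."""
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project itself, not a dependency
            yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "")

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def scan_lockfile(text: str) -> list[str]:
    """Return sorted, de-duplicated findings; an empty list means nothing matched."""
    findings = []
    for name, version in _packages(json.loads(text)):
        if name == "axios" and version in BAD_AXIOS_VERSIONS:
            findings.append(f"axios@{version} is one of the compromised releases")
        if ROGUE_NAME_RE.match(name):
            findings.append(f"dependency '{name}@{version}' matches the rogue library name")
    return sorted(set(findings))


# Constructed sample lockfile (lockfileVersion 3) with a bad axios and the rogue package.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/axios/node_modules/plain-crypto.js": {"version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

if __name__ == "__main__":
    for line in scan_lockfile(SAMPLE_LOCK) or ["no indicators found"]:
        print(line)
```

A hit on the rogue name is the stronger signal: the compromised Axios releases were only live for about three hours, but any machine that installed one should have its credentials rotated, as the transcript advises.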
