
How North Korea's Fake Company Compromised Millions | 2 Minute Drill with Drex DeFord

About This Episode

North Korean threat actors didn't breach a firewall. They built a fake company. UNC1069 spent two weeks constructing a convincing Slack workspace, fake team members, and LinkedIn profiles to earn the trust of Jason Seaman, lead maintainer of Axios, a JavaScript library downloaded over 100 million times a week. One Teams call. One file. Within hours, malicious code was live and reaching health systems everywhere. The attack skipped the $50M security stack entirely and went straight to the human. Drex breaks down what happened, why it worked, and asks the question every health IT leader needs to answer: have you mapped who in your organization carries that kind of leverage?

Remember, Stay a Little Paranoid

X: This Week Health

LinkedIn: This Week Health

Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer


Transcript

Hey everyone, I'm Drex, and this is The Two Minute Drill. It's great to see everyone today. Here's some stuff you might wanna know about.

Jason Seaman isn't a household name, but there's a good chance that software he's maintaining is running right now in your health system. He's the lead maintainer of Axios, a JavaScript library downloaded more than 100 million times a week by developers around the world. Axios handles the way applications send and receive data over the internet. It's in web portals and all kinds of patient applications and administrative tools. It's the kind of invisible plumbing that makes modern software work.

And in early 2026, Jason got what looked like a job offer. A company wanted to connect. There was a Slack workspace to join. It was professionally branded. It had realistic channels with team members and LinkedIn profiles and active conversations. It was the kind of digital paper trail that signals legitimacy. And Jason joined the workspace, and he talked to the people, and things progressed. And then came an invitation to a Microsoft Teams call. And on that call, with what appeared to be a real colleague on the screen, someone mentioned that Jason's system needed an update before they could continue, and a file was shared, and he installed it. It was a remote access Trojan deployed by UNC1069, a North Korean threat actor group that has been running financially motivated cyber attacks since 2018.

UNC1069 had spent two weeks building the operation: the fake company, the fake Slack, the fake team, all of it to get one developer to install one file. And within hours, malicious versions of Axios were live on npm, the repository where developers download software packages. Two compromised releases pushed under Jason's legitimate account. Any developer who updated the library during that window pulled down malware, and researchers tracked at least 135 endpoints making contact with the attacker's infrastructure in a three-hour exposure window.

And this turns out to be a very important part of the story. Jason had two-factor authentication enabled, but it didn't help because the attack was never technical. There was no exploit against his authentication system. North Korea built a fake company and spent two weeks earning Jason's trust, and then they asked him to click.

And the industry moved fast. The compromised versions were pulled. Detections were built. The immediate crisis was contained. But the lesson isn't about the response, although again, great response. The lesson is about the setup. UNC1069 chose Jason because of what he had access to: a single trusted account that could push code to software running across the entire internet. They didn't attack a corporation with a security operations center and a $50 million budget. They attacked one person doing his job.

Now think about who in your organization carries that kind of leverage. The IT administrator who manages vendor access, or the developer who maintains your patient portal integrations, or the contractor with credentials that touch three or four different clinical systems. These are the people where an attacker only needs to build trust, not break through a firewall. North Korea spent two weeks on one developer because the math made sense. One person, one click, 100 million weekly downloads. Your environment has people like that too. The question is whether anyone has mapped who they are and what they hold access to, and whether your security posture is pointed at the right targets.

Drop me a note and let me know what you're working on. I'm always happy to hear from you. I'm drex@229project.com. Thanks for being here. Stay a little paranoid, and I will see you around campus.
