<?xml version="1.0" encoding="utf-8"?>
<feed xml:lang="en-us" xmlns="http://www.w3.org/2005/Atom"><title>Simon Willison's Weblog: social-engineering</title><link href="http://simonwillison.net/" rel="alternate"/><link href="http://simonwillison.net/tags/social-engineering.atom" rel="self"/><id>http://simonwillison.net/</id><updated>2026-04-03T13:54:53+00:00</updated><author><name>Simon Willison</name></author><entry><title>The Axios supply chain attack used individually targeted social engineering</title><link href="https://simonwillison.net/2026/Apr/3/supply-chain-social-engineering/#atom-tag" rel="alternate"/><published>2026-04-03T13:54:53+00:00</published><updated>2026-04-03T13:54:53+00:00</updated><id>https://simonwillison.net/2026/Apr/3/supply-chain-social-engineering/#atom-tag</id><summary type="html">
    &lt;p&gt;The Axios team have published a &lt;a href="https://github.com/axios/axios/issues/10636"&gt;full postmortem&lt;/a&gt; on the supply chain attack which resulted in a malware dependency going out &lt;a href="https://simonwillison.net/2026/Mar/31/supply-chain-attack-on-axios/"&gt;in a release the other day&lt;/a&gt;, and it involved a sophisticated social engineering campaign targeting one of their maintainers directly. Here's Jason Saayman's description of &lt;a href="https://github.com/axios/axios/issues/10636#issuecomment-4180237789"&gt;how that worked&lt;/a&gt;:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;so the attack vector mimics what google has documented here: &lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering"&gt;https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;they tailored this process specifically to me by doing the following:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;they reached out masquerading as the founder of a company; they had cloned the company's founder's likeness as well as the company itself.&lt;/li&gt;
&lt;li&gt;they then invited me to a real slack workspace. this workspace was branded to the company's CI and named in a plausible manner. the slack was thought out very well, they had channels where they were sharing LinkedIn posts, the LinkedIn posts i presume just went to the real company's account but it was super convincing etc. they even had what i presume were fake profiles of the team of the company but also a number of other OSS maintainers.&lt;/li&gt;
&lt;li&gt;they scheduled a meeting with me to connect. the meeting was on ms teams. the meeting had what seemed to be a group of people that were involved.&lt;/li&gt;
&lt;li&gt;the meeting said something on my system was out of date. i installed the missing item as i presumed it was something to do with teams, and this was the RAT.&lt;/li&gt;
&lt;li&gt;everything was extremely well co-ordinated, looked legit and was done in a professional manner.&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;
&lt;p&gt;A RAT is a Remote Access Trojan - here it was the software that stole the maintainer's credentials, which were then used to publish the malicious package.&lt;/p&gt;
&lt;p&gt;That's a &lt;em&gt;very effective&lt;/em&gt; scam. I join a lot of meetings where I find myself needing to install Webex or Microsoft Teams or similar at the last moment and the time constraint means I always click "yes" to things as quickly as possible to make sure I don't join late.&lt;/p&gt;
&lt;p&gt;Every maintainer of open source software used by enough people to be worth taking in this way needs to be familiar with this attack strategy.&lt;/p&gt;
    
        &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/open-source"&gt;open-source&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/packaging"&gt;packaging&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/security"&gt;security&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/social-engineering"&gt;social-engineering&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/supply-chain"&gt;supply-chain&lt;/a&gt;&lt;/p&gt;
    

</summary><category term="open-source"/><category term="packaging"/><category term="security"/><category term="social-engineering"/><category term="supply-chain"/></entry><entry><title>Apple just gave out my Apple ID password because someone asked</title><link href="https://simonwillison.net/2008/Jul/8/apple/#atom-tag" rel="alternate"/><published>2008-07-08T10:10:25+00:00</published><updated>2008-07-08T10:10:25+00:00</updated><id>https://simonwillison.net/2008/Jul/8/apple/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="http://blog.karppinen.fi/2008/07/apple-just-gave-out-my-apple-i.html"&gt;Apple just gave out my Apple ID password because someone asked&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
“am forget my password of mac,did you give me password on new email marko.[redacted] @yahoo.com”. Classy.


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/apple"&gt;apple&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/security"&gt;security&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/social-engineering"&gt;social-engineering&lt;/a&gt;&lt;/p&gt;



</summary><category term="apple"/><category term="security"/><category term="social-engineering"/></entry><entry><title>Social engineering and Orange</title><link href="https://simonwillison.net/2005/Nov/9/orange/#atom-tag" rel="alternate"/><published>2005-11-09T20:52:12+00:00</published><updated>2005-11-09T20:52:12+00:00</updated><id>https://simonwillison.net/2005/Nov/9/orange/#atom-tag</id><summary type="html">
    &lt;p id="p-0"&gt;I had a call on my mobile earlier today from a lady claiming to be from &lt;a href="http://www.orange.co.uk/"&gt;Orange&lt;/a&gt; (my phone service provider) who told me that my contract was about to expire. She asked me for my password.&lt;/p&gt;

&lt;p id="p-1"&gt;Alarm bells instantly went off in my head, so I told her (truthfully as it happens) that I didn't know my password. Then she asked for my postcode instead.&lt;/p&gt;

&lt;p id="p-2"&gt;At this point I was pretty sure this was a social engineering attack, so I started to quiz her about why she needed the information. She said it was for a "security check". I told her I was uncomfortable giving out information like this to a cold caller over the phone and she said it was nothing to worry about because it was all covered by "the data protection act".&lt;/p&gt;

&lt;p id="p-3"&gt;I said that I would rather conduct my business in an Orange shop, and she told me that she would have to put a mark on my record that I had failed a security check. I interpreted this as a threat, which convinced me that the call was an attempted con. I asked for her name and ended the call.&lt;/p&gt;

&lt;p id="p-4"&gt;I e-mailed Orange customer support via &lt;a href="http://www.orange.co.uk/contact/" title="Orange Customer Service"&gt;their website&lt;/a&gt; with details of the call and the number it came from (07973 100 194, which looked like a mobile number to me and had further fuelled my suspicions). I just received their reply - the call really was from them!&lt;/p&gt;

&lt;p id="p-5"&gt;Banks and other online services have learnt to repeatedly tell their customers that they will &lt;em&gt;never&lt;/em&gt; contact them and ask for their password. Orange are leaving themselves wide open to &lt;a href="http://en.wikipedia.org/wiki/Social_engineering_%28computer_security%29"&gt;social engineering&lt;/a&gt; attacks. This incredible lack of attention to basic security has given me serious second thoughts about trusting them with my business at all.&lt;/p&gt;
    
        &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/orange"&gt;orange&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/security"&gt;security&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/social-engineering"&gt;social-engineering&lt;/a&gt;&lt;/p&gt;
    

</summary><category term="orange"/><category term="security"/><category term="social-engineering"/></entry></feed>