Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign
2026-04-03 • Socket •
https://socket.dev/blog/attackers-hunting-high-impact-nodejs-maintainers
High-impact Node.js and npm maintainers reported being targeted by the same social engineering campaign that led to the Axios npm compromise, indicating a coordinated effort against trusted open-source maintainers rather than a one-off incident. The playbook used credible business outreach, Slack or LinkedIn contact, fake meeting infrastructure, spoofed Microsoft Teams or streaming platforms, and prompts to install software or run terminal commands. Security researcher Tay connected the activity to DPRK-nexus UNC1069, noting that the fake meeting flow can install a RAT capable of persistence, system profiling, credential and token theft, browser session access, and command-and-control check-ins. The campaign matters because a single compromised maintainer machine can bypass 2FA and publishing hygiene, enabling malicious npm releases that propagate quickly through automated dependency resolution.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | teams.onlivemeet.com | 2026-04-03 | 2026-04-03 |
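As an added defensive example (not code from the Socket post), the snippet below matches DNS query logs against the IoC domain listed in the table above, flagging exact hits and subdomains. The log line format and sample entries are constructed for the demo.

```javascript
// Added example, not from the Socket post: match DNS query logs against the
// post's listed IoC domain. Log format and sample lines are constructed.
const IOC_DOMAINS = ['teams.onlivemeet.com']; // from the article's IoC table

// Normalize a DNS name: lowercase and strip a trailing dot.
function normalizeName(name) {
  return name.trim().toLowerCase().replace(/\.$/, '');
}

// True if `name` equals the IoC domain or is a subdomain of it.
// A lookalike such as "notteams.onlivemeet.com" does not match.
function matchesIoc(name, ioc) {
  const n = normalizeName(name);
  const i = normalizeName(ioc);
  return n === i || n.endsWith('.' + i);
}

// Parse one constructed log line: "<ISO timestamp> <client-ip> <qname> <qtype>".
function parseDnsLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 3) return null;
  const [ts, client, qname] = parts;
  return { ts, client, qname };
}

// Return one hit per log line whose query name matches any IoC domain.
function findIocHits(lines, iocs = IOC_DOMAINS) {
  const hits = [];
  for (const line of lines) {
    const rec = parseDnsLine(line);
    if (!rec) continue; // skip malformed lines rather than aborting the scan
    const ioc = iocs.find((d) => matchesIoc(rec.qname, d));
    if (ioc) hits.push({ ...rec, ioc });
  }
  return hits;
}

// Constructed sample log; only the second and third lines should match.
const SAMPLE_LOG = [
  '2026-04-03T09:12:01Z 10.0.0.5 teams.microsoft.com. A',
  '2026-04-03T09:13:44Z 10.0.0.5 teams.onlivemeet.com. A',
  '2026-04-03T09:13:45Z 10.0.0.5 cdn.teams.onlivemeet.com A',
  '2026-04-03T09:14:02Z 10.0.0.7 registry.npmjs.org A',
  'malformed',
];

console.log(findIocHits(SAMPLE_LOG));
```

A hit on a maintainer workstation is a trigger to pull that host from publishing duties and rotate npm tokens and browser sessions, since the RAT described above targets exactly those.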