=== HEADLINE_SHORT ===
1 Dev, 100M Downloads, North Korea Won

=== SHORT_SCRIPT ===
North Korea built an entire fake company, complete with a branded Slack workspace and cloned executive profiles, just to deceive one developer into handing over his npm credentials. That developer maintained a package downloaded 100 MILLION times a week.

His name is Jason Saayman, and he is the SOLE maintainer of Axios, the JavaScript HTTP client that a huge portion of the web depends on. The attackers, tracked as UNC1069, held his account for 3 hours and published two malicious Axios versions. Both contained a hidden backdoor called WAVESHAPER.V2, designed to exfiltrate data from any machine that installed the package.

In those 3 hours, a GitHub Actions pipeline at OpenAI pulled in the poisoned version. That pipeline signed ChatGPT Desktop, Codex, Codex CLI, and Atlas. OpenAI is revoking the exposed certificate May 8. Update your Mac apps before that date or they stop running.

The attacker did not hack OpenAI. They hacked ONE developer with no security team, no hardware MFA requirement, and no backup. That is the real story. Stay sharp.