North Korean Hackers Used AI Deepfakes to Compromise Axios NPM Package

This is the supply chain attack that the security community has been warning about, except now the social engineering layer runs on AI. The attackers did not find a zero-day. They did not brute-force credentials. They cloned a founder's face and voice, built a convincing Slack workspace, and got a human to trust them. Three hours was enough to hit 3% of cloud environments. That math is terrifying. For anyone vibe-coding a production app and running `npm install` without thinking twice: this is your wake-up call. The speed at which AI lets you build is the same speed at which AI lets attackers operate. Every dependency you pull in is a trust decision, and most of us are making hundreds of those decisions on autopilot. The real shift here is that social engineering now scales. A deepfake meeting with a single maintainer can compromise millions of downstream applications. The open-source trust model was built for a world where attacks required human effort per target. That world is gone.