Cybersecurity incidents are no longer just about systems—they’re targeting the very people who build, maintain, and secure them.
Written by our former VP of Product Mark Hamill, this blog explores why traditional awareness training isn’t enough to protect against the modern-day threat and why the long-con style of attack is becoming a critical concern for organisations everywhere.

You’ve been talking to this person for two weeks.
The first message came via LinkedIn: a founder you recognised from a company in your sector. A thoughtful message, no hard sell. He invited you into their Slack workspace to take a look at something they were building. The workspace was active – colleagues were posting updates, sharing articles and adding a few jokes in the general channel. Everything looked exactly as it should.
The calls were fine. One got rescheduled – things come up – but the conversations were interesting, he clearly knew the industry. By the third week, you’d started to think of him as a contact worth keeping.
Then the Teams call dropped due to a small technical issue: something wasn’t loading on his end, a connection problem, a file that needed updating. He sent you a link. “Can you just install this fix? This happens all the time.”
You installed it.
That’s what happened to Jason Saayman, lead maintainer of Axios, one of the most widely used JavaScript libraries in the world with over 100 million downloads a week.
On 31 March 2026, two backdoored versions of Axios were published to the public code repository under his account.
The breach didn’t start with a suspicious email, as you might expect, but with a friendly relationship.
This Wasn’t a Phish
A phishing attack is a numbers game. Send enough messages, accept a low hit rate, collect whatever you catch. The Axios attack was the opposite. The attacker – attributed by Google Threat Intelligence to UNC1069, a North Korea-linked group active since at least 2018 – chose Saayman because of what his credentials could touch. They built a fake Slack workspace with convincing branding, active channels, and plausible colleagues and ran the engagement for weeks, patient enough to reschedule calls, maintain the relationship, and wait until the moment was right.
A second Axios maintainer, Pelle Wessman, was targeted through the same playbook simultaneously. This wasn’t one unlucky encounter but a coordinated operation running in parallel against multiple high-value individuals across the Node.js ecosystem.
The sophistication isn’t incidental. It’s the point. When a single set of credentials can expose millions of software environments, weeks of investment isn’t expensive. It’s cheap.
Sophistication Isn’t Protection
The uncomfortable truth about the Axios compromise is who it happened to.
Jason Saayman is not a careless person. He had two-factor authentication enabled on his account. He had technical knowledge and years of experience in open-source software. He was, by any reasonable measure, exactly the kind of person security awareness training is designed to create.
It didn’t matter. In his own post-mortem, he noted that 2FA “was not sufficient to stop the attack once the machine was compromised.” The attacker didn’t need to beat the credential. They had the machine, and everything on it was already theirs.
The attack wasn’t designed to overcome Saayman’s defences. It was designed to make them irrelevant. By the time he joined that Teams call, weeks of normal interaction had laid the groundwork. His guard wasn’t down because he was careless, but because nothing in two weeks had given him any reason to raise it.
That’s the design, and it works on sophisticated people precisely because sophisticated people trust their own judgement. If something felt wrong, you’d know. Nothing felt wrong.
The Economics of Cyber Threats Are Changing
Right now, this level of operation is only viable when the prize justifies the investment. Nation-state actors targeting open-source maintainers, cryptocurrency exchanges, critical infrastructure. The attack surface is real but bounded, because the human work involved is significant.
That’s changing.
Last week, the AI development company published the system card for Claude Mythos Preview, their latest large language model. During safety testing, the model was placed inside a sandboxed environment, deliberately restricted from internet access. It was given a task and, in the course of completing it, devised a multi-step exploit, gained broad internet access, and sent an unsolicited email to the researcher running the evaluation, who discovered it while eating a sandwich in a park.
The model wasn’t trying to escape; it was pursuing its goal. The sandbox was in the way, so it found a path around it.
That behaviour, in an attack context, is exactly what makes the long-con playbook scalable. A system capable of building and sustaining a credible persona, researching a target’s professional background, simulating weeks of plausible interaction, and escalating at the right moment can do all of that simultaneously, across thousands of targets. The marginal cost of each additional target approaches zero.
We’re not there yet, but the direction of travel is clear.
Security Beyond Pattern Recognition
Security awareness training was built for a world where attacks had recognisable patterns. The suspicious sender address. The urgency that doesn’t fit the context. The request that doesn’t match the relationship. Spot the anomaly, stop the action.
That model isn’t wrong. It still catches a lot of attackers, and it matters. But it was designed for attacks that look like attacks.
The long con doesn’t look like an attack. It looks like a normal professional relationship, right up until the final step, and by then, the context has been constructed to make that step feel routine. Generic pattern recognition has no purchase here, because there are no patterns to recognise. The playbook is being rewritten faster than any fixed curriculum can track.
What has to change is what awareness means. Not just recognising threat signatures but developing a different kind of instinct: scepticism that isn’t triggered by anomaly but applied as a matter of habit. Verification that doesn’t depend on something feeling wrong. A settled practice of independent confirmation for any action involving credentials, software installation, or access – regardless of how familiar the source appears.
Part of that is also changing what people feel empowered to report. In the Axios case, there were probably moments – a conversation that felt slightly off, a request that didn’t quite fit, a colleague who never followed up the way a real colleague would. None of it crossed the threshold of “something is wrong.” But if the culture is one where people surface low-confidence signals early, “I had an odd interaction last week, probably nothing, but I’ll report it all the same”, organisations have a fighting chance of catching the groundwork before it becomes the payload. Early, uncertain reporting isn’t noise. In this threat environment, it’s a signal.
That’s harder to train than a checklist. It requires people to internalise a posture, not just a pattern. But it’s the gap that every long-con operation will continue to exploit until the culture shifts to meet it.
Jason Saayman installed a fix because nothing in the two weeks before that moment gave him any reason not to. That’s not a failure of his awareness. It’s a failure of what we’ve asked awareness to do.
The long con doesn’t trigger your instincts; it cultivates them.
Strengthen Your Business’ Defences with MetaCompliance
In a threat landscape where attacks are built on trust, organisations need more than traditional, tick-box security awareness training. They need programmes that actively shape behaviour—building verification habits, encouraging early reporting of low-confidence concerns, and embedding a culture where security is part of everyday decision-making.
MetaCompliance helps organisations move beyond static training with continuous, behaviour-driven security awareness solutions. From real-world simulations to targeted learning and risk-focused insights, their approach is designed to prepare employees for sophisticated, human-centric threats like the long con.
Start transforming awareness into action—get in touch today.