By Kiran Bhujle, Enterprise Risk Management Part-Time Lecturer; Global Managing Director, SVAM International Inc.
Jason Saayman thought it was a software update.
The lead maintainer of Axios, an open-source JavaScript library running in tens of thousands of enterprise applications worldwide, had spent the past two weeks corresponding with what appeared to be a legitimate company about a potential collaboration. The interaction concluded in a routine Microsoft Teams call and a prompt to install a missing component on his system. The kind of small request a developer fields a dozen times a week.
But the entire two-week interaction had been fictional. The company was fake. Its founder’s identity had been cloned. The Slack workspace, team profiles, and LinkedIn posts were all fabricated. The file Saayman installed was malware, a remote access trojan that harvested his credentials.
Within hours, two versions of Axios had been replaced on the npm software registry with malicious versions designed to steal credentials from any developer who installed them. The breach affected no servers and exploited no system vulnerabilities. It exploited one person’s reasonable trust in professional interaction. That increasingly reflects the modern threat model.
“Everything was extremely well coordinated, looked legit, and was done in a professional manner,” said Jason Saayman, in a postmortem published on GitHub on April 2, 2026, two days after the breach.
AI Has Eliminated the Warning Signs
For nearly a decade, security awareness training anchored employee vigilance to content signals: a misspelled word, an odd sender domain, an email that felt slightly off. That foundation is eroding. According to a May 2025 Axios report—less than a year before it would fall victim to a security incident—scammers are now training AI tools with real institutional emails from banks, retailers, and service providers, producing messages that are grammatically flawless and tonally indistinguishable from the organizations they impersonate.
The problem extends well beyond written communication. In May 2025, the FBI issued a formal warning that malicious actors were using AI-generated voice messages to impersonate senior U.S. government officials, targeting current and former officials and their contacts to establish false rapport and gain access to personal accounts. CrowdStrike’s 2025 Global Threat Report documented a 442 percent increase in AI voice cloning attacks between the first and second half of 2024. A convincing voice clone now requires as little as three seconds of source audio. For any executive with a recorded earnings call, a conference panel, or a webinar on file, that raw material is already publicly accessible.
The Axios attacker used none of these tools overtly. They used something more fundamental: meticulous preparation. AI simply made that preparation faster, cheaper, and more convincing than any human-only effort could achieve. The signs that employees were trained to recognize were never there.
The Scale Is Already Board-Level
The World Economic Forum’s Global Cybersecurity Outlook 2026 found that 73 percent of organizations were directly affected by cyber-enabled fraud in 2025. The FBI’s 2024 Internet Crime Report placed U.S.-reported losses alone at $16.6 billion—up 33 percent in a single year. Deloitte projects AI-enabled fraud losses will reach $40 billion globally by 2027.
These are mainstream operational risk events touching nearly three in four organizations, and the reported figures almost certainly understate the true scale. Many organizations are already experiencing AI-enabled attacks without knowing it, or they are not yet comfortable disclosing them. The slow public recognition of North Korean IT worker fraud offers a useful comparison: Fortune 500 companies were privately managing the threat of North Korean IT worker fraud for years before it became widely recognized as a category of cyber-enabled fraud.
Consider what it means that in March 2026, ahead of the UN Global Fraud Summit in Austria, Google, Microsoft, Meta, Amazon, LinkedIn, OpenAI, and several other major companies co-signed the Industry Accord Against Online Scams and Fraud.
Karen Courington, Google's VP of consumer trust experiences, captured the moment plainly: “We can't solve this alone.” When the world's largest technology companies publicly acknowledge a threat that exceeds their individual capacity, every organization’s risk teams should take notice.
What This Means for Enterprise Risk Management (ERM)
The Axios incident exposed a blind spot in many companies’ risk planning: software maintained by outside developers can become a pathway for social engineering attacks. Every organization whose development pipeline used the compromised Axios software library during that three-hour window inherited exposure through no fault of its own. The attacked party was not the downstream organization (a company using Axios in its software)—it was a human maintainer the organization had never met, whose credentials gave him control over a software component trusted by millions of systems around the world. Saayman does not appear on a vendor security questionnaire. His Slack workspace is not covered in a SOC 2 report, which is a third-party security compliance audit.
This points to a broader principle that I often return to in the ERM classroom: the blast radius of social engineering has expanded dramatically because of AI. It no longer ends with your employees. It now extends through your vendors, your vendors’ vendors, and the open-source ecosystem embedded in your software. Traditional third-party risk frameworks assume your critical dependencies have names, contracts, and audit rights. Open-source maintainers have none of those, and yet a single compromised one can expose millions of downstream organizations simultaneously.
The right response is architectural, not just educational. Training still matters, but the goal must shift from teaching employees to detect malicious content to building the habit of verification. The question an employee should be asking is not whether a message looks legitimate. It is about whether the requested action follows an established, authenticated workflow, regardless of who appears to be asking. High-stakes actions such as wire transfers, access changes, and software deployments should require a second, independent verification channel determined before any request ever arrives.
The most dangerous risks are those that quietly invalidate the assumptions your existing controls were built on. The Axios attacker did not break through the defense. The attacker simply sidestepped a defense that was never designed for the method of his attack. You cannot patch your way out of a problem that was never a technical one to begin with.
About the Program
The Master of Science in Enterprise Risk Management (ERM) program at Columbia University prepares graduates to inform better risk-reward decisions by providing a complete, robust, and integrated picture of both upside and downside volatility across an entire enterprise. For both the full-time and part-time options, students may take all their courses on Columbia’s New York City campus or choose the synchronous online class experience.
Learn more about the program here.
