
Microsoft attributes Mastra AI supply chain attack to North Korean hackers Sapphire Sleet

"Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector," the company said in a June 19 update.

Microsoft's attribution and prior activity

In its June 19 update, Microsoft attributed a recent supply chain compromise of the Mastra AI npm environment to Sapphire Sleet, also known by the alias BlueNoroff. The company described Sapphire Sleet as a North Korean state-sponsored threat actor that "primarily targets the financial sector." Microsoft also linked the group to a separate npm supply chain attack on the Axios HTTP client in April 2026, presenting the Mastra incident as part of a pattern of operations that abuse open-source distribution channels.

How the Mastra npm packages were compromised

According to Microsoft, the attack began when threat actors compromised the npm maintainer account "ehindero," an account that had publishing privileges across the Mastra package environment. Using that account, the attackers published malicious updates for more than 140 packages in the @mastra scope.

Those updates injected a malicious dependency named "easy-day-js," a deliberate typosquat of the legitimate and widely used dayjs JavaScript library. When developers installed any of the compromised packages, the injected dependency triggered a chain of actions on developer machines.

The easy-day-js dropper and postinstall behavior

Microsoft says the easy-day-js dependency executed a postinstall hook that deployed an obfuscated malware dropper on developer devices. That dropper performed several actions in sequence: it disabled Transport Layer Security (TLS) certificate verification, contacted attacker-controlled command-and-control (C2) infrastructure, downloaded a second-stage payload, and executed that payload as a detached hidden process.

Microsoft's description places the dropper's behavior squarely at the package installation step, where a postinstall hook can run arbitrary scripts on a developer's system — an execution point the attackers abused to move from supply chain to host compromise.
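The two mechanisms described above, a typosquatted dependency injected into many packages and an install-time lifecycle hook, are both visible in package manifests before anything runs. The following is an added example, not code from Microsoft's report or the Mastra project: it audits a set of package.json objects for preinstall/install/postinstall scripts and for dependency names that resemble well-known packages. The manifests, the popular-package list and the "0.0.0-example" versions are constructed for illustration.

```javascript
// Added defender-side example (not from the Mastra project or Microsoft's report).
// Flags (1) lifecycle hooks that execute at install time and (2) dependency names
// that look like near-duplicates of well-known packages, e.g. "easy-day-js" vs "dayjs".
const POPULAR = ["dayjs", "axios", "lodash", "express"]; // assumed allow-list, extend as needed
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Normalise a name so "easy-day-js" and "dayjs" compare on the same letters:
// drop any scope prefix, lower-case, and remove separators.
function stem(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, "").replace(/[-_.]/g, "");
}

// Heuristic: a dependency whose normalised name contains a popular package's
// normalised name but is not that package. Expect some benign hits (e.g. plugins
// named after their host library); the output is a review list, not a verdict.
function looksLikeTyposquat(dep) {
  const s = stem(dep);
  return POPULAR.find((p) => s !== p && s.includes(p)) || null;
}

// Audit one manifest object and return a list of findings.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ type: "install-script", hook, command: scripts[hook] });
  }
  const deps = { ...(manifest.dependencies || {}), ...(manifest.optionalDependencies || {}) };
  for (const dep of Object.keys(deps)) {
    const resembles = looksLikeTyposquat(dep);
    if (resembles) findings.push({ type: "suspicious-name", dep, resembles });
  }
  return findings;
}

// Audit many manifests (e.g. every node_modules/*/package.json) and keep only those with findings.
function auditAll(manifests) {
  return manifests
    .map((m) => ({ name: m.name, findings: auditManifest(m) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample manifests shaped after the reported chain; versions and commands are made up.
const SAMPLE_MANIFESTS = [
  { name: "@mastra/core", version: "0.0.0-example", dependencies: { "easy-day-js": "^1.0.0", zod: "^3.0.0" } },
  { name: "easy-day-js", version: "0.0.0-example", scripts: { postinstall: "node ./setup.js" } },
  { name: "dayjs", version: "0.0.0-example" },
];

console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS), null, 2));
```

Running the same audit against a real `node_modules` tree means reading each `package.json` from disk; pairing it with `npm config set ignore-scripts true` in CI stops lifecycle hooks from executing at all until the review list has been cleared.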

The cross-platform information stealer and follow-on tradecraft

The downloaded second-stage payload, Microsoft reports, was a cross-platform information stealer that targeted Windows, Linux, and macOS systems. The implant collected host information, browser histories, installed applications, and running processes. Critically for the financial and cryptocurrency focus Microsoft attributes to Sapphire Sleet, the malware checked for 166 cryptocurrency wallet browser extensions, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink.

Persistence varied by operating system: the malware used Windows Registry Run keys on Windows, LaunchAgents on macOS, and systemd services on Linux. Systems that communicated with the attackers' C2 servers showed follow-on activity Microsoft associates with Sapphire Sleet: deployment of a PowerShell backdoor the company says the group has previously used, additional persistence mechanisms, Microsoft Defender exclusions, and a malicious Windows service that granted SYSTEM privileges.

What this means for technologists, enterprises, and developers

  • Technologists and security teams should note the specific tradecraft Microsoft tied to post-compromise activity: a PowerShell backdoor, persistence mechanisms across OS families, Microsoft Defender exclusions, and a malicious Windows service granting SYSTEM privileges — these are the patterns Microsoft says matched Sapphire Sleet's prior campaigns.
  • Enterprises and procurement leaders face a concrete example of supply chain risk: an npm maintainer account with broad publishing privileges ("ehindero") was abused to push malicious updates into more than 140 @mastra packages, illustrating how a single account compromise can cascade through dependent codebases.
  • Developers and end users are the immediate targets of the initial vector. The attackers used a typosquatted dependency, "easy-day-js," to trigger a postinstall hook that dropped a stealer aimed at credentials, API keys, authentication tokens, and cryptocurrency wallets — the very artifacts developers and crypto users rely on.

Microsoft's update ties the Mastra compromise to a familiar playbook: hijacked maintainer accounts, typosquatted dependencies, postinstall execution, and follow-on activity that mirrors prior campaigns attributed to Sapphire Sleet. The company's June 19 attribution, together with its note of an April 2026 npm compromise linked to the same actor, frames this incident as more than an isolated code-quality lapse; it is an operational campaign targeting credential and crypto-asset theft through open-source distribution channels.

Will maintainers with publishing privileges such as "ehindero" and the wider npm ecosystem change account hygiene, review publish permissions, and harden postinstall execution controls to reduce the chance that a single account compromise can infect hundreds of packages? Microsoft's attribution makes clear which techniques defenders should be watching; the question is whether those signals will prompt concrete changes across the projects and supply chains that rely on npm.

Source: BleepingComputer — Microsoft links Mastra AI supply chain attack to North Korean hackers