On June 17, 2026, Microsoft attributed with "high confidence" the supply-chain attack that compromised more than 140 npm packages from the @mastra organization to the North Korean threat group Sapphire Sleet, also known as BlueNoroff and UNC1069. The campaign used a compromised legitimate maintainer account to inject a typosquatted dependency that executed at install time, exposing an AI-developer ecosystem to an attack pattern already used against Axios two months earlier. The significance lies in the combination of the threat actor's operational maturity and the structural fragility of the targeted framework: Mastra generated SLSA attestations in CI/CD but did not require them, allowing a standard npm token to publish packages without provenance.
- Microsoft attributes the attack to the North Korean group Sapphire Sleet with "high confidence" — an actor that primarily targets the financial sector and was already responsible for the Axios npm supply-chain compromise in April 2026.
- The technical vector was the compromise of the npm account "ehindero," a legitimate maintainer with scope-wide publish rights on the @mastra organization, via social engineering on LinkedIn.
- The compromised @mastra packages — 145 according to The Hacker News, more than 140 according to Microsoft and StepSecurity — reached 1.1 million combined weekly downloads, with @mastra/core alone at 918,000 weekly downloads.
- The malicious dependency "easy-day-js," a typosquat of the legitimate "dayjs" library (57 million weekly downloads), followed a "clean bait then weaponized" pattern: clean in version 1.11.21 on June 16, weaponized in 1.11.22 at 01:01 UTC on June 17.
The Operational Sequence: 88 Minutes of Automated Publishing
The attack unfolded in two distinct phases, documented by Microsoft with chronological precision. In phase one, on June 16, 2026, Sapphire Sleet published easy-day-js@1.11.21: a package functionally identical to dayjs, devoid of malicious code. This "clean bait" passed static analysis checks and built artificial trust based on version history. In phase two, at 01:01 UTC on June 17, version 1.11.22 was released with the payload injection.
Starting at 01:12 UTC, the @mastra packages were published in rapid succession: an 88-minute window, according to The Hacker News, with the malicious dependency added under a SemVer range that resolved to the weaponized version at install time. The @mastra packages themselves remained essentially clean; the threat resided in the transitive dependency, evading trust logic based on the primary maintainer's reputation.
The postinstall hook executed setup.cjs, a 4,572-byte obfuscated dropper. The code disabled TLS verification, contacted the command-and-control server 23.254.164[.]92 on port 8000, downloaded a second-stage payload, and executed it as a hidden detached process. StepSecurity documented blocking this communication in CI/CD environments, confirming the C2 address and the structure of the flow.
Cross-Platform Payload and Crypto Targeting
The second stage is a cross-platform information stealer for Windows, Linux, and macOS. According to Microsoft, the malware checks for the presence of 166 browser extensions for cryptocurrency wallets. The Hacker News reports "over 160" extensions checked. On systems with established C2 communication, Sapphire Sleet deployed additional components: a PowerShell backdoor, additional persistence mechanisms, Microsoft Defender exclusions, and a malicious service to gain SYSTEM access.
Microsoft explicitly links this C2 infrastructure and tradecraft to previous campaigns by the same group. The attribution statement is direct: "The PowerShell backdoor, tradecraft, and C2 infrastructure have been used by Sapphire Sleet in other, prior campaigns." The group conducted the Axios npm supply-chain compromise in April 2026 with identical TTPs, consolidating a recurring operational pattern against JavaScript ecosystems.
The Provenance Gap: When Attestation Is Opt-In
The Mastra framework, positioned at the intersection of AI development and cloud infrastructure, handles sensitive credentials: LLM keys, cloud access tokens, runtime secrets. StepSecurity highlighted that "its packages are routinely installed in environments that hold some of the most sensitive credentials in modern software development." Yet, as documented by SafeDep via The Hacker News, "Mastra generated provenance on CI publishes but did not require it, so a standard npm token could still publish without attestations."
This "provenance gap" allowed the compromised account to publish 140-145 packages without the npm ecosystem automatically verifying the build origin. The manual publishing mechanism — anomalous compared to Mastra's usual GitHub Actions OIDC CI/CD pipeline — did not trigger preventive blocks. Kirill Boychenko of Socket, quoted by The Hacker News, summarizes: "The strongest attribution signal in this incident is the operational pattern: a legitimate maintainer was compromised, publish rights were abused, the Mastra packages themselves were left essentially clean, and the threat actor inserted a malicious transitive dependency that executed at install time."
"Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector" — Microsoft Security Blog, June 19, 2026
Immediate Actions
Priority actions derive from the documented facts and the measures Mastra itself implemented post-incident.
Verify historical exposure. Environments that installed @mastra packages between 01:12 and 02:39 UTC on June 17, 2026 must be considered potentially compromised. Verification requires checking lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) for the presence of easy-day-js in the weaponized version range.
Inspect browser wallet extensions. The malware targets 166+ crypto extensions. If corporate or development systems hosted browser wallets, verification of addresses and balances is a priority. Microsoft does not quantify the exact volume exfiltrated, but the extension-enumeration capability is documented.
Block the documented C2 infrastructure. The addresses 23.254.164[.]92 and 23.254.164[.]123, with their respective ports 8000 and 443, must be added to network blocklists. StepSecurity has already demonstrated the effectiveness of blocking in CI/CD pipelines.
Make provenance a mandatory requirement. Mastra has since implemented mandatory SLSA provenance. For organizations with critical npm ecosystems, the lesson is structural: build attestations must not be opt-in but mandatory, with automatic rejection of publications lacking verifiable provenance.
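The lockfile check recommended under "Verify historical exposure" above, as an added example that is not code from the article, from Mastra or from StepSecurity. It scans the text of a package-lock.json, yarn.lock or pnpm-lock.yaml for an easy-day-js entry resolved to the weaponized 1.11.22 release; the sample lockfiles and the @mastra/core version in them are constructed placeholders.

```javascript
// Added example (not code from the article, Mastra or StepSecurity): flag lockfiles
// that pin the weaponized easy-day-js release described above.
const SUSPECT_PKG = 'easy-day-js';
const WEAPONIZED = new Set(['1.11.22']); // 1.11.21 was the clean "bait" release

// package-lock.json v2/v3 lists every install path under "packages" (v1 lacks that
// map; regenerate it with npm 7+ before scanning). Returns [{ entry, version }].
function scanPackageLock(text) {
  const lock = JSON.parse(text);
  if (!lock.packages) throw new Error('lockfileVersion 1: no "packages" map to scan');
  return Object.entries(lock.packages)
    .filter(([p, meta]) => p.endsWith('node_modules/' + SUSPECT_PKG) && WEAPONIZED.has(meta.version))
    .map(([p, meta]) => ({ entry: p, version: meta.version }));
}

// yarn.lock (classic and berry) and pnpm-lock.yaml are line-oriented: yarn puts the
// resolved version on an indented "version" line under the entry header, pnpm keys
// each package by its resolved version ("easy-day-js@1.11.22:").
function scanYarnOrPnpm(text) {
  const lines = text.split('\n');
  const header = new RegExp('^\\s*"?/?' + SUSPECT_PKG + '@');
  const hits = [];
  for (let i = 0; i < lines.length; i++) {
    if (!header.test(lines[i])) continue;
    const indent = lines[i].match(/^\s*/)[0].length;
    let version;
    for (let j = i + 1; j < lines.length && !version; j++) {
      if (!lines[j].trim() || lines[j].match(/^\s*/)[0].length <= indent) break;
      const m = lines[j].match(/^\s+version:?\s+"?(\d+\.\d+\.\d+)"?/);
      if (m) version = m[1];
    }
    if (!version) version = (lines[i].match(/@(\d+\.\d+\.\d+)/) || [])[1];
    if (WEAPONIZED.has(version)) hits.push({ entry: lines[i].trim(), version });
  }
  return hits;
}
function scanLockfile(filename, text) {
  return filename.endsWith('package-lock.json') ? scanPackageLock(text) : scanYarnOrPnpm(text);
}
// Constructed sample lockfiles (not real Mastra lockfiles); the pnpm one pins the clean 1.11.21.
const SAMPLES = {
  'package-lock.json': JSON.stringify({ lockfileVersion: 3, packages: {
    'node_modules/@mastra/core': { version: '0.0.0-placeholder', dependencies: { 'easy-day-js': '^1.11.21' } },
    'node_modules/easy-day-js': { version: '1.11.22' } } }),
  'yarn.lock': 'easy-day-js@^1.11.21:\n  version "1.11.22"\n  resolved "https://registry.example/x.tgz"\n',
  'pnpm-lock.yaml': 'packages:\n\n  easy-day-js@1.11.21:\n    resolution: {integrity: sha512-placeholder}\n',
};
const scanSamples = () => Object.fromEntries(Object.entries(SAMPLES).map(([n, t]) => [n, scanLockfile(n, t)]));
console.log(JSON.stringify(scanSamples(), null, 2));
```

Feed scanLockfile the file name and contents of each lockfile in the repositories and CI caches that ran installs during the attack window; a hit is only the starting point, since a host that already executed the postinstall hook needs the host-level review described above.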
Sapphire Sleet's Trajectory: From Finance to AI Developers
The attribution to Sapphire Sleet — not the generic Lazarus Group or APT38, but a distinct operational cluster specializing in financial targeting — signals a precise direction. North Korean state actors are industrializing the npm supply chain as a primary vector, shifting targets from traditional financial institutions to software infrastructure with native access to digital capital and cloud credentials.
The Mastra case is not an anomaly but an iteration. The Axios attack of April 2026, the VS Code Marketplace campaign documented by other vendors, and now Mastra form a coherent series. The difference is the maturity of the mechanism: maintainer compromise, clean primary packages, transitive injection, the clean-then-armed pattern. Every element is optimized to evade existing controls.
The structural limit exposed by the incident is not a zero-day vulnerability in npm or Node.js, but an architectural choice: provenance as an available feature but not enforced as a default. "Opt-in" security in critical open-source ecosystems leaves operational space that state actors exploit with surgical precision.
FAQ
Did the @mastra packages contain direct malicious code?
No. The Mastra packages were essentially clean. The threat resided in the transitive dependency easy-day-js, injected automatically, which resolved to the weaponized version at install time.
Is updating to the packages removed by Mastra sufficient to be safe?
The removal of compromised packages and revocation of the token by Mastra interrupt the current distribution chain, but do not mitigate compromises that already occurred on systems that executed installation during the attack window.
What is the precise link between Sapphire Sleet and Lazarus Group?
Microsoft identifies the actor as Sapphire Sleet, with aliases BlueNoroff and UNC1069. The dossier does not show an infrastructural overlap directly linking it to the Lazarus Group or APT38 cluster at this time: it is a distinct operational entity with its own tradecraft and C2 infrastructure.
Information has been verified against cited sources and is current as of publication.
Sources
- https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/
- https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html
- https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html
- https://thehackernews.com/2026/06/north-korean-hackers-are-turning.html
- https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/
- https://news.risky.biz/risky-bulletin-canadas-spy-agency-allowed-to-remove-a-botnet-from-canadian-devices/
- https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/
- https://www.microsoft.com/en-us/security/blog/2026/02/24/c2-developer-targeting-campaign/
- https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js
- https://yeethsecurity.com/blog/2026-06-09-jupyter-powerdev-backdoor
- https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm/
- https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/