Microsoft Links Mastra AI npm Supply Chain Attack To North Korean Hackers

Microsoft has attributed the Mastra AI npm supply chain attack to Sapphire Sleet, a North Korean state-backed hacking group also known as BlueNoroff. The attack compromised more than 140 packages in the Mastra ecosystem and exposed developer workstations and CI/CD systems to credential theft.

The campaign began with the takeover of the npm maintainer account ehindero, which had publishing rights across the Mastra package environment. According to Microsoft Threat Intelligence, the attacker used that access to publish poisoned package versions that added a malicious dependency called easy-day-js.

BleepingComputer reported that Microsoft later updated its findings to say it assesses with high confidence that Sapphire Sleet was behind the operation. The group has a long history of targeting cryptocurrency, financial services, developers, and software supply chains.

How The Mastra npm Attack Worked

Mastra is an open-source TypeScript framework used to build AI agents, workflows, RAG systems, and AI applications. The official Mastra website describes it as a JavaScript and TypeScript framework for building, testing, and deploying AI agents and applications.

The attackers did not need to rewrite Mastra’s source code. They added easy-day-js as a dependency in affected npm packages. That package was designed to look like dayjs, a legitimate JavaScript date library widely used by developers.

A public GitHub issue flagged [email protected] as compromised and noted that the malicious dependency ran an obfuscated postinstall script that downloaded and executed code from a remote command-and-control server.

Item	Details
Threat actor	Sapphire Sleet, also known as BlueNoroff
Target ecosystem	Mastra and @mastra packages on npm
Compromised account	ehindero
Malicious dependency	easy-day-js
Execution method	npm postinstall hook
Main risk	Credential theft, token theft, crypto wallet targeting, and persistence

The Malicious Package Ran During Installation

The attack was especially dangerous because the malware ran during installation. Developers did not have to import the package in application code for the payload to execute. Running npm install or npm update against a compromised package could trigger the malicious postinstall hook.

StepSecurity said the easy-day-js package first appeared as a clean bait version before a malicious version was published. The compromised Mastra packages used a version range that allowed npm to resolve to the malicious release during fresh installs.

Aikido reported that 141 Mastra packages were republished in a short burst on June 17, with easy-day-js injected into package.json files. The affected packages included core Mastra components used by developers building AI applications.

• The attacker compromised an npm maintainer account with publish access.
• Poisoned Mastra packages added easy-day-js as a dependency.
• The malicious package used a postinstall hook to run automatically.
• The first-stage script downloaded a second-stage payload.
• The payload targeted credentials, tokens, browser data, and crypto wallets.

What The Malware Tried To Steal

The second-stage payload was a cross-platform information stealer built to run on Windows, macOS, and Linux. Microsoft said it collected host details, browser history, running processes, installed applications, and other system information.

The implant also checked for 166 cryptocurrency wallet browser extensions, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink. That focus matches Sapphire Sleet’s known interest in cryptocurrency theft and financial targets.

Persistence methods varied by operating system. The malware could use Windows Registry Run keys, macOS LaunchAgents, and Linux systemd services to remain active after the initial install.

Targeted Area	Why It Matters
Developer machines	May contain cloud keys, npm tokens, GitHub tokens, and AI API keys
CI/CD systems	May expose deployment secrets and downstream build integrity
Browser data	May include sessions, histories, and saved credentials
Crypto wallets	May expose wallet extensions used by developers or traders
Cloud credentials	May give attackers access to infrastructure and production environments

Why Microsoft Blames Sapphire Sleet

Microsoft said systems that contacted attacker infrastructure later showed follow-on activity tied to Sapphire Sleet tradecraft. That included a PowerShell backdoor, added Microsoft Defender exclusions, additional persistence, and a malicious Windows service that granted SYSTEM-level access.

The Microsoft report also linked the infrastructure and post-compromise behavior to earlier Sapphire Sleet activity. Microsoft said the same actor was also responsible for a separate npm supply chain compromise affecting Axios earlier in 2026.

The timing also fits a wider pattern of attacks against developer ecosystems. North Korean groups have repeatedly targeted crypto companies, open-source maintainers, job applicants, browser extensions, and software packages to reach credentials and financial assets.

Why AI Developer Tools Are Attractive Targets

AI development frameworks often sit close to valuable credentials. A developer using Mastra may connect to model providers, vector databases, cloud platforms, observability services, Git repositories, and deployment tools.

That makes a compromised AI package especially useful to attackers. One poisoned dependency can reach developer laptops and build systems that hold API keys for OpenAI, Anthropic, Google, AWS, Azure, GitHub, npm, and other services.

The risk also spreads downstream. If a CI/CD system runs a compromised package during a build, attackers may steal secrets from the build environment or tamper with software before it reaches users.

How Developers Should Respond

Developers and security teams should treat systems that installed affected Mastra packages during the compromise window as potentially exposed. Updating packages alone may not remove stolen credentials or persistence added after the malware ran.

The Mastra GitHub report listed key indicators such as a manual publish by ehindero, missing npm provenance, the new easy-day-js dependency, and postinstall behavior in easy-day-js 1.11.22.

StepSecurity advised users who installed affected packages to treat the environment as compromised. That means rotating credentials, removing malicious packages, checking endpoint telemetry, and reviewing build systems for signs of follow-on access.

1. Remove compromised Mastra package versions and reinstall known clean releases.
2. Delete easy-day-js from dependency trees and lockfiles.
3. Rotate npm, GitHub, cloud, database, and AI provider API keys.
4. Check CI/CD logs for installs during the compromise window.
5. Review developer machines for unusual Node.js processes and persistence entries.
6. Search for outbound connections to known command-and-control infrastructure.
7. Rebuild affected environments from trusted images where possible.

Package Managers Need Stronger Controls

The Mastra incident shows how quickly attackers can turn one compromised maintainer account into a large software supply chain event. The damage came from trusted package updates, not from users downloading files from unofficial sources.

Aikido said the packages were republished in a rapid window, which suggests automation rather than manual one-by-one changes. That speed gives defenders little time to react once a publisher account is compromised.

BleepingComputer noted that the attackers used a typosquatted dependency instead of directly modifying package code. That approach can evade casual code review because the malicious logic sits in a newly added dependency that runs automatically during installation.

Control	Why It Helps
npm provenance and trusted publishing	Helps detect manual publishes outside the normal CI/CD process
Maintainer MFA	Reduces the chance of account takeover
Lockfile review	Highlights unexpected new dependencies
Postinstall restrictions	Limits automatic execution during dependency installation
Secret scanning	Finds exposed tokens after a compromised build or workstation event

Why This Attack Matters

The Mastra attack is another sign that software supply chain intrusions now focus heavily on developer infrastructure. Attackers want the systems that build, test, sign, and deploy software because those systems often hold the keys to many downstream environments.

For AI teams, the stakes are higher because modern agent and workflow frameworks often connect to sensitive model, cloud, data, and deployment services. A single malicious install can expose secrets across several platforms.

The main lesson is clear: developers should treat dependency installs as executable code, not harmless downloads. Package provenance, least-privilege tokens, locked dependencies, secret rotation, and endpoint monitoring need to become standard controls for teams building with npm and AI frameworks.

FAQ