
Microsoft links Mastra AI supply chain attack to North Korean hackers

Why This Matters

The attribution of the Mastra AI supply chain attack to North Korean hackers highlights the increasing sophistication and geopolitical motivations behind cyber threats targeting the tech industry. This incident underscores the importance for developers and organizations to strengthen supply chain security and monitor for malicious package updates to protect sensitive data and digital assets.

Key Takeaways

Microsoft has attributed a recent Mastra AI supply chain attack that compromised more than 140 npm packages to the North Korean hacking group Sapphire Sleet, also known as BlueNoroff.

This attribution comes after Microsoft first disclosed earlier this week that attackers hijacked an npm maintainer account and used it to publish malicious package updates.

"Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector," the company said in a June 19 update.

According to Microsoft, the attack began when threat actors compromised the npm maintainer account "ehindero," which had publishing privileges across the Mastra package environment.

Using the account, the attackers published malicious updates for more than 140 packages in the @mastra scope that injected a malicious dependency named "easy-day-js". This dependency is a typosquat of the legitimate and widely used dayjs JavaScript library.

When the compromised packages were installed, the malicious dependency executed a post-install hook that deployed a malware dropper on developers' devices, ultimately aimed at stealing sensitive credentials, API keys, authentication tokens, and cryptocurrency wallets.

"Once installed, easy-day-js triggered a postinstall hook that executed an obfuscated dropper script, disabled Transport Layer Security (TLS) certificate verification, contacted attacker-controlled command-and-control (C2) infrastructure, downloaded a second-stage payload, and executed the payload as a detached hidden process," explains Microsoft.
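As an added example, not code from Microsoft, Mastra or the original article, the following Node.js script audits a parsed npm lockfile for the two traits just described: a dependency whose name imitates a popular library, and packages that declare lifecycle install hooks. The watchlist of imitated names and the sample lockfile fragment are constructed here for illustration, not taken from the incident.

```javascript
// Added example, not Microsoft's or Mastra's code: audit a parsed package-lock.json
// (lockfile v2/v3: "packages" map with "hasInstallScript") for the traits described
// above. WATCHLIST and SAMPLE_LOCK below are constructed for illustration.
const WATCHLIST = ["dayjs", "lodash", "axios", "express", "react"];
// "easy-day-js" -> "easydayjs": separators must not be able to hide a lookalike.
function normalize(name) {
  return name.split("/").pop().toLowerCase().replace(/[^a-z0-9]/g, "");
}
// Levenshtein distance, to catch one- or two-character typos such as "lodsh".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}
// The watchlist entry a name imitates, or null for a genuine or unrelated package.
// Heuristic (expect some false positives): embeds the real name or is <=2 edits away.
function lookalikeOf(name) {
  const n = normalize(name);
  if (WATCHLIST.includes(n)) return null;
  for (const real of WATCHLIST)
    if (n.includes(real) || editDistance(n, real) <= 2) return real;
  return null;
}
// Walk the "packages" map; keys look like "node_modules/<name>", nested ones too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + 13);
    const fake = lookalikeOf(name);
    if (fake) findings.push({ name, reason: `lookalike of ${fake}` });
    if (meta.hasInstallScript) findings.push({ name, reason: "has install script" });
    for (const dep of Object.keys(meta.dependencies || {})) {
      const target = lookalikeOf(dep);
      if (target) findings.push({ name, reason: `depends on ${dep} (lookalike of ${target})` });
    }
  }
  return findings;
}
// Constructed lockfile fragment mirroring the reported pattern.
const SAMPLE_LOCK = { packages: {
  "": { name: "app", dependencies: { "@mastra/core": "^0.1.0" } },
  "node_modules/@mastra/core": { version: "0.1.0", dependencies: { "easy-day-js": "^1.0.0" } },
  "node_modules/easy-day-js": { version: "1.0.0", hasInstallScript: true },
  "node_modules/dayjs": { version: "1.11.0" },
} };
```

Feed `auditLockfile` the parsed contents of a real package-lock.json; each finding is a package to inspect before the next install, not a verdict.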

Cross-platform malware targets crypto wallets

The downloaded second-stage payload was a cross-platform information stealer designed to target Windows, Linux, and macOS systems.

The implant collected information about the host, browser histories, installed applications, and running processes, and checked whether 166 cryptocurrency wallet browser extensions were installed, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink.
