Microsoft has attributed a recent supply chain attack targeting the Mastra AI ecosystem to the North Korean threat group Sapphire Sleet, also known as BlueNoroff.
The campaign compromised more than 140 npm packages and deployed malware designed to steal developer credentials, authentication tokens, API keys, and cryptocurrency wallets.
The attribution follows Microsoft’s disclosure earlier this week that attackers had hijacked an npm maintainer account and used it to publish malicious updates across the Mastra package environment.
According to Microsoft, the attack began after threat actors compromised the npm account “ehindero,” which had publishing permissions for packages under the @mastra scope. The attackers then pushed malicious updates that introduced a dependency named “easy-day-js,” a typosquatted version of the legitimate dayjs JavaScript library.
When developers installed the compromised packages, the malicious dependency executed a post-installation script that deployed a malware dropper on Windows, macOS, and Linux systems. Microsoft said the script disabled TLS certificate verification, connected to attacker-controlled command-and-control infrastructure, downloaded a second-stage payload, and executed it as a hidden process.
The second-stage malware functioned as a cross-platform information stealer capable of collecting system details, browser histories, installed applications, and running processes. It also searched for 166 cryptocurrency wallet browser extensions, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink.
To maintain persistence, the malware used operating system-specific techniques, including Windows Registry Run keys, macOS LaunchAgents, and Linux systemd services.
Microsoft said it observed additional activity on systems that communicated with the attackers’ infrastructure, including the deployment of a PowerShell backdoor, new persistence mechanisms, Microsoft Defender exclusions, and a malicious Windows service that granted SYSTEM-level privileges.
The company noted that the PowerShell backdoor, attacker infrastructure, and operational tactics closely match those used in previous campaigns linked to Sapphire Sleet.
Sapphire Sleet is a North Korean state-sponsored threat group known for financially motivated cyber operations targeting cryptocurrency organizations. The group has previously been linked to software supply chain attacks, fake job recruitment schemes, malicious browser extensions, and large-scale credential theft campaigns.
Microsoft also attributed a separate supply chain attack targeting the Axios HTTP client in April 2026 to the same threat actor.
Microsoft Links Mastra npm Supply Chain Attack to North Korean Hackers