Microsoft links Mastra AI supply chain attack to North Korean hackers


Microsoft has attributed a recent Mastra AI supply chain attack that compromised more than 140 npm packages to the North Korean hacking group Sapphire Sleet, also known as BlueNoroff.

This attribution comes after Microsoft first disclosed earlier this week that attackers hijacked an npm maintainer account and used it to publish malicious package updates.

"Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector," the company said in a June 19 update.


According to Microsoft, the attack began when threat actors compromised the npm maintainer account "ehindero," which had publishing privileges across the Mastra package environment.

Using the account, the attackers published malicious updates for more than 140 packages in the @mastra scope that injected a malicious dependency named "easy-day-js". This dependency is a typosquat of the legitimate and widely used dayjs JavaScript library.

When the compromised packages were installed, the malicious dependency executed a post-install hook that deployed a malware dropper on developers' devices, ultimately aimed at stealing sensitive credentials, API keys, authentication tokens, and cryptocurrency wallets.

"Once installed, easy-day-js triggered a postinstall hook that executed an obfuscated dropper script, disabled Transport Layer Security (TLS) certificate verification, contacted attacker-controlled command-and-control (C2) infrastructure, downloaded a second-stage payload, and executed the payload as a detached hidden process," explains Microsoft.
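As an added defender-side example (not Microsoft's code or the Mastra project's), the following audit checks a dependency's package.json, and the source of any local script its install hooks invoke, for the traits the article describes: install-time lifecycle hooks, disabled TLS verification, a detached child process, and a name that resembles a popular package. The popular-name list, the file names and the sample manifest are constructed assumptions.

```javascript
// Added example; not code from Microsoft's report or from the Mastra project.
// Audits a dependency's package.json (plus the source of any script its install
// hooks run) for the install-time behaviours described in the article.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
// Popular names to compare against; a real list would be far longer (assumption).
const POPULAR = ["dayjs", "axios", "lodash", "react", "express"];
const SUSPICIOUS = [
  [/NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0/, "TLS verification disabled via env var"],
  [/rejectUnauthorized\s*:\s*false/, "TLS verification disabled in request options"],
  [/detached\s*:\s*true/, "spawns a detached child process"],
  [/\.unref\(\)/, "detaches a child process from the installer"],
];

// Strip scope and separators so "easy-day-js" compares as "easydayjs".
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, "").replace(/[-_.]/g, "");
}

// Heuristic: flag names that embed, or are one edit away from, a popular name.
function looksLikeTyposquat(name) {
  const n = normalize(name);
  return POPULAR.some((p) => n !== p && (n.includes(p) || oneEditApart(n, p)));
}

function oneEditApart(a, b) {
  if (Math.abs(a.length - b.length) > 1) return false;
  let i = 0, j = 0, edits = 0;
  while (i < a.length && j < b.length) {
    if (a[i] === b[j]) { i++; j++; continue; }
    if (++edits > 1) return false;
    if (a.length > b.length) i++; else if (b.length > a.length) j++; else { i++; j++; }
  }
  return edits + (a.length - i) + (b.length - j) <= 1;
}

// pkg: parsed package.json; files: { filename: source } for scripts the hooks invoke.
function auditPackage(pkg, files = {}) {
  const findings = [];
  if (looksLikeTyposquat(pkg.name)) findings.push(`name "${pkg.name}" resembles a popular package`);
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (!cmd) continue;
    findings.push(`runs code at install time: ${hook} = "${cmd}"`);
    // Scan the hook command itself and any local script file it references.
    const sources = [cmd, ...Object.entries(files).filter(([f]) => cmd.includes(f)).map(([, s]) => s)];
    for (const [re, why] of SUSPICIOUS) if (sources.some((s) => re.test(s))) findings.push(why);
  }
  return findings;
}

// Constructed sample resembling the described pattern; not the real package contents.
const samplePkg = { name: "easy-day-js", version: "1.0.0", scripts: { postinstall: "node setup.js" } };
const sampleFiles = { "setup.js": 'process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";\nrequire("child_process").spawn("node", ["s2.js"], { detached: true, stdio: "ignore" }).unref();' };
console.log(auditPackage(samplePkg, sampleFiles));
```

Running this over every package.json under node_modules after a fresh install (or, better, as a pre-merge check on lockfile diffs) surfaces dependencies that deserve manual review before they are trusted; a hit is a prompt for inspection, not proof of compromise.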

Cross-platform malware targets crypto wallets

The downloaded second-stage payload was a cross-platform information stealer designed to target Windows, Linux, and macOS systems.

The implant collected information about the host, browser histories, installed applications, and running processes, and checked whether 166 cryptocurrency wallet browser extensions were installed, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink.

The malware also used different persistence methods depending on the operating system, such as Windows Registry Run keys, macOS LaunchAgents, and Linux systemd services.

Mastra npm supply chain compromise (Source: Microsoft)

Microsoft says systems that communicated with the attackers' command-and-control servers had follow-on activity that utilized tactics previously associated with Sapphire Sleet.

This includes the deployment of a PowerShell backdoor previously used by the group, additional persistence mechanisms, Microsoft Defender exclusions, and a malicious Windows service that granted SYSTEM privileges.

"The PowerShell backdoor, tradecraft, and C2 infrastructure have been used by Sapphire Sleet in other, prior campaigns," Microsoft explained.

Sapphire Sleet is a North Korean state-sponsored threat actor known for cryptocurrency theft campaigns, malicious browser extensions, fake job offers, and software supply chain compromises designed to steal credentials and cryptocurrency assets.

Microsoft says the group was also responsible for a separate npm supply chain attack on the Axios HTTP client in April 2026.
