Microsoft has attributed the recent Mastra AI supply chain attack, which compromised more than 140 npm packages, to the North Korean hacking group Sapphire Sleet, also known as BlueNoroff.
The attribution follows Microsoft's disclosure earlier this week that attackers had hijacked npm maintainer accounts and used them to publish malicious package updates.
“Microsoft assesses with high confidence that this activity is the work of Sapphire Sleet, a North Korean state-run group that primarily targets the financial sector,” the company said in a June 19 update.
According to Microsoft, the attack began when a threat actor compromised the npm maintainer account ‘ehindero’, which has publishing privileges across the Mastra package environment.
The attacker used this account to publish a malicious update of over 140 packages in the @mastra scope that injected a malicious dependency named “easy-day-js”. This dependency is a typosquat of the canonical and widely used dayjs JavaScript library.
Once a compromised package was installed, the malicious dependency executed a post-installation hook to deploy a malware dropper on the developer’s machine, ultimately aiming to steal sensitive credentials, API keys, authentication tokens, and cryptocurrency wallets.
“Once installed, easy-day-js triggered a post-installation hook that executed an obfuscated dropper script, disabled Transport Layer Security (TLS) certificate validation, connected to attacker-controlled command and control (C2) infrastructure, downloaded a second-stage payload, and executed the payload as an isolated, hidden process,” Microsoft said.
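As an added example (not code from the article, from Microsoft, or from the Mastra project), the script below shows how a defender could audit an npm project for the indicators described above: it scans a parsed package-lock.json for the typosquat dependency name, for packages that depend on it, and for packages that npm recorded as carrying install hooks, and it inspects a package.json for install-time scripts that disable TLS validation, spawn detached or hidden processes, or download content. The sample lockfile and manifest are constructed, the version strings are placeholders, and the indicator patterns are illustrative heuristics rather than a published indicator list.

```javascript
// Added example (not from the article): audit an npm project for the
// indicators described above. Sample data is constructed; versions are
// placeholders, and the indicator patterns are illustrative heuristics.

// Typosquat name taken from the article, mapped to the package it imitates.
const KNOWN_TYPOSQUATS = new Map([
  ['easy-day-js', 'dayjs'],
]);

// npm runs these lifecycle scripts automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Heuristic patterns (assumed, not a published IoC list) for behaviours the
// article attributes to the dropper: disabling TLS validation, running a
// hidden or detached process, and fetching a second stage over the network.
const INDICATORS = [
  ['tls-validation-disabled', /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*0|rejectUnauthorized\s*:\s*false/],
  ['detached-or-hidden-process', /\bdetached\s*:\s*true|\bwindowsHide\s*:\s*true/],
  ['remote-download', /\b(?:curl|wget)\b|https?:\/\//],
];

// Derive a package name from a lockfile v2/v3 path such as
// "node_modules/@mastra/core" or "node_modules/a/node_modules/b".
function nameFromPath(path) {
  return path.split('node_modules/').pop();
}

// Scan a parsed package-lock.json (lockfileVersion 2 or 3). Returns findings:
//  - typosquat:      a known typosquat package is installed
//  - dependent:      a package declares a dependency on a known typosquat
//  - install-script: npm recorded that the package has an install hook
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = meta.name || nameFromPath(path);
    if (KNOWN_TYPOSQUATS.has(name)) {
      findings.push({ kind: 'typosquat', name, path, mimics: KNOWN_TYPOSQUATS.get(name) });
    }
    for (const dep of Object.keys(meta.dependencies || {})) {
      if (KNOWN_TYPOSQUATS.has(dep)) {
        findings.push({ kind: 'dependent', name, path, dependsOn: dep });
      }
    }
    if (meta.hasInstallScript) {
      findings.push({ kind: 'install-script', name, path });
    }
  }
  return findings;
}

// Inspect a parsed package.json: report every install-time hook together with
// the heuristic indicators its command matches. An empty indicator list still
// merits review, because any install hook runs code on the developer's machine.
function auditInstallScripts(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((hook) => hook in scripts).map((hook) => ({
    hook,
    command: scripts[hook],
    indicators: INDICATORS.filter(([, re]) => re.test(scripts[hook])).map(([id]) => id),
  }));
}

// Constructed sample inputs (not real artifacts): a lockfile in which a scoped
// package pulls in the typosquat, and a manifest with a suspicious postinstall.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { '@mastra/core': '0.0.0-placeholder' } },
    'node_modules/@mastra/core': { version: '0.0.0-placeholder', dependencies: { 'easy-day-js': '*' } },
    'node_modules/easy-day-js': { version: '0.0.0-placeholder', hasInstallScript: true },
    'node_modules/dayjs': { version: '0.0.0-placeholder' },
  },
};

const SAMPLE_PKG = {
  name: 'easy-day-js',
  scripts: {
    postinstall: 'NODE_TLS_REJECT_UNAUTHORIZED=0 node setup.js',
    test: 'node test.js',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
  console.log(JSON.stringify(auditInstallScripts(SAMPLE_PKG), null, 2));
}
```

The `hasInstallScript` flag is what npm writes into lockfile v2 and v3 entries for packages that declare install lifecycle scripts, so a lockfile diff that newly sets it on a transitive dependency is a cheap signal to review before the next install. Running `npm install --ignore-scripts` in CI keeps hooks like the one described here from executing at all while the findings are triaged.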
Cross-platform malware targets crypto wallets
The downloaded second-stage payload was a cross-platform information stealer designed to target Windows, Linux, and macOS systems.
The implant collected information about the host, browser history, installed applications, and running processes, and checked whether 166 cryptocurrency wallet browser extensions were installed, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink.
The malware also used different persistence techniques depending on the operating system, including Windows registry Run keys, macOS LaunchAgents, and Linux systemd services.
Source: Microsoft
Microsoft said there was follow-on activity that leveraged techniques previously associated with Sapphire Sleet, with systems communicating with the attacker’s command and control servers.
This includes deploying a PowerShell backdoor previously used by the group, additional persistence mechanisms, Microsoft Defender exclusions, and malicious Windows services granted SYSTEM privileges.
“PowerShell backdoors, tradecraft, and C2 infrastructure have been used by Sapphire Sleet in other previous campaigns,” Microsoft explained.
Sapphire Sleet is a North Korean state-sponsored threat actor known for cryptocurrency theft campaigns, malicious browser extensions, fake job offers, and software supply chain compromises aimed at stealing credentials and cryptocurrency assets.
Microsoft said the group was also responsible for another npm supply chain attack against the Axios HTTP client in April 2026.