
North Korea’s Sapphire Sleet hacking group compromised 144 packages in the Mastra AI framework’s npm scope in a single 88-minute automated campaign. 

Developers who ran a standard install command during that window may have handed a foreign state actor their cloud credentials, LLM API keys, and cryptocurrency wallet data without any visible warning. Microsoft attributed the attack with “high confidence” to Sapphire Sleet, also tracked as BlueNoroff, a North Korean state actor that primarily targets the financial sector.

What Mastra Is and Why It Was Targeted

Mastra is an open-source TypeScript AI agent framework with over 1.1 million combined weekly downloads. Because Mastra sits at the intersection of AI development and cloud infrastructure, its packages are routinely installed in environments that hold some of the most sensitive credentials in modern software development, according to StepSecurity. That made it an exceptionally high-value target.

How the Attack Was Built

The operation did not rely on a software vulnerability, as no CVE entry was assigned and Mastra’s source code was never touched.

The attacker targeted an npm account belonging to “ehindero,” a former Mastra contributor whose publishing rights across the entire @mastra scope had never been revoked, even though the account had been dormant since February 2025. Mastra later confirmed the account belonged to a current employee whose machine was compromised through social engineering: a compromised LinkedIn account contacted the employee and other prominent TypeScript open-source maintainers, and the employee clicked a suspicious link while on a call.

The day before the main strike, a second attacker-controlled account, “sergey2016,” published easy-day-js@1.11.21, a byte-for-byte copy of the legitimate dayjs date library, with the same author name, homepage, repository URL, and version numbering. This clean version was published to build credibility before the trap was set.

The 88-Minute Strike

The attacker then published easy-day-js@1.11.22, visually identical to 1.11.21 but containing a malicious postinstall hook. Because the @mastra packages declared their easy-day-js dependency with a range that accepts any patch version 1.11.21 or higher, npm’s semantic versioning resolution automatically upgraded every fresh install to the armed 1.11.22. From that moment, running npm install was the attack. The @mastra packages themselves looked clean because they were; the malicious code arrived through the dependency.

Once easy-day-js was installed, its postinstall hook ran an obfuscated dropper that disabled TLS certificate verification, contacted the attackers’ command-and-control infrastructure, and downloaded a second-stage payload onto the victim’s system. That second stage was a cross-platform stealer for Windows, Linux, and macOS, targeting credentials, API keys, authentication tokens, browser history, and data from 166 cryptocurrency wallet browser extensions. After executing, the loader erased itself to minimize the forensic trail.

What Developers Should Do

Any workstation, CI runner, or build system that installed any @mastra package after June 16, 2026 should be treated as fully compromised. Remediation includes rolling back to pre-incident package versions and rotating all credentials, including npm tokens, cloud provider keys, LLM API keys, CI/CD secrets, and database credentials. For mastra, version 1.13.0 and earlier are unaffected. For @mastra/core, version 1.42.0 and earlier are unaffected.
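The two mechanisms above, a floating dependency range silently resolving to the newer armed release, and the version window that remediation has to check, can be made concrete with a small script. The following is an added example written for this article; it is not code from the article, from Mastra, or from npm. It models npm's "highest matching version" rule for a subset of semver ranges, then audits a package-lock v3 style fragment for versions inside the affected window and for packages that declare install-time scripts. The package names, the 1.11.21 to 1.11.22 sequence, and the last-unaffected versions are taken from the article; the lockfile contents (including the @mastra/core version used) are constructed for illustration.

```javascript
// Added example (not code from the article, Mastra, or npm): a minimal model of
// how npm picks the newest version matching a semver range, plus an audit of a
// constructed package-lock v3 fragment for the affected version window and
// install hooks. Only the package names, the 1.11.21 -> 1.11.22 sequence and
// the "last unaffected" versions come from the article; everything else is
// constructed for illustration.

// Parse "1.11.22" into [1, 11, 22]. Prerelease/build tags are deliberately
// unsupported (assumption: release versions only).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two versions: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does version v satisfy range r? Handles exact pins, ">=x.y.z", "^x.y.z"
// (same major, not below base; major-0 special cases omitted) and "~x.y.z"
// (same major.minor, not below base). A subset of real semver, by assumption.
function satisfies(v, r) {
  if (r.startsWith(">=")) return compareVersions(v, r.slice(2)) >= 0;
  if (r.startsWith("^") || r.startsWith("~")) {
    const base = r.slice(1);
    const [bMaj, bMin] = parseVersion(base);
    const [vMaj, vMin] = parseVersion(v);
    if (vMaj !== bMaj) return false;
    if (r.startsWith("~") && vMin !== bMin) return false;
    return compareVersions(v, base) >= 0;
  }
  return compareVersions(v, r) === 0; // exact pin, e.g. "1.11.21"
}

// npm's choice for a fresh install with no lockfile: the highest published
// version that satisfies the declared range, or null if nothing matches.
function resolve(range, published) {
  const matching = published.filter((v) => satisfies(v, range));
  if (matching.length === 0) return null;
  matching.sort(compareVersions);
  return matching[matching.length - 1];
}

// Registry state for easy-day-js once the armed release was up (per the article).
const EASY_DAY_JS_PUBLISHED = ["1.11.21", "1.11.22"];

// Last versions the article reports as unaffected.
const LAST_UNAFFECTED = { mastra: "1.13.0", "@mastra/core": "1.42.0" };
// First easy-day-js release carrying the postinstall hook (per the article).
const FIRST_ARMED_EASY_DAY_JS = "1.11.22";

// Audit a package-lock v3 style "packages" map (keys are node_modules paths;
// "hasInstallScript" is the real lockfile field marking install hooks).
// Returns one finding per {name, version, reason}.
function auditLock(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages)) {
    if (path === "") continue; // the root project entry
    const name = path.replace(/^.*node_modules\//, "");
    const v = info.version;
    if (name in LAST_UNAFFECTED && compareVersions(v, LAST_UNAFFECTED[name]) > 0) {
      findings.push({ name, version: v, reason: "version is inside the affected window" });
    }
    if (name === "easy-day-js" && compareVersions(v, FIRST_ARMED_EASY_DAY_JS) >= 0) {
      findings.push({ name, version: v, reason: "armed easy-day-js release" });
    }
    if (info.hasInstallScript) {
      findings.push({ name, version: v, reason: "declares an install-time script" });
    }
  }
  return findings;
}

// Constructed lockfile fragment: what a fresh install inside the window could
// have produced. The @mastra/core version here is invented for illustration.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/@mastra/core": { version: "1.42.1", dependencies: { "easy-day-js": "^1.11.21" } },
    "node_modules/easy-day-js": { version: "1.11.22", hasInstallScript: true },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("^1.11.21 resolves to", resolve("^1.11.21", EASY_DAY_JS_PUBLISHED));
  console.log("exact 1.11.21 resolves to", resolve("1.11.21", EASY_DAY_JS_PUBLISHED));
  console.log(auditLock(SAMPLE_LOCK));
}
```

Run with `node` and `^1.11.21`, `~1.11.21` and `>=1.11.21` all resolve to 1.11.22 while an exact pin stays on 1.11.21, which is exactly why a committed lockfile installed with `npm ci` (or `--ignore-scripts` on install) would have narrowed the blast radius. The audit flags the invented @mastra/core version as inside the window, easy-day-js as the armed release, and easy-day-js again for its install script; a clean package such as left-pad produces nothing.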

Microsoft also links Sapphire Sleet to a separate npm supply chain attack on the Axios HTTP client in April 2026, confirming this is a sustained campaign against widely used JavaScript developer tooling and not a one-off incident.


I’m Precious Amusat, Phronews’ Content Writer. I conduct in-depth research and write on the latest developments in the tech industry, including trends in big tech, startups, cybersecurity, artificial intelligence and their global impacts. When I’m off the clock, you’ll find me cheering on women’s footy, curled up with a romance novel, or binge-watching crime thrillers.
