Microsoft has attributed a large-scale supply chain attack that hijacked more than 140 npm packages of the AI agent framework "Mastra" to the North Korean state-sponsored group Sapphire Sleet (also known as BlueNoroff), with high confidence .
June 17, 2026 · Microsoft Threat Intelligence
North Korean hackers poisoned 140+ Mastra AI packages on npm
A hijacked maintainer account injected crypto-stealing infostealer malware into the popular AI agent framework — attributed with high confidence to state-sponsored actor Sapphire Sleet (BlueNoroff) , slipping into developer machines and CI/CD pipelines.
140+
Mastra packages compromised
1.1M+
Weekly ecosystem downloads at risk
166
Crypto wallet extensions targeted
88 min
To publish all 140+ packages
How the attack unfolded
1 · HIJACK
Maintainer account "ehindero" taken over
→
2 · TYPOSQUAT
Fake dep easy-day-js mimics dayjs; weaponized 1.11.22 resolves
→
3 · EXECUTE
postinstall hook runs obfuscated dropper on install
→
4 · STEAL
Cross-platform infostealer hunts crypto wallets , persists
No human in the loop: 140+ packages, 88 minutes
A 60-minute reference block beside the actual attack window shows just how compressed the operation was.
The weaponized version went live and all 140+ Mastra packages were pushed in roughly an hour and a half — automated, fast, and hard to catch in time.
Why researchers are alarmed
Instant infection via postinstall — no code import needed
Persistence disguised as legit NVM tooling
Same actor behind the April 2026 Axios compromise
A pattern of state-sponsored hits on AI/agentic toolchains
Recommended response
Delete node_modules and reinstall clean
Rotate credentials in affected environments
Pin versions of all dependencies
Verify dependencies via SBOM scanning
Continue reading The rest of this article is for AI News Blitz readers. Choose an option below to keep reading.
Already purchased? Sign in ✓ Signed in — this article isn’t included in your current plan.Unlocking the full article…