Microsoft links Mastra AI supply chain attack to North Korean hackers
At a glance:
- Microsoft attributed a supply chain attack compromising 140+ npm packages in the @mastra scope to North Korean state actor Sapphire Sleet
- Attackers used typosquatted dependency "easy-day-js" to deploy cross-platform malware targeting 166 cryptocurrency wallet extensions
- The group previously compromised the Axios HTTP client package in April 2026 and is known for cryptocurrency theft campaigns
The compromised supply chain and initial infection
Microsoft disclosed that threat actors compromised the npm maintainer account "ehindero", which had publishing privileges across the Mastra package environment. Using this compromised account, the attackers published malicious updates for more than 140 packages in the @mastra scope. The malicious updates injected a dependency named "easy-day-js", a typosquat of the legitimate and widely used dayjs JavaScript library.
When developers installed the compromised packages, the malicious dependency executed a post-install hook that deployed a malware dropper on their devices. Microsoft assessed with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector.
Cross-platform malware targets crypto wallets
The second-stage payload fetched by the dropper was a cross-platform information stealer designed to target Windows, Linux, and macOS systems. The implant collected detailed information about the host system, including browser histories, installed applications, and running processes.
Critically, the malware checked whether 166 cryptocurrency wallet browser extensions were installed, specifically targeting popular wallets including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink. The malware employed different persistence methods depending on the operating system: Windows Registry Run keys, macOS LaunchAgents, and Linux systemd services.
Follow-on activity and advanced tactics
Microsoft reported that systems communicating with the attackers' command-and-control servers experienced follow-on activity using tactics previously associated with Sapphire Sleet. This included the deployment of a PowerShell backdoor that had been used in prior campaigns, additional persistence mechanisms, Microsoft Defender exclusions, and a malicious Windows service that granted SYSTEM privileges.
The attack chain was sophisticated: once the easy-day-js dependency triggered its post-install hook, it executed an obfuscated dropper script that disabled Transport Layer Security (TLS) certificate verification, contacted attacker-controlled infrastructure, downloaded the second-stage payload, and executed it as a detached hidden process.
Sapphire Sleet's broader campaign
Sapphire Sleet is a North Korean state-sponsored threat actor known for cryptocurrency theft campaigns, malicious browser extensions, fake job offers, and software supply chain compromises designed to steal credentials and cryptocurrency assets. Microsoft noted that the group was also responsible for a separate npm supply chain attack on the Axios HTTP client in April 2026.
The group's focus on supply chain attacks represents an evolution in its tactics, moving from direct financial fraud to more sophisticated infiltration methods that can provide long-term access and broader data collection capabilities.
Implications for supply chain security
This incident highlights a critical weakness in software supply chains: a single compromised maintainer account can affect thousands of downstream projects. The attack also demonstrates how a typosquatted dependency can bypass traditional security controls by arriving inside what looks like a legitimate package update.
Organizations must implement robust verification processes for package updates and maintain strict access controls for maintainer accounts. The cross-platform nature of the malware underscores the importance of endpoint detection and response solutions that can identify suspicious post-install behaviors across all operating systems.
What to watch next
Security teams should monitor for any unusual post-install script activity in JavaScript packages and implement dependency verification workflows. Given Sapphire Sleet's history with multiple supply chain compromises, similar attacks against other popular package repositories are likely.
Developers should audit their dependencies for the malicious easy-day-js package and any packages published by the compromised "ehindero" account. Organizations running cryptocurrency infrastructure should review their wallet extension inventories and monitor for unauthorized access attempts.
Prepared by the editorial stack from public data and external sources.