


Microsoft has attributed a recent Mastra AI supply chain attack that compromised more than 140 npm packages to the North Korean hacking group Sapphire Sleet, also known as BlueNoroff.
This attribution comes after Microsoft first disclosed earlier this week that attackers hijacked an npm maintainer account and used it to publish malicious package updates.
“Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector,” the company said in a June 19 update.
According to Microsoft, the attack began when threat actors compromised the npm maintainer account “ehindero,” which had publishing privileges across the Mastra package ecosystem.
Using the account, the attackers published malicious updates for more than 140 packages in the @mastra scope that injected a malicious dependency named “easy-day-js”. This dependency is a typosquat of the legitimate and widely used dayjs JavaScript library.
When the compromised packages were installed, the malicious dependency executed a post-install hook that deployed a malware dropper on developers’ devices, ultimately aimed at stealing sensitive credentials, API keys, authentication tokens, and cryptocurrency wallets.
“Once installed, easy-day-js triggered a postinstall hook that executed an obfuscated dropper script, disabled Transport Layer Security (TLS) certificate verification, contacted attacker-controlled command-and-control (C2) infrastructure, downloaded a second-stage payload, and executed the payload as a detached hidden process,” explains Microsoft.
The downloaded second-stage payload was a cross-platform information stealer designed to target Windows, Linux, and macOS systems.
The implant collected information about the host, browser histories, installed applications, and running processes, and checked whether 166 cryptocurrency wallet browser extensions were installed, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink.
The malware also used different persistence methods depending on the operating system, such as Windows Registry Run keys, macOS LaunchAgents, and Linux systemd services.

Microsoft says systems that communicated with the attackers’ command-and-control servers saw follow-on activity that used techniques previously associated with Sapphire Sleet.
This includes the deployment of a PowerShell backdoor previously used by the group, additional persistence mechanisms, Microsoft Defender exclusions, and a malicious Windows service that granted SYSTEM privileges.
“The PowerShell backdoor, tradecraft, and C2 infrastructure have been used by Sapphire Sleet in other, prior campaigns,” Microsoft explained.
Sapphire Sleet is a North Korean state-sponsored threat actor known for cryptocurrency theft campaigns, malicious browser extensions, fake job offers, and software supply chain compromises designed to steal credentials and cryptocurrency assets.
Microsoft says the group was also responsible for a separate npm supply chain attack on the Axios HTTP client in April 2026.

