Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Supply Chain June 23, 2026

North Korea Poisoned 141 npm Packages via Mastra AI in 45 Minutes

5 min read · Security News

Key Takeaways

  • • On June 17, 2026, North Korean group Sapphire Sleet compromised npm maintainer account "ehindero" and poisoned 141 @mastra packages in 45 minutes
  • • The attack injected "easy-day-js" — a typosquat of the legitimate dayjs library — as a dependency with a malicious postinstall hook
  • • The hook downloaded second stage malware targeting browser histories, 166 crypto wallet extensions, installed apps, and system data
  • • Mastra is a popular TypeScript framework for building AI agents, making its npm maintainer a high value account to compromise
  • • Sapphire Sleet ran an identical attack on the Axios HTTP client in April 2026 — this is a pattern, not a one-off incident
North Korean hacker compromising npm supply chain packages targeting AI developers

The Attack: 141 Packages Poisoned in 45 Minutes

On June 17, 2026, attackers compromised the npm account "ehindero" — a maintainer with publishing rights across the @mastra package scope — and used it to push malicious updates to 141 packages within a 45-minute window. Microsoft attributed the campaign to Sapphire Sleet, a North Korean state sponsored threat actor also known as BlueNoroff, on June 19.

The poisoned packages each included a new dependency: "easy-day-js," a typosquat designed to impersonate the widely used dayjs date library. Any developer who ran npm install on a @mastra package in that window would silently pull in the malicious dependency as part of their normal build process.

The 45-minute window was deliberate. The attackers published all 141 packages in rapid succession, exploiting the brief gap between publication and the npm security team's ability to detect and remove the malicious versions. By the time the attack was identified and the packages were pulled, the malicious code had already been distributed to any developer or CI/CD pipeline that ran an install during that window.

What the Postinstall Hook Did

The attack's technical payload was hidden inside a postinstall hook in the easy-day-js package. This is a legitimate npm feature that runs a script automatically after a package is installed — commonly used for compiling native modules or setting up configuration. Sapphire Sleet abused it to execute malware without any explicit user action beyond npm install.

The hook ran an obfuscated dropper script that performed four actions:

  1. Disabled TLS certificate verification on the machine — allowing the malware to connect to command and control servers without certificate errors flagging the connection.
  2. Connected to attacker controlled command and control infrastructure to retrieve a second stage payload.
  3. Executed the second stage payload as a hidden detached process, invisible in the terminal session that ran the install.
  4. Persisted across sessions, continuing to run and exfiltrate data after the terminal was closed.

The second stage payload was cross platform — it ran on Windows, Linux, and macOS — and targeted browser histories, installed applications, running processes, host system information, and 166 cryptocurrency wallet browser extensions including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink.

Why Mastra Was the Target

Mastra is a TypeScript framework for building AI agents and workflows. It has seen rapid adoption among developers building production AI applications, particularly teams working with large language model integrations. At the time of the attack, the @mastra scope on npm contained over 140 packages covering agent orchestration, memory management, tool calling, and model connectors.

The choice of target reflects Sapphire Sleet's strategy. By compromising a framework used by AI developers — who tend to work at financial institutions, crypto companies, and well-funded startups — the group gains access to machines likely to have cryptocurrency wallet extensions installed and browser sessions authenticated to high-value financial services.

Compromising a single npm maintainer account rather than the packages directly is also more efficient. One compromised credential unlocks publishing rights across the entire @mastra scope, multiplying the blast radius without requiring the attacker to compromise 141 separate accounts.

Sapphire Sleet: North Korea's Financial Theft Unit

Sapphire Sleet, tracked by Microsoft under that name and by other security vendors as BlueNoroff, is a North Korean state sponsored actor with a specific mandate: generate revenue for the North Korean government through cryptocurrency theft. The group is distinct from Lazarus Group and operates with a narrower focus on financial systems.

Known tactics include malicious browser extensions that harvest crypto wallet seeds, fake job offers designed to lure developers into running malicious code under the guise of a technical interview, and supply chain compromises. The Mastra attack is the group's second documented npm supply chain attack in 2026 — in April, Microsoft linked Sapphire Sleet to a nearly identical compromise of the Axios HTTP client library, which is one of the most downloaded npm packages with over 300 million weekly installs.

The pattern — identify a widely used package or framework, compromise a maintainer account, inject a postinstall hook, collect crypto wallet data — has now been used at least twice in rapid succession. It is a template, not an experiment.

Browser Histories and Email Sessions

Browser histories are among the data types the second stage malware targeted. This is not incidental — browser history on a developer's machine often contains authenticated session data for email accounts, internal dashboards, GitHub, cloud providers, and financial services. The history file itself reveals which services the developer uses and has recent sessions on.

Combined with browser cookies harvested from the same session, an attacker can reconstruct active Gmail, Outlook, or Slack sessions without knowing the developer's password. The effect is identical to the session cookie theft documented in last week's 24 billion credential dump — authenticated inbox access without triggering a login event.

This is also why reducing your email tracking surface matters even for technically sophisticated users. Senders who embed tracking pixels in email build a behavioral profile of your inbox that layers on top of whatever the attacker already knows from stolen browser histories and credentials.

What Developers Should Do

If you installed any @mastra package on or around June 17, 2026, treat the machine as potentially compromised and take these steps:

  • Audit your npm install logs — Check npm audit and review your package-lock.json for easy-day-js. If present, you were affected.
  • Revoke and rotate credentials — Change passwords and revoke API tokens for all services accessible from that machine: GitHub, AWS, GCP, npm, financial accounts, email.
  • Invalidate browser sessions — Sign out of all services and force session invalidation where the provider supports it. Gmail users can review active sessions at myaccount.google.com/security.
  • Move cryptocurrency assets — If you had any crypto wallet extension installed, move assets to a new wallet generated on a clean machine. Treat any seed phrase that touched the compromised machine as exposed.
  • Disable postinstall hooks in CI/CD — Set ignore-scripts=true in your .npmrc in production build environments. Postinstall hooks are rarely needed in CI and this eliminates the primary delivery mechanism for this class of attack.

The Broader Lesson

The Mastra attack and the April Axios attack share the same architecture: compromise a maintainer account, inject a dependency, exploit the postinstall lifecycle, target cryptocurrency wallets and browser sessions. The only variable is the package. As long as npm maintainers are protected only by password authentication with no mandatory MFA requirement, this attack is infinitely repeatable against any package with a vulnerable maintainer account.

Microsoft's recommendation is predictable but accurate: npm maintainers of popular packages should enable MFA immediately, rotate access tokens, and review authorized publishing workflows. The npm registry now supports hardware security keys. For the packages developers depend on daily, whether that is Axios, Mastra, or any other — knowing who controls the maintainer accounts and what authentication those accounts use has become part of the software supply chain due diligence that security teams need to track.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.