COSMICBYTEZLABS
Microsoft Links Mastra AI Supply Chain Attack to North Korean Hackers

Microsoft has attributed an 88-minute automated supply chain attack against 142 Mastra AI npm packages — with over 1.1 million combined weekly downloads —...

Dylan H.

News Desk

June 21, 2026
4 min read

On June 17, 2026, Microsoft published a detailed attribution report linking a sophisticated supply chain attack against the Mastra AI framework's npm ecosystem to Sapphire Sleet — a North Korean state-sponsored threat actor also tracked as BlueNoroff, UNC1069, and STARDUST CHOLLIMA. The group, active since at least March 2020, specializes in targeting the finance and cryptocurrency sectors for theft and intelligence collection.

The Attack: Hijacked Contributor, Armed Typosquat

The intrusion exploited a systemic weakness in npm's security model: stale maintainer credentials. A former contributor to the @mastra scope — account ehindero — still held publish permissions that were never revoked after the account went inactive. Sapphire Sleet gained control of this account and used it as the initial foothold.

The attack unfolded in two stages:

  1. June 16: A clean, legitimate-looking package easy-day-js@1.11.21 was published as a byte-for-byte imitation of the popular dayjs date library. This "clean" version established the package's presence and download history without triggering security tooling.

  2. June 17, 01:12–02:39 UTC: An 88-minute automated campaign published easy-day-js@1.11.22 — the weaponized version tagged as latest. Because 1.11.22 satisfies the ^1.11.21 semver range that a package.json manifest would carry, any npm install or npm update during this window silently resolved to the malicious version. The attacker then republished 142 packages across the entire @mastra npm scope — including the top-level mastra and create-mastra packages — each injected with easy-day-js as a dependency.

Payload: Information Stealer via postinstall Hook

The malicious easy-day-js@1.11.22 package used a postinstall npm lifecycle hook to execute an obfuscated dropper immediately upon package installation. The dropper:

  • Disabled TLS certificate verification before making outbound connections
  • Contacted attacker-controlled C2 infrastructure hosted via Hostwinds
  • Downloaded a second-stage cross-platform information stealer targeting Windows, Linux, and macOS
  • Executed the stealer as a detached, hidden background process and self-deleted to minimize forensic artifacts

The stealer harvested a broad set of high-value data: host enumeration, browser history and saved credentials, installed application lists, API keys, OAuth tokens, and cryptocurrency wallet data — consistent with Sapphire Sleet's financial theft mandate.

Scale and Impact

The compromised packages collectively represented over 1.1 million combined weekly downloads. The highest-impact single package — @mastra/core — had approximately 918,000 weekly downloads alone. Any developer workstation or CI/CD pipeline that executed npm install while the poisoned versions were live was potentially compromised, regardless of whether they directly imported the injected dependency.

The npm security team removed the malicious packages and revoked the attacker's publishing access following Microsoft's disclosure. The incident mirrors a prior Axios npm compromise in April 2026, also attributed to Sapphire Sleet, using the same Hostwinds infrastructure and clean-then-armed typosquatting technique.

Systemic Risk: Stale npm Credentials

The root enabler of this attack — inactive maintainer accounts retaining publish permissions indefinitely — is a known and unresolved weakness across the npm registry. Unlike SaaS platforms that expire inactive accounts or rotate credentials on inactivity, npm has no automated mechanism to revoke publish access when a contributor stops participating in a project.

Recommended Mitigations

  • Audit your npm lockfiles for any dependency on easy-day-js or @mastra/* packages installed between June 16–17, 2026
  • Rotate all credentials, API keys, and OAuth tokens on any system that ran npm install in the affected window
  • Enable npm provenance attestations for your own published packages and prefer packages with published provenance when adding dependencies
  • Scan CI/CD environments for indicators of the stealer payload; check for unexpected outbound connections to Hostwinds IP ranges
  • Implement a dependency review gate in CI that flags new or updated transitive dependencies for manual review before installation
  • Treat postinstall hooks as high-risk: consider using --ignore-scripts in locked CI environments and review scripts fields in all direct and transitive dependencies
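The lockfile audit and the postinstall concern above, in checkable form. This script is an added example, not code from the article or the Mastra project; it assumes the npm lockfileVersion 2/3 "packages" layout and the hasInstallScript flag npm writes there, and the sample lockfile it runs on is constructed (its versions are illustrative).

```javascript
// Added example, not code from the article or the Mastra project: audit an npm
// package-lock.json (lockfileVersion 2/3 "packages" map) for the indicators the
// article names (easy-day-js, the @mastra scope, install scripts). Assumes the
// v2/v3 lockfile shape; the sample lockfile below is constructed.
const SUSPECT_PACKAGE = "easy-day-js";
const SUSPECT_VERSION = "1.11.22";
const AFFECTED_SCOPE = "@mastra/";
const AFFECTED_TOPLEVEL = new Set(["mastra", "create-mastra"]);

// Caret-range check for major >= 1 (npm semantics: >= a.b.c and < (a+1).0.0).
// Shows why 1.11.22 was pulled in by a ^1.11.21 range during the attack window.
function satisfiesCaret(range, version) {
  const [rMaj, rMin, rPat] = range.replace(/^\^/, "").split(".").map(Number);
  const [vMaj, vMin, vPat] = version.split(".").map(Number);
  if (vMaj !== rMaj) return false;
  if (vMin !== rMin) return vMin > rMin;
  return vPat >= rPat;
}

// Walk every installed package (including nested node_modules) and collect findings.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const hit = (reason) => findings.push({ path, name, version: entry.version, reason });
    if (name === SUSPECT_PACKAGE) {
      hit(entry.version === SUSPECT_VERSION ? "weaponized version" : "typosquat of dayjs");
    } else if (name.startsWith(AFFECTED_SCOPE) || AFFECTED_TOPLEVEL.has(name)) {
      hit("package in affected scope");
    }
    // npm sets hasInstallScript when a package declares (pre|post)install scripts.
    if (entry.hasInstallScript) hit("declares install script");
  }
  return findings;
}

// Constructed sample lockfile: versions are illustrative, not real releases.
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 3, packages: {
    "": { name: "demo-app", dependencies: { "@mastra/core": "^0.0.1" } },
    "node_modules/@mastra/core": { version: "0.0.1", dependencies: { "easy-day-js": "^1.11.21" } },
    "node_modules/easy-day-js": { version: "1.11.22", hasInstallScript: true },
    "node_modules/dayjs": { version: "1.11.21" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.path}@${f.version}: ${f.reason}`);
}
```

Point auditLockfile at a parsed real package-lock.json to list every nested copy of the suspect package, every @mastra package, and every dependency that would run a script on install.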
Tags: Supply Chain, North Korea, Microsoft, npm, APT, Sapphire Sleet
