Microsoft has attributed a recent supply chain attack targeting the Mastra AI ecosystem to the North Korean hacking group tracked as Sapphire Sleet, also known as BlueNoroff.
Sapphire Sleet is a North Korean state-sponsored threat actor known for cryptocurrency theft, fake job scams, malicious browser extensions, and software supply chain attacks. Microsoft also linked the group to a separate npm supply chain attack targeting the Axios HTTP client in April 2026.
The Mastra AI supply-chain attack took place last week, when attackers compromised the npm account of a maintainer named ‘ehindero,’ who had publishing access to the Mastra packages. The attackers then released malicious updates to more than 140 packages in the @mastra scope.
The compromised packages pulled in a fake dependency called ‘easy-day-js,’ designed to mimic the popular JavaScript date library dayjs. When installed, the malicious package executed code that downloaded and launched malware on developers' systems.
According to Microsoft, the malware was capable of stealing credentials, API keys, authentication tokens, browser data, and cryptocurrency wallet information. It targeted Windows, Linux, and macOS devices and checked whether cryptocurrency wallet browser extensions were present, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink.
The malware also established persistence using operating system-specific techniques, such as Windows Registry Run keys, macOS LaunchAgents, and Linux systemd services.
Microsoft said systems that connected to the attackers' command-and-control infrastructure showed activity similar to previous Sapphire Sleet operations, including a known PowerShell backdoor and additional persistence tools.