{"slug": "north-korean-hackers-poison-mastra-ai-in-npm-attack", "title": "North Korean Hackers Poison Mastra AI in npm Attack", "summary": "North Korean threat actor Sapphire Sleet compromised the Mastra AI open-source framework on June 17, 2026, by hijacking a maintainer's npm credentials and poisoning 141 packages within 88 minutes. The attack exploited the disconnect between CI/CD provenance and registry permissions, using a malicious dependency with a postinstall hook to deploy a second-stage payload. This incident highlights critical supply-chain risks in the JavaScript ecosystem, where stale maintainer access and automatic dependency resolution can be weaponized against AI development tools.", "body_md": "# North Korean Hackers Poison Mastra AI in npm Attack\n\nThe compromise of the Mastra AI framework exposes critical gaps between CI/CD provenance and registry-level publish permissions.\n\n[Emeka Okafor](https://www.devclubhouse.com/u/emeka_okafor)\n\nAI frameworks have quickly become the crown jewels of modern developer environments. Because they orchestrate LLM integrations, they routinely handle highly sensitive API keys, cloud credentials, and database connection strings. This concentration of secrets has made them prime targets for sophisticated state-sponsored actors.\n\nOn June 17, 2026, Sapphire Sleet (also known as BlueNoroff), a North Korean threat actor targeting the financial and cryptocurrency sectors, executed a swift supply-chain attack against [Mastra AI](https://mastra.ai), a popular open-source JavaScript and TypeScript framework for building AI applications. By hijacking a single maintainer account, the attackers poisoned over 140 packages in the `@mastra` scope on [npm](https://www.npmjs.com) within an 88-minute window.\n\nThis attack is not just another credential-theft story. 
It is a masterclass in exploiting the structural seams of the modern JavaScript ecosystem: the disconnect between source-code provenance and registry publishing, the persistence of stale maintainer access, and the dangerous default behavior of package installation hooks.\n\n## The Anatomy of the 88-Minute Blitz\n\nThe compromise began not with a zero-day exploit in Mastra's code, but with classic social engineering. A threat actor posing as a contact on LinkedIn targeted \"ehindero,\" an active Mastra employee and maintainer. During a call, the maintainer clicked a suspicious link, leading to a workstation compromise and the theft of their npm credentials.\n\nThe \"ehindero\" account possessed publishing rights across the entire `@mastra` scope. Although the account had been dormant for 16 months prior to the attack, npm's lack of credential expiration meant this access remained a live, unmonitored backdoor.\n\nWith access secured, Sapphire Sleet staged the attack using a clever \"clean-then-armed\" dependency injection technique:\n\n- **The Decoy**: On June 16, 2026, an anonymous account named \"sergey2016\" published `easy-day-js@1.11.21`. This was a clean, fully functional clone of the legitimate, highly popular `dayjs` date library.\n- **The Weaponization**: On June 17, 2026, at 1:01 AM UTC, the attacker published version `1.11.22` of `easy-day-js`. This version contained a malicious postinstall hook.\n- **The Mass Poisoning**: Starting at 1:15 AM UTC, the compromised \"ehindero\" account mass-published updated versions of 141 packages across the `@mastra` scope. None of these packages contained malicious code directly. 
Instead, the attacker modified their `package.json` files to include `easy-day-js@^1.11.21` as a new dependency.\n\nBecause Mastra packages used caret-range dependency resolution (`^1.11.21`), any developer or CI/CD pipeline running `npm install` or `npm update` was automatically served the weaponized `1.11.22` version.\n\n## Inside the Postinstall Payload\n\nThe payload execution relied on npm's default execution of lifecycle scripts. When a poisoned Mastra package was installed, the transitive dependency `easy-day-js` triggered a postinstall hook running `node setup.cjs --no-warnings`.\n\nThe execution chain proceeded in two distinct stages:\n\n- **First-Stage Dropper**: The `setup.cjs` script was a 4,572-byte obfuscated file. To evade network-level security controls, the script disabled Transport Layer Security (TLS) certificate verification. It then dropped local tracking markers (`~/.pkg_history` and `~/.pkg_logs`), contacted an attacker-controlled command-and-control (C2) server at `23.254.164[.]92:8000`, and downloaded a second-stage payload named `protocal.cjs`. The dropper then executed this payload as a detached, window-hidden Node.js process and deleted itself to minimize forensic footprints.\n- **Second-Stage Implant**: The downloaded implant was a highly sophisticated, cross-platform information stealer designed to target Windows, macOS, and Linux. It performed extensive host reconnaissance—collecting hostnames, system architectures, running processes, and installed applications. 
Crucially, it targeted developer assets:\n  - **Browser History**: It extracted history and credentials from Chrome, Edge, and Brave by directly querying local SQLite databases via `node:sqlite`.\n  - **Cryptocurrency Wallets**: It specifically scanned for the presence of 166 cryptocurrency wallet browser extensions, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink.\n  - **Persistence**: To survive reboots, the malware established platform-specific persistence mechanisms:\n    - **Windows**: A registry Run key named `NvmProtocal` that launched a hidden PowerShell process.\n    - **macOS**: A LaunchAgent plist named `com.nvm.protocal.plist`.\n    - **Linux**: A systemd user service named `nvmconf.service`.\n\nAll exfiltrated data was sent to a secondary C2 server at `23.254.164[.]123:443` using a spoofed User-Agent (`Mozilla/4.0 compatible; MSIE 8.0`) over a custom ICAP-style protocol.\n\n## The Developer Angle: Fixing the Provenance and Token Gap\n\nFor developers, this incident exposes a glaring security gap in how we publish and consume open-source packages.\n\nMastra's maintainers had implemented modern security best practices: they shipped official releases from CI/CD pipelines using npm's trusted publisher flow, which generated Sigstore-signed SLSA (Software Artifacts for Source Aligned) provenance attestations.\n\nHowever, npm does not *enforce* provenance by default. While Mastra's legitimate releases carried attestations, the registry still accepted the attacker's publications because they were signed with a standard personal access token. The attacker simply bypassed the CI/CD pipeline entirely, published the poisoned packages directly from the hijacked account, and dropped the provenance attestations. 
Because npm's client does not reject un-attested packages by default, downstream developers were none the wiser.\n\nTo defend against this class of attack, developers must implement a multi-layered defense-in-depth strategy.\n\n### 1. Enforce Signature and Provenance Verification\n\nDo not rely on the registry to block un-attested updates. You can configure your package manager or CI/CD pipelines to require valid signatures and provenance attestations. For example, you can use tools like `npm audit signatures` or integrate policy engines that reject any package in a known scope (like `@mastra`) that lacks a valid SLSA attestation linking it back to the official GitHub repository.\n\n### 2. Neutralize Postinstall Hooks\n\nThe entire execution chain of this attack relied on the postinstall hook of a transitive dependency. If your application does not strictly require install-time scripts, disable them globally or per-project.\n\nYou can disable scripts globally via your shell:\n\n```\nnpm config set ignore-scripts true\n```\n\nAlternatively, add this to your project's local `.npmrc` file to ensure all team members and CI runners inherit the setting:\n\n```\nignore-scripts=true\n```\n\nIf certain dependencies require scripts to build native bindings, use selective tools like `allow-scripts` to whitelist only trusted packages.\n\n### 3. Audit and Remediate\n\nIf you ran `npm install` or `npm update` on a project containing Mastra dependencies on June 17, 2026, your environment must be treated as compromised.\n\n- **Search for Indicators of Compromise (IoCs)**: Check for the presence of the tracking files `~/.pkg_history` and `~/.pkg_logs` on your system.\n- **Check Persistence Artifacts**:\n  - On macOS, inspect `/Users/<username>/Library/LaunchAgents/com.nvm.protocal.plist`.\n  - On Linux, check for `~/.config/systemd/user/nvmconf.service`.\n
  - On Windows, inspect the registry path `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` for the `NvmProtocal` key.\n- **Rotate Credentials**: Because the second-stage implant targets browser-stored credentials and environment variables, immediately rotate all API keys, SSH keys, cloud credentials, and access tokens used on the affected machine.\n\n## The Limits of Static Scanning\n\nThe Mastra supply chain attack demonstrates that static, CVE-based vulnerability scanners are no longer sufficient. Because the malicious code was introduced via a newly published, typosquatted transitive dependency (`easy-day-js`), there was no pre-existing CVE for scanners to flag. The attack was a zero-CVE event that succeeded by exploiting trust.\n\nTo counter state-sponsored actors like Sapphire Sleet, who previously targeted the Axios HTTP client in April 2026 using similar tactics, the industry must transition toward behavioral monitoring at install time. Sandboxing package installations, enforcing strict provenance verification, and treating postinstall hooks as active exploit surfaces are no longer optional security postures—they are the baseline requirements for developing in the modern AI era.\n\n## Sources & further reading\n\n- [Microsoft links Mastra AI supply chain attack to North Korean hackers](https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/) — bleepingcomputer.com\n- [From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet | Microsoft Security Blog](https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/) — microsoft.com\n- [Mastra npm Supply Chain Attack Backdoors 144 Packages | AI Weekly](https://aiweekly.co/alerts/mastra-npm-supply-chain-attack-backdoors-144-packages) — aiweekly.co\n- [145 Mastra npm Packages Compromised via Hijacked Contributor 
Account](https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html) — thehackernews.com\n- [npm and Mastra AI: Hackers Compromise 140+ Mastra npm Packages to Steal Credentials](https://blog.rankiteo.com/masnpm1781699577-npm-mastra-ai-cyber-attack-june-2026/) — blog.rankiteo.com\n\n[Emeka Okafor](https://www.devclubhouse.com/u/emeka_okafor) · Security Editor\n\nEmeka has spent over a decade tracking threat actors, vulnerability disclosures, and the evolving landscape of application security, bringing a sharp continent-spanning perspective to his reporting. He's known for translating dense CVE advisories into clear, actionable context that developers and security teams alike actually read.", "url": "https://wpnews.pro/news/north-korean-hackers-poison-mastra-ai-in-npm-attack", "canonical_source": "https://www.devclubhouse.com/a/north-korean-hackers-poison-mastra-ai-in-npm-attack", "published_at": "2026-06-20 15:03:31+00:00", "updated_at": "2026-06-20 15:09:42.242131+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools", "ai-infrastructure", "developer-tools"], "entities": ["Sapphire Sleet", "BlueNoroff", "Mastra AI", "npm", "easy-day-js", "ehindero", "sergey2016"], "alternates": {"html": "https://wpnews.pro/news/north-korean-hackers-poison-mastra-ai-in-npm-attack", "markdown": "https://wpnews.pro/news/north-korean-hackers-poison-mastra-ai-in-npm-attack.md", "text": "https://wpnews.pro/news/north-korean-hackers-poison-mastra-ai-in-npm-attack.txt", "jsonld": "https://wpnews.pro/news/north-korean-hackers-poison-mastra-ai-in-npm-attack.jsonld"}}