North Korea's Sapphire Sleet Backdoors 144 Mastra AI npm Packages Through One Forgotten Account

Microsoft has tied a single 88-minute spree that poisoned 144 packages in the Mastra AI framework to North Korea's Sapphire Sleet, after a dormant contributor account that nobody revoked handed attackers the keys to the entire scope.

Published June 21, 2026

Eighty-Eight Minutes to Own an Ecosystem

On June 17, a state-sponsored crew needed less than an hour and a half to compromise an entire corner of the JavaScript AI ecosystem. Working through an npm account belonging to a former Mastra contributor known as ehindero, attackers published malicious updates to more than 140 packages in the @mastra scope, the package namespace behind the popular Mastra AI agent framework. By the time the dust settled, 144 packages had been backdoored in a single automated spree that researchers timed at roughly 88 minutes. The speed is the story: this was not a careful, hand-crafted operation but an industrialized takeover, scripted to monetize access the instant it was obtained.

Two days later, Microsoft Threat Intelligence put a name to it. The company attributed the campaign with high confidence to Sapphire Sleet, the North Korean state actor more widely known as BlueNoroff and tracked elsewhere as APT38, a group historically focused on financial theft. Microsoft pointed to persistent tradecraft markers it has long associated with the group, including PowerShell backdoors, custom persistence mechanisms, and command-and-control infrastructure seen in earlier operations. Crucially, Microsoft also tied the same actor to an April 2026 supply chain attack against the Axios npm package, framing the Mastra incident not as a one-off but as part of a sustained campaign against the developer supply chain.

The Credential That Was Never Revoked

The root cause is almost embarrassingly mundane, and that is what makes it worth dwelling on. The ehindero account belonged to a real former Mastra contributor whose publishing rights across the entire @mastra scope had never been revoked, even though the account had been dormant since early 2025. A single stale credential was all that stood between Sapphire Sleet and 144 packages, and those packages carried a combined weekly download count exceeding 1.1 million. There was no clever zero-day, no novel cryptographic break, just an old set of keys left in a lock that nobody remembered to change after the locksmith moved on.

We have argued repeatedly that identity is the real perimeter of the software supply chain, and the Mastra compromise is a near-perfect proof of that thesis. Open-source projects accumulate maintainers and contributors over years, grant publishing rights generously to keep velocity high, and almost never run the unglamorous offboarding process that would claw those rights back when people drift away. Every one of those lingering grants is a standing invitation, and attackers have figured out that hijacking a forgotten maintainer account is cheaper and quieter than finding a memory-corruption bug. The hard part for defenders is that this risk is invisible until it is catastrophic.

Inside the Payload

The malicious updates injected a new dependency called easy-day-js, a typosquat dressed up to evoke the legitimate and ubiquitous dayjs date library so that a casual glance at a dependency list would not raise alarms. Once installed, easy-day-js fired a postinstall hook that executed an obfuscated dropper script, disabled Transport Layer Security certificate verification, contacted attacker-controlled command-and-control infrastructure, downloaded a second-stage payload, and launched it as a detached hidden process. The use of the postinstall lifecycle hook is a recurring theme in npm attacks because it runs automatically during installation, before a developer ever imports or executes the package, turning a routine npm install into code execution.

The second stage was a cross-platform information stealer that ran on Windows, Linux, and macOS, and its shopping list reveals the operators' priorities. The malware collected host information, browser histories, lists of installed applications, and running processes, and it specifically probed for 166 cryptocurrency wallet browser extensions including MetaMask, Phantom, and Coinbase Wallet. That focus is consistent with Sapphire Sleet's financial mandate: this was not espionage for its own sake but a pipeline pointed at developer machines and the crypto assets and credentials they hold. Developer laptops are now front-line targets precisely because they sit upstream of so much else.

Why the AI Angle Matters

It is not an accident that the target was an AI agent framework. Mastra sits in one of the fastest-growing, least-mature segments of the software world, where teams are racing to ship autonomous agents and pulling in dependencies faster than they can vet them. AI tooling repositories combine high adoption velocity with thin security hygiene, and that combination is catnip for an actor optimizing for reach. By poisoning the framework rather than a single application, Sapphire Sleet positioned itself to reach every downstream team building on Mastra, a leverage ratio that no direct attack on those teams could match.

For enterprises now embedding AI agents into production, the implication is direct: the supply chain risk you inherited from npm does not get smaller as you adopt AI frameworks, it gets larger, because these frameworks are newer, change faster, and carry deeper transitive dependency trees. The same hype that drives adoption suppresses the boring scrutiny that would catch a typosquatted easy-day-js before it shipped. We would caution any technology leader treating an AI framework as production-critical to apply the same provenance and review standards they would demand of any other load-bearing dependency, and probably stricter ones given the velocity.

What Defenders Should Do Now

The immediate hygiene is straightforward. Audit your dependency tree for any @mastra packages installed or updated around June 17, pin to known-good versions, and treat any developer or build machine that ran an affected install as potentially compromised given the postinstall execution path. Because the payload disabled TLS verification and reached out to external command-and-control, network logs from build agents and developer endpoints are a useful place to hunt for the telltale outbound connections. Rotating credentials that lived on exposed machines, especially cloud and npm publishing tokens, should be assumed necessary rather than optional.
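The dependency-tree audit described above can be scripted against an npm lockfile. The following is an added example, not code from Microsoft or the Mastra project: it walks the `packages` map of a v2/v3 `package-lock.json` and flags the indicators this article names. The function names, the sample lockfile, and its package names and versions (other than easy-day-js and the @mastra scope) are constructed for illustration.

```javascript
// Added example, not from the article: flag lockfile entries matching the
// indicators the article names (easy-day-js, the @mastra scope, install scripts).
const SUSPECT_DEP = 'easy-day-js';   // malicious dependency named in the article
const AFFECTED_SCOPE = '@mastra/';   // scope whose packages were backdoored

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function nameFromPath(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? path : path.slice(i + 'node_modules/'.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not an installed package
    const name = nameFromPath(path);
    const deps = { ...entry.dependencies, ...entry.optionalDependencies };
    const reasons = [];
    if (name === SUSPECT_DEP) reasons.push('is easy-day-js');
    if (SUSPECT_DEP in deps) reasons.push('depends on easy-day-js');
    if (name.startsWith(AFFECTED_SCOPE)) reasons.push('in @mastra scope: compare version with a known-good pin');
    // npm records hasInstallScript for packages with pre/post/install hooks.
    if (reasons.length && entry.hasInstallScript) reasons.push('runs an install script');
    if (reasons.length) findings.push({ path, name, version: entry.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile; every version string here is a placeholder.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@mastra/example-pkg': {
      version: '0.0.0-sample', dependencies: { 'easy-day-js': '*' },
    },
    'node_modules/easy-day-js': { version: '0.0.0-sample', hasInstallScript: true },
    'node_modules/dayjs': { version: '0.0.0-sample' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.reasons.join('; ')}`);
}
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `auditLockfile` in place of the sample. A hit on easy-day-js means the install hook may already have run on that machine, so the finding is a trigger for the host response described above, not just a dependency cleanup.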

The durable fix, though, is governance, not incident response. Organizations should disable postinstall scripts by default in their package managers where feasible, require provenance and signed publishing for critical dependencies, and pressure the ecosystems they depend on to expire dormant maintainer credentials automatically. The Mastra attack succeeded because a publishing right outlived the person who earned it, and that pattern repeats across thousands of open-source projects right now. Until the npm ecosystem treats stale maintainer access as the standing liability it is, an 88-minute takeover remains a repeatable play, and the next forgotten account is already out there waiting to be found.