North Korea's Sapphire Sleet Backdoors 145 Mastra AI Packages, and a LinkedIn Message Was the Way In
Cybersecurity

North Korea's Sapphire Sleet Backdoors 145 Mastra AI Packages, and a LinkedIn Message Was the Way In

A hijacked maintainer account seeded a typosquat called easy-day-js across 145 packages in the Mastra AI framework, dropping a crypto-stealing RAT. Microsoft pins it on North Korea's Sapphire Sleet, and the initial access was a LinkedIn call.

PublishedJuly 2, 2026
Read time5 min read
Share

Eighty-Eight Minutes to Poison an Ecosystem

On June 17, 2026, someone with control of the @mastra npm organization went to work. Over the course of 88 minutes, 145 packages across the Mastra AI framework ecosystem were republished, each quietly amended to include a new production dependency: a package called easy-day-js. Mastra is a fast-growing TypeScript framework for building AI agents, and its core package alone pulls roughly 918,000 weekly downloads. The combined weekly download count of the affected packages exceeded 1.1 million, which is the scale of exposure that turns a single compromised account into a supply-chain event with a very long reach.

The choice of dependency was deliberate deception. easy-day-js is a typosquat of dayjs, the ubiquitous JavaScript date library that appears in countless legitimate projects, and it was engineered to look boring and credible. A developer glancing at a dependency list would see something that reads like a routine date utility, not a red flag. That is the entire point of this class of attack: it hides malicious code behind a name that pattern-matches to something trustworthy, and it rides in on the automatic trust that developers extend to the packages their tools pull down.

A Two-Stage Setup Built for Credibility

The operation was patient and staged. On June 16 at 07:05 UTC, an npm user going by sergey2016 published easy-day-js version 1.11.21, a clean and fully functional copy of the real dayjs library containing no malicious code whatsoever. Its only job was to establish the package as legitimate, to build a track record and pass a casual smell test. The trap was set roughly 18 hours later, when version 1.11.22 shipped at 01:01 UTC on June 17, adding a setup.cjs payload and a postinstall hook that would execute automatically whenever the package was installed.

The payload behaved like modern criminal tooling. The postinstall dropper reached out to attacker-controlled servers to download and run a second-stage cross-platform information stealer, then deleted itself to erase evidence of what it had done. The stealer harvested browser history and data from more than 160 cryptocurrency wallet extensions, installed persistence across Windows, macOS, and Linux, and polled a command-and-control server for further instructions. This is not a smash-and-grab. It is a durable foothold on developer machines, with a clear focus on the credentials and wallets that make those machines lucrative to sit on.

Microsoft Points at Pyongyang

Microsoft attributed the campaign to Sapphire Sleet, a North Korean threat group with a documented history of targeting the financial sector and, more recently, the software supply chain. The company tied the operation to the same actor behind the April 2026 compromise of axios, one of the most widely used HTTP clients in the JavaScript ecosystem, noting matching operational patterns between the two intrusions. Microsoft was direct about motive, assessing that the primary motivation is stealing cryptocurrency wallets to generate revenue, which is consistent with the regime's long-running use of cybercrime as a funding mechanism.

That attribution reframes the incident. This is not an opportunistic prank or a lone criminal chasing a quick payout, it is a nation-state supply-chain program that has now hit two major npm packages in a matter of months and shows every sign of continuing. Sapphire Sleet is treating the open-source registry as a distribution channel, and AI frameworks as a high-value target within it. As StepSecurity observed, Mastra sits at the intersection of AI development and cloud infrastructure, making it an exceptionally high-value target, which is precisely why a state actor bothered to invest in the multi-stage tradecraft on display here.

The Way In Was a Message

For all the technical polish, the initial access was mundane, and that is the most important lesson. The compromised maintainer was a current, active Mastra employee whose machine was taken over through a social-engineering attack. A LinkedIn account reached out to him, as it did to maintainers of other prominent TypeScript open-source projects, and during a call he clicked a suspicious link. That single click handed the attackers control of a machine with npm publishing rights, and from there the poisoning of 145 packages was mechanical. No zero-day was required to get in the door.

This is the uncomfortable core of supply-chain security in 2026. The strongest link in the technical chain, an experienced maintainer of a popular framework, was defeated by a targeted message and a plausible pretext. Sapphire Sleet has industrialized exactly this approach, using recruiter-style LinkedIn outreach to reach the small number of people who hold publishing keys to widely used code. Every organization that maintains open-source packages, or that employs people who do, should treat their maintainers as high-value targets deserving of the same protection as executives and administrators, because attackers already do.

Provenance That Was Optional Is Provenance That Failed

There is a control that could have blunted this attack, and it is worth studying because Mastra almost had it. According to the security firm SafeDep, Mastra generated build provenance on its continuous-integration publishes but did not require it, so a standard npm token could still publish packages without attestations. In other words, the project had the machinery to prove that a package was built by its legitimate pipeline, but it did not enforce that proof. An attacker with a stolen token could therefore publish directly, bypassing the very system designed to establish trust, and nothing stopped the bad versions from going live.

The takeaway for anyone maintaining packages is to make provenance mandatory, not aspirational. Attestations, hardware-backed tokens or two-factor requirements on publish, and CI-only publishing pipelines that reject anything lacking a valid build signature are the controls that turn a stolen credential from a catastrophe into a blocked attempt. For consumers of open-source code, the defenses are equally concrete: pin dependencies, scrutinize new transitive additions like easy-day-js, and disable install scripts by default so a postinstall hook cannot fire the moment a package lands. The Mastra compromise is a template, and Sapphire Sleet has shown it intends to reuse it.

Tagged#news#security#cybersecurity#supply-chain#ai-security#npm