North Korean Sapphire Sleet Group Behind Mastra AI Supply Chain Attack, Microsoft Says
Microsoft attributes a supply chain attack on Mastra AI to North Korean state actor Sapphire Sleet. Over 140 npm packages were poisoned with a malicious dependency that disables TLS verification and steals cryptocurrency wallet credentials.
Microsoft has attributed a large-scale supply chain attack targeting Mastra, an open-source TypeScript framework for building AI-powered applications, to the North Korean state-sponsored hacking group Sapphire Sleet. The attack compromised over 140 packages across the npm registry, the world's largest JavaScript code-sharing platform.
According to Microsoft's Defender Security Research Team and Threat Intelligence, the campaign was observed on June 19 and assessed with high confidence to be the work of Sapphire Sleet, a group also tracked as APT38, BlueNoroff, Stardust Chollima, and TA444. The attackers took over an npm maintainer account and abused its publishing privileges to inject poisoned versions of Mastra code containing a malicious dependency called easy-day-js.
How the Attack Worked
The poisoned packages disabled Transport Layer Security (TLS) certificate verification, allowing the malware to contact an attacker-controlled command-and-control (C2) server. The server then delivered a payload capable of running on Windows, macOS, and Linux systems. The malware searched for 166 cryptocurrency wallet browser-extension IDs, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink, with the intent to steal funds. It also collected browser history, hostname, architecture, platform, user ID, installed applications, and running processes.
- Over 140 Mastra packages on npm were affected by the supply chain compromise.
- The malicious dependency easy-day-js was added to poisoned package versions.
- Attackers targeted developers by compromising a maintainer account with publishing privileges.
- The malware payload was delivered to Windows, macOS, and Linux systems.
- 166 cryptocurrency wallet browser-extension IDs were targeted for theft.
Implications and Mitigation
Microsoft noted that Sapphire Sleet has a history of using social engineering on LinkedIn to target individuals in the financial, blockchain, and cryptocurrency sectors. The company did not disclose how the maintainer account was taken over but advised organizations to review dependency trees for direct or transitive use of affected @mastra packages at compromised versions. It also recommended checking for easy-day-js in node_modules or package-lock.json files, and pinning known-good package versions. For Mastra, version 1.13.0 and earlier are unaffected; for @mastra/core, version 1.42.0 and earlier are safe.
This attack underscores the growing risk of supply chain compromises targeting AI development tools. As AI frameworks become more widely adopted, threat actors are increasingly exploiting the trust developers place in open-source dependencies. Organizations using Mastra should immediately audit their npm dependencies and apply the mitigations outlined by Microsoft to prevent potential cryptocurrency theft and data exfiltration.
Fact check
- Microsoft attributed the Mastra supply chain attack to the North Korean state-sponsored group Sapphire Sleet with high confidence.
- Over 140 packages across Mastra scopes on the npm registry were affected.
- The attack involved a malicious dependency called easy-day-js that disabled TLS certificate verification.
- The malware targeted 166 cryptocurrency wallet browser-extension IDs including MetaMask, Phantom, and Coinbase Wallet.
- Microsoft advised that Mastra version 1.13.0 and earlier are unaffected, and @mastra/core version 1.42.0 and earlier are unaffected.