North Korean Hackers Blamed for Mastra NPM Supply Chain Attack
A supply chain attack targeted the Mastra open source TypeScript framework by injecting a malicious dependency into over 140 NPM packages during a brief 45-minute window on June 17, 2026. The malicious dependency, a typosquatted library named easy-day-js, was added via a compromised maintainer account. The payload executed during package installation and targeted Windows, macOS, and Linux systems, focusing on cryptocurrency-related browser extensions. The attack is attributed to the North Korean financially motivated threat actor Sapphire Sleet. Users who installed any affected @mastra packages during the attack window are advised to consider their systems compromised and take remediation steps. No explicit patch or fixed versions are stated in the available data.
AI Analysis
Technical Summary
On June 17, 2026, the North Korean state-sponsored group Sapphire Sleet conducted a supply chain attack on the Mastra NPM ecosystem by compromising the 'ehindero' maintainer account. During a 45-minute window, they published 141 Mastra packages containing a malicious dependency named easy-day-js, a typosquat of the legitimate dayjs library. This dependency included an obfuscated postinstall dropper that fetched and executed a second-stage payload targeting Windows, macOS, and Linux systems. The malware masqueraded as node-related tools, collected system information, and targeted over 160 cryptocurrency-related browser extensions. The attack exposed any developer or CI/CD pipeline running npm install or npm update during the window, regardless of whether the malicious package was directly imported. The compromised packages have approximately 8 million weekly downloads. The attackers also published a clean version of easy-day-js from a separate account before the compromise to evade detection. Microsoft and multiple cybersecurity firms have published technical details and indicators of compromise. No specific patch or fixed versions have been disclosed.
Potential Impact
The attack potentially exposed millions of developer workstations and CI/CD pipelines that installed or updated any of the 141 compromised Mastra packages during the attack window. The malware executed during installation, enabling stealthy execution of a payload that targeted cryptocurrency browser extensions and collected system information across major operating systems. This could lead to credential theft, unauthorized access to cryptocurrency wallets, and broader system compromise. The supply chain nature of the attack means downstream applications and services depending on affected packages are at risk. The attack leveraged a compromised maintainer account, highlighting risks in package ecosystem governance.
Mitigation Recommendations
Users who installed any @mastra packages during the attack window on June 17, 2026, should consider their systems compromised. Recommended actions include removing the affected package versions, scanning systems for malware, rotating credentials, tokens, and secrets, and hardening access to cryptocurrency wallets. Since no official patch or fixed versions have been published, users should avoid installing or updating affected packages until further guidance is provided by Mastra maintainers or the NPM registry. Follow updates from Microsoft and cybersecurity firms for indicators of compromise and remediation tools.
North Korean Hackers Blamed for Mastra NPM Supply Chain Attack
Description
A supply chain attack targeted the Mastra open source TypeScript framework by injecting a malicious dependency into over 140 NPM packages during a brief 45-minute window on June 17, 2026. The malicious dependency, a typosquatted library named easy-day-js, was added via a compromised maintainer account. The payload executed during package installation and targeted Windows, macOS, and Linux systems, focusing on cryptocurrency-related browser extensions. The attack is attributed to the North Korean financially motivated threat actor Sapphire Sleet. Users who installed any affected @mastra packages during the attack window are advised to consider their systems compromised and take remediation steps. No explicit patch or fixed versions are stated in the available data.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
On June 17, 2026, the North Korean state-sponsored group Sapphire Sleet conducted a supply chain attack on the Mastra NPM ecosystem by compromising the 'ehindero' maintainer account. During a 45-minute window, they published 141 Mastra packages containing a malicious dependency named easy-day-js, a typosquat of the legitimate dayjs library. This dependency included an obfuscated postinstall dropper that fetched and executed a second-stage payload targeting Windows, macOS, and Linux systems. The malware masqueraded as node-related tools, collected system information, and targeted over 160 cryptocurrency-related browser extensions. The attack exposed any developer or CI/CD pipeline running npm install or npm update during the window, regardless of whether the malicious package was directly imported. The compromised packages have approximately 8 million weekly downloads. The attackers also published a clean version of easy-day-js from a separate account before the compromise to evade detection. Microsoft and multiple cybersecurity firms have published technical details and indicators of compromise. No specific patch or fixed versions have been disclosed.
Potential Impact
The attack potentially exposed millions of developer workstations and CI/CD pipelines that installed or updated any of the 141 compromised Mastra packages during the attack window. The malware executed during installation, enabling stealthy execution of a payload that targeted cryptocurrency browser extensions and collected system information across major operating systems. This could lead to credential theft, unauthorized access to cryptocurrency wallets, and broader system compromise. The supply chain nature of the attack means downstream applications and services depending on affected packages are at risk. The attack leveraged a compromised maintainer account, highlighting risks in package ecosystem governance.
Mitigation Recommendations
Users who installed any @mastra packages during the attack window on June 17, 2026, should consider their systems compromised. Recommended actions include removing the affected package versions, scanning systems for malware, rotating credentials, tokens, and secrets, and hardening access to cryptocurrency wallets. Since no official patch or fixed versions have been published, users should avoid installing or updating affected packages until further guidance is provided by Mastra maintainers or the NPM registry. Follow updates from Microsoft and cybersecurity firms for indicators of compromise and remediation tools.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/north-korean-hackers-blamed-for-mastra-npm-supply-chain-attack/","fetched":true,"fetchedAt":"2026-06-22T11:24:27.251Z","wordCount":1156}
Threat ID: 6a391b6beed863c81eb5b2e7
Added to database: 06/22/2026, 11:24:27 UTC
Last enriched: 06/22/2026, 11:24:33 UTC
Last updated: 06/22/2026, 12:17:39 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.