Microsoft attributes the Mastra AI npm supply chain attack to Sapphire Sleet, a North Korean state actor: 144 packages backdoored via a hijacked contributor account, targeting LLM API keys, cloud credentials, and cryptocurrency wallets.
Profiling adversary groups targeting AI systems and leveraging AI in their operations.
Microsoft attributes the Mastra AI npm supply chain attack to Sapphire Sleet, a North Korean state actor: 144 packages backdoored via a hijacked contributor account, targeting LLM API keys, cloud credentials, and cryptocurrency wallets.
Sysdig caught a threat actor using a misconfigured Ollama instance as the reasoning engine for an automated offensive pentesting framework — a significant escalation from credential theft to weaponised AI infrastructure.
Sophos researchers uncovered an operational threat actor lab using Claude Opus 4.5, Cursor, and MCP to build and test EDR evasion malware against live Sophos, CrowdStrike, and Microsoft Defender installations.
North Korea's FAMOUS CHOLLIMA operation has expanded beyond revenue generation into systematic AI intellectual property theft, placing fake engineers inside foundation model developers, GPU cloud providers, and AI safety organisations. CrowdStrike, Microsoft, and the DOJ have documented the mechanism. The AI industry has not caught up.
A newly attributed state-sponsored threat actor is targeting AI development infrastructure to poison training datasets and embed persistent backdoors in deployed models.