By Allan D - Editor, AI Security Wire
North Korea Poisons 144 AI Framework npm Packages in 88 Minutes
On June 17, 2026, North Korea’s Sapphire Sleet group pulled off one of the more alarming supply chain operations in recent memory: 144 packages in the @mastra npm scope backdoored in under 90 minutes, with credential-stealing malware targeting every developer who ran npm install during the window. Microsoft attributed the attack with high confidence on June 19, linking it to the same group behind a prior assault on the Axios HTTP client in March.
For anyone building with AI agent frameworks, this one deserves careful attention.
What Happened
Mastra is a TypeScript AI agent framework published under the @mastra npm scope. It is one of the more popular options and is used across agentic workflow projects and LLM integration pipelines. The attack began with classic social engineering: a current Mastra employee received an approach via LinkedIn that led to a convincing lure and, eventually, execution of an attacker payload on their workstation. Once Sapphire Sleet had the employee’s npm credentials, the rest took 88 minutes.
The group published malicious updates to 144 packages in the @mastra scope, injecting a typosquatted dependency: easy-day-js, designed to look like the legitimate dayjs date library. Any project pulling down those updated packages triggered a postinstall hook. The hook, obfuscated to evade casual inspection, disabled TLS verification, connected to attacker-controlled infrastructure, pulled a second-stage cross-platform payload, and established persistence using OS-appropriate mechanisms: registry Run keys on Windows, LaunchAgents on macOS, systemd services on Linux.
What It Was After
The payload’s target list reads like a map of what sits in a typical AI developer’s environment. It enumerated:
- Browser-stored credentials and authentication tokens
- Environment variables, which is where most developers store LLM API keys and cloud provider credentials
- 166 cryptocurrency wallet browser extensions, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink
- Running processes and installed applications
This is Sapphire Sleet’s profile in precise form. The group, also known as BlueNoroff and linked to the Lazarus cluster, has historically focused on cryptocurrency theft and financial credential collection. But the explicit inclusion of LLM API keys signals something important: AI development environments are now a recognised priority target, not an incidental one.
LLM API billing credentials are valuable in their own right, and they have appeared in secondary criminal markets and LLMjacking operations. Beyond that, cloud credentials stored in developer environments can provide access to production infrastructure far beyond the developer’s local machine.
Attribution and the Broader Pattern
Microsoft matched this attack to Sapphire Sleet based on PowerShell backdoor signatures, command-and-control infrastructure overlap, and tradecraft that mirrors the March 2026 Axios attack. That incident used the same social-engineering-then-account-compromise-then-postinstall-hook chain against a different package maintainer.
Two incidents with the same method, the same payload family, and the same credential targets make a campaign, not a coincidence. Sapphire Sleet is methodically working through the npm maintainer network, finding accounts with broad publishing access, and weaponising them.
The 88-minute execution window is deliberate: npm’s security scanning and automated abuse detection have improved considerably, and threat actors have responded by compressing the time between account access and malicious publication. By the time automated scanning flagged the updates, the exposure window had already opened.
What AI Developers and Security Teams Should Do
If your projects use any @mastra scoped packages and you ran npm install during June 16-17, treat every credential accessible from those development machines as potentially compromised. Start with LLM API keys, cloud provider credentials, and anything stored in environment variables, then extend to browser-stored passwords and any cryptocurrency wallets accessible from those machines.
npm removed the malicious package versions after disclosure. The risk now is cached installs in CI/CD pipelines and developer laptops that haven’t been rebuilt since the exposure window. Check package-lock.json files for @mastra packages from that period and audit your CI environment’s credential exposure.
More broadly, this is a reminder that npm postinstall hooks execute arbitrary code with the permissions of the installing user, and that package maintainer accounts are a weak link regardless of the package’s own code quality. Lockfile integrity checking in CI, npm provenance verification where supported, and supply chain monitoring for high-value AI framework dependencies are all worth implementing if they aren’t already.
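The lockfile check described above can be scripted. The following is an added example, not code from Microsoft, npm or Mastra: it walks a parsed package-lock.json and reports @mastra packages, any reference to easy-day-js, and packages flagged with install scripts. The sample lockfile, the package name @mastra/core and all version strings are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json for the indicators this article names.
const SCOPE = "@mastra/";       // compromised scope, from the article
const BAD_DEP = "easy-day-js";  // typosquatted dependency, from the article

// "node_modules/a/node_modules/@mastra/core" -> "@mastra/core"
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Yield every locked package from lockfileVersion 2/3 ("packages") or 1 ("dependencies").
// v1 lockfiles do not record install scripts, so hasInstallScript is always false there.
function* lockedPackages(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      yield { name: meta.name || nameFromPath(path), version: meta.version,
              hasInstallScript: meta.hasInstallScript === true,
              requires: Object.keys(meta.dependencies || {}) };
    }
    return;
  }
  const stack = [lock.dependencies || {}];
  while (stack.length) {
    for (const [name, meta] of Object.entries(stack.pop())) {
      yield { name, version: meta.version, hasInstallScript: false,
              requires: Object.keys(meta.requires || {}) };
      if (meta.dependencies) stack.push(meta.dependencies);
    }
  }
}

function auditLock(lock) {
  const report = { scoped: [], badDep: [], installScripts: [] };
  for (const p of lockedPackages(lock)) {
    const id = `${p.name}@${p.version}`;
    if (p.name.startsWith(SCOPE)) report.scoped.push(id);
    if (p.name === BAD_DEP) report.badDep.push(id);
    if (p.requires.includes(BAD_DEP)) report.badDep.push(`${id} -> ${BAD_DEP}`);
    if (p.hasInstallScript) report.installScripts.push(id);
  }
  return report;
}
// Constructed sample lockfile: versions are placeholders, not real release numbers.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@mastra/core": { version: "0.0.0-sample", dependencies: { "easy-day-js": "*" } },
  "node_modules/easy-day-js": { version: "0.0.0-sample", hasInstallScript: true } } };
console.log(JSON.stringify(auditLock(sampleLock), null, 2));
```

To audit a real project, pass in the parsed contents of its package-lock.json instead of sampleLock. The lockfile carries no install timestamps, so the reported @mastra versions still have to be compared against the versions named in the advisory.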
References
- Microsoft Security Blog: From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet
- BleepingComputer: Microsoft links Mastra AI supply chain attack to North Korean hackers
- The Hacker News: 144 Mastra npm Packages Compromised via Hijacked Contributor Account
- SecurityWeek: North Korean Hackers Blamed for Mastra NPM Supply Chain Attack
Frequently Asked Questions
- Which versions of Mastra are affected and how do I know if I was exposed?
- Any project that ran npm install against an @mastra scoped package between approximately June 16 and June 17, 2026 may have executed the malicious postinstall hook. npm has since removed the compromised package versions. Check your package-lock.json or yarn.lock for @mastra packages installed in that window, and treat all credentials accessible from those machines as potentially compromised until rotated.
- What credentials did the malware target?
- The second-stage payload enumerated browser-stored credentials, environment variables, and 166 cryptocurrency wallet browser extensions including MetaMask, Phantom, and Coinbase Wallet. In AI development environments, LLM API keys (OpenAI, Anthropic, Google, Mistral) and cloud provider credentials stored as environment variables were directly at risk.
- Is this a one-off or part of a broader North Korean campaign against AI developers?
- Microsoft assesses this as part of a documented campaign. Sapphire Sleet carried out a near-identical attack against the Axios HTTP client in March 2026. The pattern (social engineering against a package maintainer, rapid account compromise, postinstall hook injection) is consistent across both incidents. AI developer tooling has become a priority target for the group alongside its traditional cryptocurrency and fintech focus.