Mastra npm Supply Chain Attack: North Korea’s Sapphire Sleet Backdoors 144 AI Packages in 88 Minutes

On 17 June 2026, North Korea’s Sapphire Sleet hacking group executed one of the most precisely engineered software supply chain attacks ever documented against an AI developer ecosystem. In an 88-minute automated campaign, attackers compromised 144 npm packages in the Mastra AI framework — a popular TypeScript framework for building AI agents and RAG pipelines — by exploiting a single stale contributor account that had never had its publish permissions revoked. Any developer who ran npm install during that window may have installed a cross-platform information-stealing trojan that targeted LLM API keys, cloud provider credentials, CI/CD secrets, and cryptocurrency wallets. The payload executed at install time and then deleted itself, leaving no trace.

What Happened

Mastra is an open-source TypeScript framework with over 1.1 million weekly npm downloads at the time of the attack, used extensively by developers building AI agents, RAG pipelines, and LLM-powered applications. Because Mastra applications routinely handle LLM API keys, cloud credentials, and CI/CD tokens, the framework’s npm scope represented an exceptionally high-value credential surface for a state-sponsored actor focused on financial theft.

The attack was a two-account operation, separating credential access from weaponisation:

The first account, sergey2016, published easy-day-js@1.11.21 on 16 June 2026 — a clean, fully functional clone of the legitimate dayjs date library with identical metadata, author name, homepage, repository URL, license, and version numbering. Its only purpose was to look credible and establish a benign version history.

The second phase began at 01:01 UTC on 17 June 2026. Account sergey2016 published easy-day-js@1.11.22 containing a weaponised postinstall hook with an obfuscated dropper script. Eleven minutes later, at 01:12 UTC, the attacker used compromised credentials for ehindero — a legitimate former Mastra contributor whose organisational scope publish access had never been revoked after they stopped contributing — to begin republishing packages across the entire @mastra npm namespace. Each package received easy-day-js as an injected dependency pinned as "^1.11.21". Because npm resolves caret-range pins to the latest matching version at install time, any fresh install automatically downloaded and executed the malicious 1.11.22.

The full campaign timeline:

  • June 16, 2026 07:05 UTC: easy-day-js@1.11.21 published — clean bait version
  • June 17, 2026 01:01 UTC: easy-day-js@1.11.22 published — malicious payload live
  • June 17, 2026 01:12-02:39 UTC: 88-minute automated campaign — 144 @mastra packages republished with malicious dependency
  • June 17, 2026 ~01:07 UTC: Microsoft Threat Intelligence observes [email protected]
  • June 17, 2026: Socket flags the malicious package within six minutes of publication
  • June 17, 2026: npm security team removes the malicious packages and revokes ehindero account access
  • June 19, 2026: Microsoft Threat Intelligence attributes campaign to Sapphire Sleet with high confidence

How It Happened

The attack exploited two structural failures in npm’s security architecture simultaneously:

Stale scope publish permissions. npm does not expire or revoke publish access when a contributor stops contributing to a project. The ehindero account had not published packages for the @mastra organisation in some time, yet its publish rights remained fully active and usable. This is the same failure that enabled the Shai Hulud campaign, the Reviewdog GitHub Action supply chain attack, and dozens of other npm supply chain incidents: contributor offboarding never includes credential revocation.

Caret-range dependency resolution. npm’s default semantic versioning range, the ^ prefix, automatically upgrades to the latest matching version at install time. Pinning "easy-day-js": "^1.11.21" meant that any npm install after 1.11.22 was published would automatically pull the weaponised version, even on machines that had previously installed cleanly. The bait version was the setup; the malicious version was deployed through auto-upgrade.

The second-stage payload — a cross-platform Node.js RAT — was delivered to developer machines and CI/CD environments that ran npm install during the exposure window. Once installed, the payload:

  • Established OS-level login persistence on Windows, macOS, and Linux
  • Inventoried 166 cryptocurrency wallet browser extensions including MetaMask, Phantom, Coinbase, and Binance
  • Harvested browser history and saved credentials from Chrome, Brave, and Edge
  • Exfiltrated cloud provider credentials: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AZURE_TENANT_ID, and GCP credentials
  • Targeted LLM API keys: OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_API_KEY
  • Exfiltrated npm tokens, GitHub tokens, and CI/CD secrets
  • Opened a remote module execution channel for arbitrary follow-on commands
  • Exfiltrated all collected data to 23.254.164.92 and 23.254.164.123 over port 443
  • Deleted itself to remove evidence of the initial infection

The payload carried no CVE, so vulnerability scanners had no detection surface during active exploitation. Behavioural tools (Socket, JFrog Curation, StepSecurity Harden-Runner) flagged it within minutes. Static analysis tools did not.

Microsoft linked the Mastra campaign to a near-identical April 2026 campaign targeting the Axios HTTP client, a JavaScript library with 70 million weekly downloads, which used the same tradecraft. The two campaigns are now assessed as part of a documented operational series against the AI developer toolchain.

Impact

The @mastra/core package alone received over 918,000 weekly downloads. The full @mastra namespace exposed to the attack had combined weekly downloads exceeding 1.1 million. Any developer workstation, CI/CD runner, or build system that executed npm install after 01:01 UTC on 17 June 2026 and before the malicious packages were removed was potentially exposed.

The target credential classes are among the most valuable in modern software infrastructure: LLM API keys, cloud provider master credentials, npm publishing tokens, and GitHub access tokens. A single compromised AI developer machine can yield access to production cloud environments, source code repositories, active CI/CD pipelines, and thousands of dollars in daily AI API spend.

Microsoft confirmed attribution to Sapphire Sleet, a North Korean state actor whose primary mandate is generating hard currency for the regime through cryptocurrency theft and financial system exploitation. Snyk, Orca, and Socket independently linked the campaign tradecraft to Sapphire Sleet / BlueNoroff.

What This Means for NHI Governance

The Mastra attack is a precision strike against the AI developer NHI surface. Mastra is used specifically for building AI agents — systems that hold LLM API keys, cloud credentials, and tool access as part of their operational design. Attacking the framework that builds agents is an attack on the credentials those agents carry.

The NHI governance failures this campaign exploited:

  • No contributor credential offboarding: The ehindero account’s publish access was a zombie credential — active, valid, and completely unmonitored long after the human behind it had stopped using it. NHI offboarding must include revocation of non-human credentials and access, not just human account deactivation.
  • No dependency integrity verification: The @mastra packages were republished with a single injected dependency. No cryptographic attestation, no SLSA provenance verification, no immutable package locking prevented this from reaching developers automatically.
  • CI/CD pipelines as credential aggregators: Developer machines and CI/CD runners that execute npm install typically have access to cloud provider credentials, API keys, and deployment tokens. A postinstall hook executes with the full privilege of whatever context is running the install. The blast radius of a compromised build environment is the entire production infrastructure it touches.
  • No install-time behavioural monitoring: CVE-based scanners are ineffective against zero-CVE supply chain attacks. This campaign was detected by behavioural tools monitoring for unexpected network connections from postinstall hooks. Organisations without that monitoring had no protection during the exploitation window.

Recommendations

  • Rotate all credentials on affected systems immediately. Any machine that ran npm install on any @mastra package between 01:01 UTC and package removal on 17 June 2026 should be treated as compromised. Rotate npm tokens, GitHub tokens, cloud provider credentials (AWS, Azure, GCP), LLM API keys (OpenAI, Anthropic, Google), and CI/CD secrets. If cryptocurrency wallet extensions were present in browsers, migrate wallet funds to new seed phrases generated on a clean device.
  • Implement contributor credential offboarding. Every npm organisation, GitHub organisation, and package registry account should have a formal offboarding process that revokes publish access at the point of contribution cessation, not later.
  • Pin dependencies to exact versions with verified provenance. Use lockfiles and SLSA provenance attestations. Caret-range resolution is a supply chain risk for any package that holds privileged access.
  • Block the C2 IP addresses. Block outbound traffic to 23.254.164.92 and 23.254.164.123 at network egress.
  • Run npm install with --ignore-scripts in CI/CD where possible. This prevents postinstall hooks from executing automatically. It is not a complete solution, but it eliminates the most common automated delivery mechanism for supply chain payloads.
  • Deploy behavioural monitoring for postinstall hook network activity. StepSecurity Harden-Runner, Socket, and JFrog Curation all blocked or flagged this campaign at detection time. CVE-based scanners did not.
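A triage check supporting the rotation, pinning and --ignore-scripts recommendations above, as an added example (not code from the article or from any of the vendors named): it walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and reports whether the malicious easy-day-js version is locked, which packages pull it in, and which locked packages declare install scripts. SAMPLE_LOCK, the demo-agent project name, the plain-demo-lib package and the @mastra/core version are constructed placeholders.

```javascript
// Added example: triage a package-lock.json (lockfileVersion 2/3 "packages" map).
const IOC = { name: 'easy-day-js', badVersions: ['1.11.22'] }; // values from the article

// Constructed sample lockfile; the @mastra/core version is a placeholder, not a real release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-agent', dependencies: { '@mastra/core': '0.0.0-placeholder' } },
    'node_modules/@mastra/core': {
      version: '0.0.0-placeholder',
      dependencies: { 'easy-day-js': '^1.11.21' },
    },
    'node_modules/easy-day-js': { version: '1.11.22', hasInstallScript: true },
    'node_modules/plain-demo-lib': { version: '1.0.0' },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function pkgName(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? path : path.slice(i + 'node_modules/'.length);
}

function triage(lock, ioc) {
  const report = { iocInstalled: [], dependents: [], installScripts: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path === '' ? meta.name || '<root>' : pkgName(path);
    if (path !== '' && name === ioc.name) {
      report.iocInstalled.push({
        path,
        version: meta.version,
        knownBad: ioc.badVersions.includes(meta.version),
      });
    }
    // Who introduces the dependency, and with what range.
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (ioc.name in deps) report.dependents.push({ name, range: deps[ioc.name] });
    // Lifecycle scripts that run on install unless --ignore-scripts is used.
    if (meta.hasInstallScript) report.installScripts.push(`${name}@${meta.version}`);
  }
  report.compromised = report.iocInstalled.some((e) => e.knownBad);
  return report;
}

console.log(JSON.stringify(triage(SAMPLE_LOCK, IOC), null, 2));
```

A clean result only describes the lockfile as it is now; because the article states the payload deleted itself after running, the rotation guidance still applies to any machine that installed during the exposure window.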

Final Thoughts

The Mastra campaign is the second confirmed Sapphire Sleet attack against the npm AI developer toolchain in 2026, following the April 2026 Axios compromise. That these are no longer isolated incidents but a documented series against AI development infrastructure signals a strategic shift: North Korean state actors have identified the AI developer credential surface (LLM API keys, cloud credentials, CI/CD tokens) as a primary financial target.

The attack was technically elegant, structurally simple, and would have been preventable with contributor credential governance. The ehindero account’s publish access should have been revoked when the human behind it stopped contributing. It was not. That single governance gap became the entry point for a nation-state attack on 1.1 million weekly package downloads.