Sapphire Sleet Backdoors 144 npm Packages in 88 Minutes to Steal Cryptocurrency Wallets

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
North Korean state actor Sapphire Sleet backdoored 144 Mastra AI npm packages in under 88 minutes on June 17, 2026, poisoning a dependency chain with 8 million weekly downloads to steal cryptocurrency wallets and deliver a cross-platform persistent backdoor to any developer who ran npm install.
The Sapphire Sleet npm supply chain attack targeted the entire Mastra AI open-source ecosystem by compromising the ehindero npm maintainer account, which held publish rights across the @mastra scope. Attackers injected a malicious dependency called easy-day-js, a typosquat of the legitimate dayjs date library with 57 million weekly downloads, into more than 140 packages between 01:01 and 01:20 UTC. Microsoft's Threat Intelligence team attributed the attack to Sapphire Sleet, also tracked as BlueNoroff, CageyChameleon, and Stardust Chollima, a financially motivated North Korean state-sponsored group with a documented record of cryptocurrency theft targeting financial institutions and developer toolchains.
The attack operated in two stages. Attackers published easy-day-js@1.11.22 with a postinstall hook that silently executed an obfuscated dropper the moment any developer or CI/CD pipeline ran npm install. The dropper connected to two C2 servers, downloaded a 41-kilobyte cross-platform infostealer, and established persistence through Windows registry run keys, macOS LaunchAgents, or Linux systemd units. The payload then enumerated 166 browser-installed cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase Wallet, and Binance Wallet, and exfiltrated credentials back to attacker infrastructure on a 10-second polling loop.
Mastra AI is an enterprise AI orchestration framework used by development teams across financial services, fintech startups, and enterprise software companies. Any team that installed @mastra packages between June 17 01:20 UTC and npm's takedown now has active backdoor infrastructure on developer workstations and CI/CD runners. Attribution to Sapphire Sleet, a group responsible for hundreds of millions in confirmed cryptocurrency theft, makes the objective clear: this is not reconnaissance. It is direct financial extraction with hands-on-keyboard access to compromised build environments.
How Does the Sapphire Sleet npm Supply Chain Attack Work?
The attack exploited a fundamental trust relationship in the npm ecosystem: developers and automated CI/CD pipelines implicitly execute any code defined in a package's postinstall script during installation without prompting. Sapphire Sleet weaponized this trust by compromising the ehindero maintainer account and inserting easy-day-js as a dependency into 144 packages across the @mastra scope in a window of 19 minutes.
The postinstall hook ran node setup.cjs --no-warnings, executing a 4,572-byte obfuscated JavaScript dropper. The dropper used rotated string arrays and base64 decoding to resist static analysis, disabled TLS certificate verification by setting NODE_TLS_REJECT_UNAUTHORIZED to 0, and created tracking marker files at $TMPDIR/.pkg_history and $TMPDIR/.pkg_logs to prevent reinfection of already-compromised hosts. On first execution, it connected to 23.254.164.92:8000 and downloaded a 41 KB Node.js tasking client.
The second-stage payload supported Windows, macOS, and Linux. On Windows, it injected a reflective .NET DLL into cmd.exe, added Windows Defender exclusions for C:\Windows\System32, deleted PowerShell command history, and set a registry run key for persistence. On macOS, it installed a LaunchAgent plist at ~/Library/NodePackages/com.nvm.protocal.plist. On Linux, it created a systemd user unit at ~/.config/systemd/nvmconf/nvmconf.service. Across all platforms, the payload polled maskasd.com for attacker commands every 10 seconds, providing Sapphire Sleet operators with interactive shell access to any compromised host.
The dropper's stage one ran in every environment that executed npm install, including developer laptops and cloud-hosted CI/CD runners. Any secrets, tokens, environment variables, or API keys accessible in those environments were exposed to an attacker-controlled command-and-control channel within seconds of installation.
Maintainer Account Takeover
Sapphire Sleet compromised the ehindero npm account, which held publish rights across the @mastra scope, gaining the ability to release new package versions without repository access.
Typosquat Dependency Injection
easy-day-js@1.11.22, a typosquat of the legitimate dayjs library, was published at 01:01 UTC with a postinstall hook. By 01:20 UTC, attackers had injected it as a dependency into 144 @mastra packages.
Postinstall Dropper Execution
Any developer or CI/CD pipeline running npm install automatically executed setup.cjs, a 4,572-byte obfuscated dropper that connected to C2 infrastructure and downloaded the second-stage payload.
Cross-Platform Persistence and Exfiltration
The second-stage payload established OS-specific persistence, enumerated 166 cryptocurrency wallet browser extensions, exfiltrated browser credentials and history, and opened a 10-second polling backdoor to maskasd.com.
Which Mastra npm Packages Are Compromised?
The compromised packages span the entire @mastra scope. Any package that declared easy-day-js as a dependency and was published or updated between June 17, 01:01 UTC and npm's takedown response is poisoned. The core package mastra@1.13.1 carries the malicious dependency and represents the highest-download vector into developer environments. All packages in the @mastra/* namespace published in that window share the same risk profile.
Developers should run npm ls easy-day-js in every project that references @mastra packages. Any output listing easy-day-js@1.11.22 confirms the postinstall hook had the opportunity to execute during installation. Note that the hook executes at install time, not at runtime: the presence of the package in the dependency tree does not mean the malware is still running, but it does confirm the dropper ran during the install session.
Teams should also check for the file SHA-256 hash B122A9873BEDF145AE2A7FD024B5F309007DBB025149F4DC4AC3F7E4F32A36A4 against any setup.cjs files in their npm cache. The mastra-1.13.1.tgz package archive carries hash B73DE25C053C3225A077738A1FCBD9CA6966D7B3CD6F5494A30F0AA0EAE55C7E, which can be verified against package integrity records.
Safe pinning points confirmed by Microsoft: mastra at version 1.13.0 or earlier, and @mastra/core at version 1.42.0 or earlier. Organizations should update package.json files to use exact versions rather than semver ranges for core infrastructure dependencies in any AI or financial application built on Mastra.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Threat Actor Context: Sapphire Sleet's Escalating Supply Chain Campaign
Sapphire Sleet operates under the broader North Korean Lazarus Group umbrella, focused specifically on cryptocurrency theft to fund North Korea's weapons programs. Microsoft tracks them as one of the most financially destructive North Korean sub-groups, with prior campaigns netting hundreds of millions in cryptocurrency from exchanges, venture capital firms, and individual investors.
The April 2026 Axios npm compromise used the same postinstall hook technique: modified versions of the Axios HTTP library: one of the most widely used Node.js HTTP clients: pointed to a phantom dependency designed to download and execute a cross-platform remote access trojan. That campaign established that Sapphire Sleet had developed and refined the npm attack playbook before targeting Mastra. The two campaigns share infrastructure fingerprints, including the same dropper obfuscation pattern and the same C2 communication protocol.
The Mastra attack represents a strategic escalation. Rather than targeting a generic utility library used across millions of unrelated projects, Sapphire Sleet identified a framework with a defined enterprise customer base concentrated in financial services and cryptocurrency development. This precision increases the probability that a compromised developer workstation holds cryptocurrency wallet credentials or API keys to financial platforms. Sapphire Sleet's TTPs in this campaign map to MITRE ATT&CK T1195.002 (Compromise Software Supply Chain), T1546.004 (Unix Shell Configuration Modification), and T1059.001 (PowerShell), consistent with their broader pattern covered in our analysis of the BlueNoroff deepfake Zoom ClickFix campaign.
The tooling, infrastructure choices, and victim selection in the April and June 2026 npm campaigns both show heavy weighting toward organizations in NATO member countries and cryptocurrency-adjacent development teams.
“Microsoft has attributed the Mastra npm supply chain attack to Sapphire Sleet, a North Korean threat actor known for targeting financial organizations and stealing cryptocurrency.”
Microsoft Threat Intelligence, Security Blog, June 19, 2026
Who Is at Risk from the Sapphire Sleet npm Attack?
The highest-risk population is any development team that ran npm install on a project referencing @mastra packages between June 17, 01:20 UTC and npm's takedown. The attack reached every major operating system, meaning Windows developers, macOS developers, and Linux-based CI/CD runners all face identical risk.
Developer workstations with cryptocurrency wallet browser extensions installed face direct financial exposure. The second-stage payload hardcoded 166 wallet extension IDs covering MetaMask, Phantom, Coinbase Wallet, Binance Wallet, TronLink, and every other major browser-accessible wallet for Chrome, Edge, and Brave. The payload collected wallet extension data alongside browser history SQLite databases, giving Sapphire Sleet operators a complete picture of a developer's cryptocurrency holdings and trading platforms.
CI/CD pipeline runners carry a different but equally serious risk. Any secrets, environment variables, API keys, or deployment tokens accessible in a build environment that installed poisoned Mastra packages were exposed to a 10-second callback loop providing interactive shell access. Cloud-hosted runners on GitHub Actions, GitLab CI, and similar platforms that use ephemeral containers mitigate persistence but do not prevent secrets exfiltration during the compromised install session.
Enterprise risk extends to any downstream application built on Mastra. Financial services companies and fintech startups using Mastra's AI orchestration layer in customer-facing products may have had build-time credentials for production environments exposed. The group's prior campaign infrastructure choices in the North Korea 1,700-package supply chain attack demonstrate a consistent interest in credentials that provide access to financial platforms beyond the individual developer's personal accounts.
Indicators of Compromise: Detecting the Mastra Attack in Your Environment
Detection begins with dependency auditing and expands to filesystem, registry, and network telemetry depending on what the audit finds.
In dependency trees, search for easy-day-js@1.11.22 in package-lock.json files and node_modules directories across all projects using @mastra packages. Run npm ls easy-day-js in any Mastra-dependent project. The presence of the entry confirms the postinstall hook had the opportunity to execute.
On the filesystem, check for $TMPDIR/.pkg_history and $TMPDIR/.pkg_logs on Linux and macOS. On Windows, look for C:\ProgramData\system.bat, an unexpected hidden batch file created by the second-stage payload, and the malicious DLL scdev.dll in the system directory.
In the network layer, look for outbound connections to 23.254.164.92 and 23.254.164.123, the primary C2 IPs, and DNS lookups for maskasd.com and teams.onweblive.org. Any connection to these endpoints from a developer workstation or CI/CD runner confirms active backdoor communication.
In Windows registry, check HKCU\Software\Microsoft\Windows\CurrentVersion\Run for unexpected entries launching hidden PowerShell. On macOS, look for ~/Library/NodePackages/com.nvm.protocal.plist. On Linux, inspect ~/.config/systemd/nvmconf/nvmconf.service.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Remediation: How to Check and Clean Your Environment
Act immediately if your team installed any @mastra packages on or after June 17, 2026. The remediation sequence below addresses the infection chain from dependency removal through persistence cleanup and credential rotation.
Start with the dependency audit before touching anything else. Running npm install again on a still-poisoned tree reinfects cleaned machines.
Audit all dependency trees for easy-day-js
Run npm ls easy-day-js in every repository using @mastra packages. Flag any result showing easy-day-js@1.11.22 and treat those machines and runners as compromised.
Block C2 infrastructure at the network perimeter
Add block rules for IPs 23.254.164.92 and 23.254.164.123 and DNS blocks for maskasd.com and teams.onweblive.org before any further remediation steps. This cuts off active backdoor communication.
Remove poisoned packages and reinstall with --ignore-scripts
Delete node_modules and package-lock.json on affected machines, then reinstall using npm install --ignore-scripts to prevent any postinstall hooks from executing.
Pin Mastra versions in package.json
Set mastra to exactly 1.13.0 and @mastra/core to exactly 1.42.0 or earlier. Use exact version notation rather than semver ranges to prevent automatic upgrades to compromised versions.
Remove persistence artifacts on all affected hosts
Delete C:\ProgramData\system.bat and scdev.dll on Windows, ~/Library/NodePackages/com.nvm.protocal.plist on macOS, and ~/.config/systemd/nvmconf/nvmconf.service on Linux. Remove the registry run key entry on Windows.
Rotate all secrets from affected build environments
Any API key, token, deployment credential, or secret environment variable accessible during a compromised npm install session must be rotated immediately. Treat all secrets in affected CI/CD pipelines as compromised.
Conduct a full forensic review of outbound network connections
Review network logs from June 17, 2026 onward for connections to the two C2 IPs and the beacon domains. Any confirmed communication warrants full incident response including memory forensics on affected hosts.
Why the Sapphire Sleet npm Supply Chain Attack Matters for Your Organization
The Mastra campaign is not an edge case in the North Korean threat actor playbook. It is the third confirmed Sapphire Sleet npm operation in 2026, following the 1,700-package campaign and the Axios compromise, demonstrating a mature, repeatable capability running as an ongoing revenue operation.
No zero-day vulnerability enabled this attack. No patch exists because the attack exploited the npm ecosystem's trust model, not a software bug. The risk exists for every organization that installs open-source npm packages without verifying maintainer account security, reviewing postinstall scripts, or using lockfile-based installs with the --ignore-scripts flag. That describes the vast majority of software development teams.
What makes the Sapphire Sleet attack surface distinct from generic supply chain risk is the targeting precision. The 166-wallet extension enumeration list, the financial sector victim weighting, and the April-to-June operational tempo point to a dedicated team treating npm supply chain attacks as a systematic revenue channel. The group's prior campaigns covered in our analysis of the TanStack supply chain attack targeting developer credentials and the North Korea 1,700-package operation demonstrate consistent escalation in both scale and sector focus.
Every development team using AI orchestration frameworks, JavaScript toolchains, or open-source npm dependencies in financial services applications is operating in Sapphire Sleet's target environment. The remediation steps above address the immediate threat. The structural fix requires enforcing --ignore-scripts in all CI/CD pipelines, adopting software composition analysis tooling that flags typosquatted packages, and treating npm maintainer account security with the same rigor applied to production infrastructure credentials.
The bottom line
The Sapphire Sleet npm supply chain attack on Mastra AI backdoored 144 packages representing 8 million weekly downloads in under 88 minutes, delivering a cross-platform infostealer that targeted 166 cryptocurrency wallet extensions and opened persistent backdoor access to developer workstations and CI/CD pipelines. Microsoft's June 19 attribution to Sapphire Sleet confirms North Korean state sponsorship. If your team installed any @mastra package on or after June 17, 2026, run npm ls easy-day-js now, block the two C2 IPs at your network perimeter, and rotate every secret accessible from affected build environments before end of day.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is Sapphire Sleet?
Sapphire Sleet is a North Korean state-sponsored threat group also tracked as BlueNoroff, CageyChameleon, Copernicium, and Stardust Chollima. The group operates under the broader Lazarus umbrella and focuses on financially motivated attacks against cryptocurrency exchanges, financial institutions, venture capital firms, and developer toolchains. Microsoft and other threat intelligence vendors attribute hundreds of millions of dollars in cryptocurrency theft to Sapphire Sleet operations.
How does an npm supply chain attack work?
An npm supply chain attack injects malicious code into packages that developers install as dependencies. In the Mastra attack, Sapphire Sleet compromised a maintainer account with publish rights across the @mastra scope and added a typosquatted dependency called easy-day-js to 144 packages. When developers or CI/CD pipelines ran npm install, the postinstall hook automatically executed the malicious dropper without any user interaction or warning.
Which npm packages are affected by the Mastra supply chain attack?
Over 144 packages in the @mastra scope were poisoned, including mastra@1.13.1 and packages across the @mastra/* namespace published between June 17, 01:20 UTC and npm's takedown response. Any package that pulled in easy-day-js@1.11.22 as a dependency is compromised. Teams should audit package-lock.json files for easy-day-js entries and pin Mastra to versions at or below 1.13.0.
How do I check if my project is compromised by the Mastra attack?
Run npm ls easy-day-js in any project using @mastra packages. If easy-day-js@1.11.22 appears in the dependency tree, the postinstall hook may have executed during install. Also check for the files $TMPDIR/.pkg_history and $TMPDIR/.pkg_logs, which the dropper creates as execution markers. On Windows, check the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key for unexpected PowerShell entries.
What is the easy-day-js malware?
easy-day-js is a typosquatted npm package designed to mimic the legitimate dayjs date library, which has 57 million weekly downloads. Version 1.11.22 contained an obfuscated postinstall hook that executed a 4,572-byte dropper called setup.cjs. The dropper disabled TLS certificate verification, connected to attacker C2 infrastructure at 23.254.164.92:8000, and downloaded a second-stage cross-platform infostealer targeting cryptocurrency wallets and browser credentials.
What cryptocurrency wallets did the Sapphire Sleet attack target?
The second-stage payload included a hardcoded list of 166 browser extension IDs covering every major cryptocurrency wallet available for Chrome, Edge, and Brave. Named targets include MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink. The payload also collected browser history SQLite databases, giving operators visibility into the victim's cryptocurrency trading activity beyond installed wallet extensions.
How can I prevent npm postinstall hook attacks?
Install packages with npm install --ignore-scripts to prevent postinstall hooks from executing automatically. Audit all dependencies with npm audit and review package-lock.json for unexpected transitive dependencies before running install in CI/CD pipelines. Use a software composition analysis tool that flags typosquatted package names. Require lockfile-based installs using npm ci rather than npm install in production and build pipelines.
How does North Korea use npm supply chain attacks?
North Korean state-sponsored groups, primarily under the Lazarus umbrella, have made npm supply chain attacks a repeatable revenue stream for cryptocurrency theft. The April 2026 Axios compromise used the same postinstall hook pattern. North Korea's prior campaign involving 1,700 npm packages established the operational playbook. The Mastra attack refined the approach by targeting a specific AI framework with a defined enterprise customer base in financial services and cryptocurrency rather than scattering payloads across low-traffic packages.
Sources & references
- Microsoft Security Blog: From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet
- BleepingComputer: Microsoft links Mastra AI supply chain attack to North Korean hackers
- SecurityWeek: North Korean Hackers Blamed for Mastra NPM Supply Chain Attack
- TechTimes: npm Supply Chain Attack: North Korea Backdoored 144 AI Packages in 88 Minutes
- Infosecurity Magazine: Microsoft Attributes Mastra AI Supply Chain Attack to North Korea
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
