North Korean Hackers Exposed in Mastra NPM Supply Chain Attack – Cybersecurity Threat
North Korean state-sponsored actors are linked to a supply chain compromise targeting the Mastra NPM ecosystem, according to cybersecurity researchers.
Overview of the Supply Chain Attack
Mastra is an open source TypeScript framework for building AI agents, workflows, and RAG pipelines, with integrations for major LLM providers, MCP servers, and cloud environments. On June 17, the attackers published new versions of 141 Mastra NPM packages that each pulled in a malicious dependency named easy-day-js. The name is a typosquat of the legitimate dayjs date library, chosen to look like a plausible date utility to anyone glancing at a dependency list; victims did not have to mistype anything, because the compromised Mastra packages declared the dependency for them. The affected Mastra packages reportedly account for approximately 8 million weekly downloads combined.
Attack Details and Technical Analysis
The breach began with the takeover of the ‘ehindero’ NPM maintainer account, which held publishing rights across the Mastra ecosystem. Before that takeover, the attackers had already published a benign version of easy-day-js from a separate account, ‘sergey2016’, so that the package name existed on the registry and had a harmless history. With the stolen maintainer credentials, they then published new versions of 141 Mastra packages that declared easy-day-js as a dependency in a way that made npm resolve the newest published release at install time (in practice, a floating version range rather than a pinned version). At the same time they published the malicious easy-day-js release from the account they controlled, which became the version installers received.
Technical Payload
The malicious easy-day-js release carried an obfuscated postinstall script. On installation it fetched a second-stage payload from attacker-controlled servers, launched it as a hidden background process, and then deleted itself to frustrate later inspection. Because npm runs lifecycle scripts automatically, Microsoft confirmed that the malware could execute during npm install or npm update, so any system that ran either command and resolved the affected versions after the attack is potentially exposed. The payload targeted Windows, macOS, and Linux, masqueraded as node-related tooling, harvested system information, and went after data from more than 160 cryptocurrency-related browser extensions.
Group Attribution and Previous Attacks
The attack has been attributed to the financially motivated North Korean group Sapphire Sleet, also known as BlueNoroff, CageyChameleon, Copernicium, and Stardust Chollima. This group was previously associated with the Axios NPM supply chain attack.
Users of Mastra are advised to remove the affected package versions, scan any system that installed them for malware, rotate credentials and tokens that were present on those systems, and secure access to cryptocurrency wallets.
Response and Cybersecurity Measures
Cybersecurity firms Aikido, Ox, Socket, Sonatype, and StepSecurity have published technical analyses and indicators of compromise (IoCs) for the incident.
Impact on Software Supply Chains
The incident underscores two recurring weaknesses in software supply chains: a single maintainer account with publishing rights over a large ecosystem, and a typosquatted dependency whose name is close enough to a popular library to pass casual review. Organizations are urged to monitor their dependency trees and to implement stricter access controls for maintainers of critical open-source projects.
