Microsoft Attributes Mastra AI Supply Chain Compromise to Sapphire Sleet

Microsoft's attribution analysis ties the JavaScript-ecosystem compromise to a North-Korea-linked cluster, assessing with high confidence that the actor it tracks as Sapphire Sleet published poisoned Mastra packages to reach developers and crypto wallets.

Share
Flat white line-art of a row of package boxes beside an attribution tag card and a flag pin, on a Mulberry background — Microsoft Mastra npm Sapphire Sleet attribution.

Key Takeaways

  • Microsoft published an attribution analysis assessing with high confidence that the June 17, 2026 compromise of more than 140 packages in the @mastra npm scope is the work of Sapphire Sleet, a North-Korea-linked threat cluster it also tracks under aliases including BlueNoroff.
  • Microsoft said it based the attribution on infrastructure and post-compromise tactics, techniques, and procedures consistent with previously documented Sapphire Sleet activity, including a separate npm supply chain compromise of the Axios HTTP client that the company attributed to the same cluster in April 2026.
  • The underlying compromise injected a malicious dependency, easy-day-js, whose postinstall payload searched for 166 cryptocurrency wallet browser extensions and harvested credentials and host data, framing the incident as financially motivated developer-targeting rather than a one-off package hijack.

Microsoft's attribution analysis ties the JavaScript-ecosystem compromise to a North-Korea-linked cluster.

REDMOND, WASHINGTON — Microsoft on June 19, 2026 published an attribution analysis tying the supply chain compromise of the Mastra AI framework's npm packages to a North-Korea-linked threat cluster, naming the actor it tracks as Sapphire Sleet and assessing the link with high confidence. The compromise itself, disclosed on June 17, saw poisoned updates pushed to more than 140 packages in the @mastra scope on npm, the largest registry of JavaScript code, after a contributor account with publishing privileges was taken over. Microsoft's analysis reframes that incident from an anonymous package hijack into a documented operation by a state-aligned group with a track record of stealing cryptocurrency.

The attribution is a vendor assessment rather than a government indictment, and Microsoft was explicit that it rests on the consistency of infrastructure and post-compromise behavior with prior activity. But the framing matters for defenders weighing how seriously to treat a single npm incident: a supply chain attack carried out by a persistent, financially motivated state cluster is a different risk picture than an opportunistic one-off, and it slots the Mastra case into a wider pattern of North-Korea-linked targeting of the open-source JavaScript ecosystem.

At a Glance
FieldDetails
Attributed byMicrosoft Threat Intelligence / Microsoft Defender Security Research Team
ClusterSapphire Sleet (aliases include BlueNoroff, APT38, Stardust Chollima, TA444)
NexusNorth Korea; financially motivated, primarily targets the financial sector
IncidentJune 17, 2026 compromise of 140+ @mastra npm packages via easy-day-js dependency
Ecosystemnpm (JavaScript / TypeScript)
StatusAttribution published June 19, 2026; high-confidence vendor assessment

What Microsoft Attributed

Microsoft's analysis, published by Microsoft Threat Intelligence and the Microsoft Defender Security Research Team, states that the company "assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector." The activity in question is the June 17 compromise of the Mastra AI framework's npm presence, in which an account with publishing rights across the @mastra scope was abused to push malicious updates to more than 140 packages.

According to Microsoft, the attribution was reached after the company observed that the infrastructure and post-compromise tactics, techniques, and procedures used in the Mastra campaign were consistent with previously documented Sapphire Sleet activity. That is the standard basis for a vendor attribution: it is a probabilistic judgment built on overlaps in command-and-control infrastructure and operational behavior, not a claim backed by a court filing or a sanctions designation. Microsoft did not, in its public write-up, detail exactly how the privileged maintainer account was taken over, though it noted that the cluster has a documented history of social-engineering operations against developers.

Sapphire Sleet is Microsoft's name for the group; other vendors and researchers track overlapping or equivalent activity under aliases including BlueNoroff, APT38, Stardust Chollima, and TA444. Microsoft characterizes the cluster as a financially motivated North Korean state actor that has conducted cryptocurrency theft and network-exploitation activity for years, and which operates within the broader set of North-Korea-linked operations that the wider research community associates with the Lazarus Group umbrella and North Korea's Reconnaissance General Bureau.

Continuation Context — the June 17 Disclosure

The compromise that Microsoft attributed is the subject of separate, earlier coverage. On June 17, 2026, the @mastra npm scope was hit by a large-scale package compromise after a contributor account with publishing privileges was taken over and used to push poisoned versions of more than 140 packages. The mechanism, as documented at the time, was the insertion of a malicious dependency named easy-day-js — described by reporters as a typosquat of the legitimate dayjs date library — into the affected releases.

That dependency carried a postinstall payload, meaning the malicious code executed during installation rather than only when a package was imported into application code. Any developer workstation or continuous integration and continuous delivery pipeline that ran an install or update against the compromised versions during the exposure window was therefore potentially affected. According to Microsoft's analysis, the payload disabled Transport Layer Security certificate verification, reached out to attacker-controlled command-and-control infrastructure, and retrieved a follow-on payload built to run on Windows, macOS, and Linux.

The objective, as Microsoft describes it, was twofold and squarely financial. The malware enumerated the presence of 166 cryptocurrency wallet browser extensions — among them widely used wallets such as MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink — and harvested credentials, tokens, and host reconnaissance data including hostname, architecture, platform, installed applications, and running processes. This article does not re-litigate the mechanics of that compromise, which the earlier coverage addresses in full; the focus here is the attribution that Microsoft layered on top of it.

The Broader Pattern of North-Korea-Linked Activity Against the JavaScript Ecosystem

Microsoft's analysis situates the Mastra case within a recurring pattern rather than treating it as an isolated event. The company noted that the Mastra compromise is the second npm supply chain incident in 2026 that it has attributed directly to Sapphire Sleet. The first was a compromise of Axios, a widely used JavaScript HTTP client, which Microsoft Threat Intelligence attributed to the same cluster in April 2026, citing malicious npm package versions that retrieved payloads from infrastructure associated with the actor.

The targeting of the npm ecosystem fits a longer-running interest in reaching developers — and, through them, cryptocurrency — that Microsoft and other vendors have documented across multiple North-Korea-linked clusters. Sapphire Sleet has been tied to campaigns that masquerade as recruiters on professional platforms to lure developers into running attacker-supplied code, a social-engineering pattern that overlaps with separately tracked activity such as the macOS developer-targeting campaign reported under the Jinx-0164 label. Microsoft's own write-up of the Mastra incident pointed to the cluster's history of LinkedIn-based social engineering against targets in the financial, blockchain, and cryptocurrency sectors as relevant context for how a privileged maintainer account might be reached.

More broadly, North-Korea-linked operators are a persistent presence in CyberSignal's coverage of nation-state activity, from the memory-only remote access trojan that researchers tied to Lazarus in financial and cryptocurrency intrusions to the LLM-assisted malware development that defenders attributed to Kimsuky against the defense sector. The Mastra attribution does not assert direct operational links between these distinct clusters; it adds another data point to a well-established picture of North-Korea-linked groups treating the open-source software supply chain as a route to developers and the assets they hold.

Defender Posture for Organizations Using Mastra Packages

For organizations that pulled @mastra packages during the exposure window, Microsoft's guidance centers on inventory and verification rather than novel detection. The first task is to review dependency trees — both direct and transitive — for use of affected @mastra packages at the compromised versions, and to check for the presence of easy-day-js in node_modules directories and package-lock files across projects and CI/CD environments. Because the payload ran at install time, the relevant question is not only what an application imports but what any build agent installed.

Microsoft advised pinning known-good package versions where possible, noting that for the mastra package, version 1.13.0 and earlier are unaffected, and for @mastra/core, version 1.42.0 and earlier are unaffected. Teams that ran installs against the poisoned releases should treat affected developer workstations and build systems as potentially exposed and prioritize rotating any secrets — credentials, tokens, and API keys — that those systems could have handled, given that credential and token harvesting was a documented goal of the payload. The cryptocurrency-wallet focus also makes any host that touched the compromised packages and held wallet extensions a priority for review.

The attribution itself carries a practical implication beyond cleanup. A compromise attributed to a persistent, financially motivated state cluster is more likely to be one move in a sustained campaign than a single opportunistic event, which strengthens the case for durable controls: scoping which build systems can reach the public internet, scrutinizing postinstall scripts, and treating maintainer-account takeover as a foreseeable supply chain risk rather than an outlier. The defensive work does not change because of who is behind it, but the priority it warrants does.

Open Questions

Several points remain open. Microsoft's attribution is a high-confidence vendor assessment grounded in infrastructure and TTP overlap; it is not a government indictment or a sanctions action, and the company did not publicly disclose how the privileged maintainer account was initially compromised. The aliases that other researchers use for overlapping activity — BlueNoroff, APT38, Stardust Chollima, TA444, and others — reflect the familiar reality that different vendors draw cluster boundaries differently, so readers should treat the named groupings as Microsoft's mapping rather than a settled, universal taxonomy.

It also remains to be seen how the broader response unfolds: whether additional vendors independently corroborate the attribution, whether any government body acts on it, and whether the same cluster returns to the npm ecosystem a third time in 2026 after the Axios and Mastra incidents. Independent trade reporting, including Infosecurity Magazine's coverage of the attribution, has relayed Microsoft's North-Korea nexus finding without adding a separate technical attribution of its own, which keeps the assessment for now a single-vendor judgment rather than a multi-source consensus. What is established is the core of Microsoft's claim — that the June 17 Mastra compromise was, in the company's high-confidence assessment, the work of a North-Korea-linked, financially motivated cluster with a documented history of targeting developers and cryptocurrency — and that assessment is the throughline connecting this incident to a pattern that defenders of the open-source supply chain are likely to keep encountering.


The CyberSignal Analysis

The reported facts above are Microsoft's; what follows is The CyberSignal's editorial reading of what defenders should take from them. None of the judgments below are new reported facts, and all of them preserve Microsoft's own alias hedging and high-confidence-but-single-vendor framing.

Signal 01 — Attribution Sharpens Priority, Not the Playbook

The cleanup work for a poisoned npm scope does not change because Microsoft put a name on it: teams still audit dependency trees, pin known-good versions, and rotate secrets that touched a build agent. What a named cluster changes is not the checklist but the urgency behind it. A compromise attributed to a persistent, financially motivated state actor is better modeled as one move in an ongoing campaign than as an opportunistic hijack, and that reframing is what justifies spending on durable controls — internet-egress scoping for build systems, postinstall-script scrutiny, maintainer-account-takeover planning — rather than treating the incident as closed once the bad versions are purged.

Our reading is that defenders should let the attribution inform triage weighting while resisting the temptation to treat it as new technical intelligence. The value of a name like Sapphire Sleet, for most organizations, is that it tells them how long to keep watching and how much to invest in prevention — not that it hands them a novel indicator to hunt. The mechanics of the compromise, documented in the earlier coverage, remain the operative detail for remediation.

Signal 02 — The JavaScript Ecosystem Is a Standing North-Korea Target

The Mastra case is the second npm supply chain incident Microsoft has tied to this one cluster in 2026, after the Axios compromise in April, and it sits alongside a broader run of North-Korea-linked developer-targeting that CyberSignal has tracked across separate clusters. Our assessment is that this cadence is the signal worth internalizing: the open-source JavaScript registry is not being probed occasionally but treated as a repeatable route to developers and the cryptocurrency assets they hold. A single npm incident reads differently when it is the latest entry in a sustained pattern rather than an isolated event.

For security teams, the practical consequence is to stop treating registry compromises as tail-risk surprises. If a state-aligned cluster is returning to the same ecosystem on a months-long cycle, the defensive posture that follows is standing instrumentation of the software supply chain — dependency monitoring, install-time behavior detection, and maintainer-trust review — rather than incident-by-incident reaction each time a scope is poisoned.

Signal 03 — A High-Confidence Vendor Call Is Not a Consensus Finding

Microsoft's judgment is a high-confidence assessment built on infrastructure and post-compromise TTP overlap, and it carries the alias caveat that other researchers draw cluster boundaries differently — BlueNoroff, APT38, Stardust Chollima, TA444 all map onto overlapping-but-not-identical activity. Our reading is that this hedging is a feature of the disclosure, not a weakness: a vendor attribution is a probabilistic call, not a court filing or a sanctions designation, and treating it as settled fact overstates what any single company can establish about a state operation.

The forward-looking watch item is corroboration. Until a second vendor independently reaches the same nexus or a government body acts, the Sapphire Sleet label remains Microsoft's mapping rather than a universal taxonomy. We would treat the attribution as actionable for prioritization while flagging, in any internal reporting, that it is a single-source assessment whose cluster boundaries may be redrawn as other researchers weigh in.


Sources

TypeSource
PrimaryMicrosoft Security Blog — From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet
ReportingInfosecurity Magazine — Microsoft Attributes Mastra AI Supply Chain Attack to North Korea
RelatedThe CyberSignal — Mastra npm: 145 Packages Compromised via Contributor Account
RelatedThe CyberSignal — Lazarus RemotePE Memory-Only RAT Targets Finance and Crypto