Security / Jun 20, 2026 / 7 min

North Korea Backdoored 143 npm Packages in the Mastra Framework

On June 17, North Korean hackers backdoored every package in the Mastra agent framework's npm scope — and on June 19, Microsoft attributed the attack to Sapphire Sleet, a state actor that primarily targets the financial sector.

Thesis: The AI agent supply chain is now a geopolitical attack surface — and stale maintainer credentials are the unlocked door.

On June 17, between 1:15 and 2:00 a.m. UTC, an attacker used a dormant npm maintainer account to republish all 143 packages in the @mastra scope — the open-source agent framework used by thousands of AI developers — each seeded with a malicious dependency that executed on install. Two days later, Microsoft attributed the campaign to Sapphire Sleet, a North Korean state-sponsored group that primarily targets the financial sector. The payload didn't wait for anyone to run an agent. It fired during npm install, disabled TLS verification, downloaded a second-stage stealer from attacker-controlled servers, and hunted for 166 cryptocurrency wallet extensions. Any developer workstation or CI/CD pipeline that pulled a compromised version during the exposure window is a potential breach.

Why this matters now: Agent frameworks are becoming critical infrastructure. Attackers have noticed — and they're not hacking models. They're hacking the pipes.

The attack, in 45 minutes:

  • The foothold was a stale credential. The npm account ehindero belonged to a real former Mastra contributor whose publish access was never revoked after going dormant in early 2025.
  • On June 16, a coordinating account (sergey2016) published easy-day-js — a typosquat of the legitimate dayjs library (57 million weekly downloads). Version 1.11.21 was clean bait. Version 1.11.22, published minutes before the mass rollout on June 17, added a postinstall hook.
  • On June 17, the attacker republished the entire @mastra scope — 139 scoped packages plus mastra, create-mastra, and mastracode — each pinning easy-day-js@^1.11.21, which semver-resolved to the weaponized 1.11.22.
  • Legitimate Mastra releases carry SLSA provenance attestations. Every malicious version dropped them entirely.

What the malware did:

  • Microsoft's deobfuscation of the dropper reveals a five-step sequence: disable TLS certificate validation, write tracking markers to the temp directory, fetch a ~41 KB cross-platform implant from 23.254.164.92:8000, spawn it as a hidden detached Node.js process, and enter a persistent C2 poll loop.
  • The second-stage payload fingerprints the host — installed applications, browser histories, running processes — and checks for 166 crypto wallet browser extensions, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink.
  • On Windows, follow-on activity deployed a PowerShell backdoor previously associated with Sapphire Sleet, added Microsoft Defender exclusions, and installed a service granting SYSTEM privileges.
  • As Microsoft put it in its June 19 update: "Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector."

The pattern is not new — the target is:

  • Sapphire Sleet, also tracked as BlueNoroff, is a North Korean unit known for cryptocurrency theft, fake job offers, malicious browser extensions, and software supply chain compromises.
  • The same group conducted a separate npm supply chain attack on the Axios HTTP client in April 2026, per Microsoft.
  • Snyk estimates @mastra/core alone pulls roughly 4 million downloads a month, with more than 30 million monthly across the full scope. The blast radius is not niche.

Why agent stacks are the next front:

  • Mastra is not a chatbot wrapper. It is an agent orchestration framework — the kind of tooling enterprises are wiring into production workflows right now.
  • The attack exploited the weakest link in open-source AI: contributor access that outlives the contributor. No model jailbreak required. No prompt injection. Just a forgotten npm password and an automated publish script that hit 143 packages in under an hour.
  • npm has removed the malicious packages and revoked the attacker's publish access. Mastra forward-rolled clean versions. But any machine that ran npm install during the window should be treated as a host-exposure event — not a dependency bump.

What enterprises should do:

  • Audit any project that resolved @mastra packages between June 16–17, 2026.
  • Require SLSA provenance or equivalent attestations for AI framework dependencies.
  • Revoke maintainer credentials when contributors leave — the ehindero account sat dormant for months with full scope access.
  • Treat agent framework installs with the same rigor as production secrets: isolated CI runners, dependency pinning, and postinstall script review.

Convina's view: The AI security conversation has been obsessed with model guardrails, export controls, and hallucination liability — all real, all already in the headlines. This attack is a reminder that the agent economy's most exploitable surface is humbler: the npm account nobody remembered to delete. North Korea didn't need a frontier model to reach crypto wallets inside AI development shops. It needed a stale credential and 45 minutes. Until agent frameworks get the same identity governance enterprises demand for human employees, the supply chain is not a secondary risk. It is the primary one.

Research Signals

  • https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/
  • https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/
  • https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/
  • https://www.chainguard.dev/unchained/mastra-npm-scope-takeover-143-packages-backdoored-via-compromised-contributor-account
  • https://orca.security/resources/blog/mastra-npm-supply-chain-attack/