The npm ecosystem isn't broken. It's weaponized.
You think your CI/CD pipeline is safe because you use trusted packages? You're not wrong — you're just late.
Microsoft confirmed this week that Sapphire Sleet, the North Korean hacking group also known as BlueNoroff, turned npm into a silent crypto theft pipeline. More than 140 packages under the @mastra scope were compromised. Not because of a vulnerability in Node.js. Not because of a misconfigured CI runner. But because someone stole an npm maintainer account: ehindero.
And here's the brutal truth: that account had publishing privileges across the entire Mastra package environment. No one checked. No one questioned. No one even noticed until the malware started phoning home.
This isn't a zero-day. It's a zero-trust failure.
I've seen this movie before. Back in April, Sapphire Sleet did the exact same thing to Axios. Same playbook. Same arrogance. Same belief that developers are too lazy to audit their dependencies.
They're not wrong.
The hijack: one account, 140 packages, zero alarms
The attacker didn't brute-force ehindero's password. They didn't phish. They didn't exploit a GitHub API flaw.
They waited.
They watched.
They waited until ehindero stopped logging in.
Maybe the maintainer got a new job. Maybe they got sick. Maybe they just got tired of maintaining open-source code for free while people in Silicon Valley paid $300k to build AI wrappers around npm packages that do nothing.
Whatever happened, ehindero vanished. And Sapphire Sleet moved in.
They didn't even need to create a new package. They just updated existing ones.
Each update injected one dependency: easy-day-js. A typosquat of the legitimate and widely used dayjs JavaScript library.
It looked harmless. It looked like a typo.
It was a trap.
The payload: a silent thief in every developer's terminal
The post-install hook in easy-day-js didn't just steal passwords.
It hunted.
Microsoft's analysis shows the dropper executed an obfuscated script, disabled TLS certificate verification, and contacted attacker-controlled command-and-control infrastructure. From there it downloaded a second-stage payload — a cross-platform information stealer designed for Windows, Linux, and macOS. The payload ran as a detached hidden process, which means it didn't show up in your task manager. It didn't ask permission. It just existed.
The implant collected host information, browser histories, installed applications, and running processes. Then it checked whether 166 cryptocurrency wallet browser extensions were installed: MetaMask, Phantom, Coinbase Wallet, Binance Wallet, TronLink. All of them.
But here's what Microsoft didn't say out loud: this wasn't just about crypto.
It was about access. The malware targeted sensitive credentials, API keys, and authentication tokens alongside the wallets. That's the real prize for a state actor who doesn't need your money — they need your identity.
And then it persisted using OS-specific methods: Windows Registry Run keys, macOS LaunchAgents, and Linux systemd services. Each one designed to survive a reboot. Each one designed to blend into the noise.
The follow-on activity included deployment of a PowerShell backdoor previously used by the group, additional persistence mechanisms, Microsoft Defender exclusions, and a malicious Windows service that granted SYSTEM privileges. This wasn't random malware. This was a coordinated, persistent intrusion designed to maintain access for as long as possible.
Systems that communicated with the attackers' command-and-control servers showed follow-on activity utilizing tactics previously associated with Sapphire Sleet. The group doesn't just break in and steal — they set up shop, dig in, and stay put.
The backdoor: a ghost from past attacks
Here's where it gets scary.
The second-stage payload included a PowerShell backdoor with tradecraft and C2 infrastructure that Microsoft says Sapphire Sleet has used in other, prior campaigns. Same obfuscation patterns. Same persistence mechanisms. Same habit of adding Microsoft Defender exclusions and deploying a malicious Windows service that grants SYSTEM privileges.
This isn't a new actor. It's the same guy who tried to steal from Korean banks. Who deployed fake VS Code extensions. Who used npm as a backdoor in the Axios attack.
Sapphire Sleet doesn't innovate. They iterate.
They're not trying to be stealthy in the way that sophisticated espionage groups are. They're trying to be persistent. And they're winning.
The group is known for cryptocurrency theft campaigns, malicious browser extensions, fake job offers targeting Korean tech workers, and software supply chain compromises designed to steal credentials and cryptocurrency assets. This attack fits every pattern they've ever used — just with a bigger target.
What makes this particularly dangerous is the scale. One compromised account, 140 packages, and suddenly every developer who uses Mastra becomes a potential victim. The attack vector is so simple — just update an existing package, inject one dependency — that it's almost impossible to defend against without fundamental changes to how we trust open-source software.
For context on similar npm-based supply chain campaigns, see our coverage of "IronWorm Malware Hits 36 npm Packages in Supply Chain Attack" and "Red Hat npm Packages Compromised in Supply-Chain Attack Distributing Miasma Malware".
Why AI toolchains are the new gold rush
Let's be honest: nobody cares if a random npm package gets hijacked.
But when that package is part of Mastra AI? That's different.
Mastra isn't just a library. It's a framework. It's the glue between LLMs and enterprise data pipelines. It's used in internal AI agents that auto-generate PRs, auto-review code, auto-deploy.
Compromise Mastra, and you compromise the entire feedback loop.
The attacker didn't just steal credentials. They stole the trust of the development process.
Imagine this: your AI assistant auto-generates a security patch. It's signed by a compromised package. It gets merged. It gets deployed. It disables your WAF.
No human ever saw it. No alert fired. Because the AI thought it was doing its job.
That's the future Sapphire Sleet is building. And from a hardware perspective, it's terrifying — because we've spent years hardening chips against side-channel attacks and physical tampering, while the software layer that actually runs on those chips remains wide open.
The Mastra ecosystem represents exactly the kind of infrastructure that makes modern AI development possible. It's the connective tissue between models and data. And when you compromise that, you don't just steal credentials — you poison the well for everyone who depends on it.
This is why nation-state actors are targeting AI toolchains specifically. They know that compromising these frameworks gives them access to the entire development pipeline, not just individual machines.
The broader threat landscape includes self-replicating supply chain attacks like "The Miasma Worm: A Self-Replicating Supply Chain Attack Targeting AI Coding Agents", which shows how these threats are evolving beyond simple credential theft.
The defense? Stop pretending you're safe.
Here's what you need to do.
- Audit your npm dependencies like your life depends on it. Use npm audit --json and cross-reference with the GitHub Advisory Database. Don't just run it once. Run it daily.
- Enable npm's signed packages. If a package doesn't have a signature from a verified maintainer? Block it. Period.
- Use a package manager that enforces provenance. Not npm. Not yarn. Use pnpm with --strict-peer-dependencies and --frozen-lockfile. And if you're serious? Use Sigstore for code signing.
- Monitor your CI/CD logs for post-install scripts. If you see postinstall in a package.json? Flag it. Block it. Ask why it's there.
- Assume every maintainer account is compromised. If someone hasn't logged in for 30 days? Revoke their access. Revoke it. Revoke it.
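The hijack described above changed a lockfile in a recognizable way: a routine version bump pulled in one new dependency that carried an install script and had a lookalike name. The check below is an added example, not code from Microsoft or Mastra. It diffs two package-lock.json snapshots (lockfileVersion 2/3) for exactly that pattern. The KNOWN_NAMES list, the @example/framework package and all version numbers are constructed placeholders.

```javascript
// Added example. Lockfile snapshots are constructed; versions are placeholders.
const KNOWN_NAMES = ["dayjs", "lodash", "axios"]; // assumption: your own list of popular names

// Drop scope and separators so "easy-day-js" becomes "easydayjs".
const squash = (name) => name.toLowerCase().replace(/^@[^/]+\//, "").replace(/[-_.]/g, "");

// Heuristic: a different name that contains a known name once separators are removed.
function lookalikeOf(name) {
  const hit = KNOWN_NAMES.find((k) => name !== k && squash(name).includes(squash(k)));
  return hit || null;
}

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function nameFromKey(key) {
  return key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Index the lockfile "packages" map by name; the root ("") and workspace paths are skipped.
function indexLock(lock) {
  const byName = new Map();
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key.includes("node_modules/")) byName.set(nameFromKey(key), entry);
  }
  return byName;
}

// Report packages that are new, or that gained an install script, between two snapshots.
function diffLocks(oldLock, newLock) {
  const before = indexLock(oldLock);
  const findings = [];
  for (const [name, entry] of indexLock(newLock)) {
    const prev = before.get(name);
    const reasons = [];
    if (!prev) reasons.push("new-dependency");
    if (entry.hasInstallScript && !(prev && prev.hasInstallScript)) reasons.push("install-script");
    const imitated = prev ? null : lookalikeOf(name);
    if (imitated) reasons.push("lookalike:" + imitated);
    if (reasons.length) findings.push({ name, version: entry.version, reasons });
  }
  return findings;
}

const OLD_LOCK = { lockfileVersion: 3, packages: { "": { name: "app" },
  "node_modules/@example/framework": { version: "1.0.0" },
  "node_modules/dayjs": { version: "1.0.0" } } };
const NEW_LOCK = { lockfileVersion: 3, packages: { "": { name: "app" },
  "node_modules/@example/framework": { version: "1.0.1" },
  "node_modules/dayjs": { version: "1.0.0" },
  "node_modules/easy-day-js": { version: "0.0.0", hasInstallScript: true } } };

console.log(JSON.stringify(diffLocks(OLD_LOCK, NEW_LOCK), null, 2));
```

In CI, pass the parsed lockfile from the base branch and from the pull request, and fail the job when any finding carries install-script. The lookalike check is a containment heuristic and will also flag legitimate plugins of a known package, so treat it as a review prompt.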
And stop calling it "supply chain security." It's not a chain. It's a house of cards.
And Sapphire Sleet? They've got a blowtorch.
This isn't over. It's just getting started.
Sapphire Sleet doesn't care if you're a Fortune 500 or a solo dev with a GitHub repo. They care if you have a wallet. Or an API key. Or a CI token.
They don't need to break into your network. They just need you to run npm install.
And you will. Because you always do.
The next time you see a package named "easy-thing-js"? Don't install it. Just delete it.
And ask yourself: who's really in control here? The developer? Or the guy who stole an account and waited for you to click "install"?