North Korean Hackers Target AI Supply Chains with Malicious npm Packages

By Mag-Info Tech editorial · 2026-06-21

A recent supply-chain incident shows how attackers can weaponize the trust developers place in open-source ecosystems. Microsoft traced a campaign that compromised more than 140 npm packages in the Mastra AI environment to a North Korean group called Sapphire Sleet (also tracked as BlueNoroff). The operation began when the attackers hijacked an npm maintainer account, used it to publish malicious updates, and then leveraged typosquatting and postinstall hooks to install a multi-platform information stealer on developers’ machines. The goal was to harvest credentials, API keys, authentication tokens, and cryptocurrency wallets across Windows, Linux, and macOS.

How the Attack Started: Compromised Maintainer and Typosquatting

The threat actors first took control of the npm account “ehindero,” which had publishing rights for the @mastra scope. With that access, they released malicious updates for more than 140 packages. The malicious payload hid inside a dependency named “easy-day-js,” a deliberate misspelling of the legitimate and widely used dayjs library. Because many developers rely on automated package installation, the malicious dependency was downloaded automatically whenever the compromised packages were installed. This kind of typosquatting exploits the fact that developers often type package names quickly and may not notice subtle misspellings.
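As an added illustration (not code from Microsoft or the Mastra project), the sketch below shows a name-similarity check that would flag "easy-day-js" as a lookalike of dayjs during dependency review. The PROTECTED list is an assumed allowlist of names a team actually depends on, and the length and distance thresholds are illustrative choices.

```javascript
// Added example: flag dependency names that imitate a package you really use.
// PROTECTED is an assumed allowlist; replace it with your own direct dependencies.
const PROTECTED = ['dayjs', 'lodash', 'express', 'axios'];

// Lowercase, drop any @scope/ prefix and remove separators, so that
// "easy-day-js" becomes "easydayjs" and can be compared with "dayjs".
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, '').replace(/[-_.]/g, '');
}

// Levenshtein distance, computed row by row.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

// Returns null for an unremarkable name, or { target, reason } for a lookalike.
function lookalikeOf(candidate, protectedNames = PROTECTED) {
  if (protectedNames.includes(candidate)) return null; // the expected package itself
  const c = normalize(candidate);
  for (const target of protectedNames) {
    const t = normalize(target);
    if (c === t) return { target, reason: 'separator-variant' };
    // Short names are skipped below to avoid matching unrelated packages.
    if (t.length >= 5 && c.includes(t)) return { target, reason: 'embeds-name' };
    if (t.length >= 5 && editDistance(c, t) <= 1) return { target, reason: 'edit-distance' };
  }
  return null;
}

console.log(lookalikeOf('easy-day-js')); // constructed input taken from this page
```

Legitimate plugins and scoped forks also embed well-known names, so a hit is a prompt for manual review of the publisher and contents, not a verdict.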

Once installed, the malicious dependency executed a postinstall hook—a standard npm feature that runs scripts after a package is added. In this case, the hook triggered an obfuscated dropper script that disabled Transport Layer Security certificate verification, contacted attacker-controlled command-and-control servers, downloaded a second-stage payload, and executed it as a hidden background process. The initial compromise therefore did not require any extra user action beyond running a standard npm install command, making it a classic supply-chain attack vector.

Multi-Platform Malware with Cryptocurrency Focus

The second-stage payload was a cross-platform information stealer designed to run on Windows, Linux, and macOS. It collected host information, browser histories, installed applications, and running processes. It also specifically checked for 166 cryptocurrency wallet browser extensions, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink. This focus reflects the group’s known financial motives: BlueNoroff has a long history of targeting cryptocurrency firms and individuals to fund the North Korean regime.

Persistence mechanisms varied by operating system. On Windows, the malware used Registry Run keys to survive reboots. On macOS, it installed LaunchAgents, and on Linux it created systemd services. These choices show the attackers planned for long-term access and data exfiltration rather than a one-off theft. Microsoft observed follow-on activity on systems that communicated with the attackers’ C2 servers, including tactics previously attributed to Sapphire Sleet, reinforcing the high-confidence attribution.

Why Supply Chains Are the New Battleground

This incident is part of a broader trend where attackers shift from direct attacks on end users to compromising the infrastructure that delivers software. Open-source package registries like npm are attractive because a single malicious package can reach thousands of downstream projects and developers. The Mastra AI ecosystem, which bundles multiple packages under the @mastra scope, amplified the impact: compromising the scope meant every package update carried the malicious dependency.

Attacks like this exploit the speed of modern development. Teams often automate dependency updates to keep up with feature requests and bug fixes, trusting that package maintainers have vetted their code. When an attacker controls a maintainer account, that trust is broken at the source. The use of typosquatting and postinstall hooks means the malware can spread without any visible red flags during installation, making detection difficult for individual developers.

What Developers and Organizations Should Do Now

If you or your team use packages in the @mastra scope, review your dependency manifests and lockfiles for any references to easy-day-js or recent updates from the compromised maintainer account. Remove the malicious dependency immediately and audit other packages for similar typosquatting patterns. Consider using tools that scan dependencies at install time and block known malicious packages.
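The lockfile review described above can be scripted. This added example (not part of the original article or any vendor tooling) walks a parsed package-lock.json and reports where easy-day-js is installed, which packages pull it in, and which entries npm has marked as running install scripts. The sample lockfile, the name "@mastra/example-pkg" and all version numbers are constructed placeholders.

```javascript
// Added example: scan a parsed package-lock.json for the dependency named on this page.
const INDICATOR = 'easy-day-js';

// "node_modules/@scope/a/node_modules/b" -> "b"; the root entry ("") has no path name.
function nameFromPath(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? '' : key.slice(i + marker.length);
}

function scanLockfile(lock, indicator = INDICATOR) {
  const findings = { installed: [], requiredBy: [], installScripts: [] };
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
    for (const [key, entry] of Object.entries(lock.packages)) {
      const name = entry.name || nameFromPath(key) || '(root)'; // entry.name covers aliases
      const label = `${name}@${entry.version || '?'}`;
      const deps = { ...entry.dependencies, ...entry.optionalDependencies, ...entry.devDependencies };
      if (name === indicator) findings.installed.push(label);
      if (indicator in deps) findings.requiredBy.push(label);
      if (entry.hasInstallScript) findings.installScripts.push(label);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree; "requires" lists each entry's deps.
    const walk = (tree) => {
      for (const [name, entry] of Object.entries(tree || {})) {
        const label = `${name}@${entry.version || '?'}`;
        if (name === indicator) findings.installed.push(label);
        if (entry.requires && indicator in entry.requires) findings.requiredBy.push(label);
        walk(entry.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return findings;
}

// Constructed sample lockfile: hypothetical package name, placeholder versions.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { '@mastra/example-pkg': '*' } },
    'node_modules/@mastra/example-pkg': { version: '0.0.0', dependencies: { 'easy-day-js': '*' } },
    'node_modules/easy-day-js': { version: '0.0.0', hasInstallScript: true },
    'node_modules/dayjs': { version: '0.0.0' },
  },
};
console.log(scanLockfile(SAMPLE_LOCK));
```

For a real project, pass in the result of `JSON.parse` on the contents of package-lock.json. Many legitimate packages also carry install scripts, so the `installScripts` list is a review queue and not a list of malicious packages.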

Organizations should also review their npm maintainer and publishing policies. Enforce multi-factor authentication for npm accounts with publishing rights, limit the scope of maintainer privileges, and monitor for unusual package activity. Implementing integrity checks and checksum verification for critical dependencies can reduce the risk of tampered packages going unnoticed.

How to Detect and Respond to Similar Threats

Because the malware disabled TLS certificate verification, defenders should look for unexpected certificate errors in logs or network traffic analysis. Monitor for processes spawned by postinstall hooks, especially if they run obfuscated scripts or contact unfamiliar domains. Endpoint detection and response tools can flag unusual persistence mechanisms such as new Registry Run keys, LaunchAgents, or systemd services.

Incident response should include isolating affected systems, revoking any exposed credentials or API keys, and rotating cryptocurrency wallet seeds or passwords stored in browsers. Given the cross-platform nature of the malware, ensure your response plan covers Windows, Linux, and macOS endpoints. Collecting and preserving logs from package managers and network traffic can help reconstruct the timeline and scope of the compromise.

The Broader Implications for AI and Open-Source Security

The Mastra AI incident highlights how AI ecosystems can inherit the security risks of their underlying open-source components. Many AI frameworks and libraries rely on npm packages for utilities, data processing, and visualization. If those packages are compromised, the integrity of the entire AI pipeline is at risk. This raises questions about supply-chain security for AI models, datasets, and deployment pipelines.

Organizations building with AI should treat their dependency graphs with the same rigor they apply to model training data. Establish a software bill of materials (SBOM) for every AI project, continuously scan dependencies for vulnerabilities and signs of tampering, and maintain a rollback plan for compromised updates. Sharing threat intelligence within AI-focused communities can help identify emerging typosquatting campaigns before they spread widely.

What to Watch Next

Expect more sophisticated supply-chain attacks that combine typosquatting, compromised maintainer accounts, and multi-stage malware. Attackers will likely target AI-specific ecosystems where packages are less scrutinized than core libraries. Watch for new campaigns using AI-centric package names or forks of popular AI tools.

Security vendors will likely release new tools that integrate with package managers to block malicious postinstall scripts and verify package integrity at scale. Organizations should evaluate these solutions and prepare for stricter dependency policies. Meanwhile, npm and similar registries may introduce stricter publishing controls and automated scanning to reduce the risk of similar incidents.

In the near term, developers should assume that any package name is a potential target for typosquatting and treat every update with caution. Teams should adopt a zero-trust approach to dependencies: verify sources, scan before installation, and monitor after deployment. The Mastra incident is not an isolated event, but a preview of the supply-chain threats that will define the next phase of software security.
