Microsoft links Mastra AI supply chain attack to North Korean hackers
Microsoft attributed a Mastra AI supply chain attack that compromised over 140 npm packages to North Korean hacking group Sapphire Sleet (BlueNoroff). The attack targeted the npm ecosystem and AI development infrastructure.
- Disclosed
- Last updated
- Blast radius
- 140+ npm packages compromised; potential impact on AI/ML development workflows
- Ecosystems
- Attack vectors
- Threat actor
- Affected entities
- Mastra AISupply chain compromised; 140+ npm packages affected
Microsoft has linked a recent supply chain attack targeting Mastra AI to the North Korean hacking group Sapphire Sleet, also known as BlueNoroff. The attack compromised more than 140 npm packages, indicating a significant breach of the JavaScript/Node.js ecosystem.\n\nThe compromise of Mastra AI's supply chain represents a serious threat to developers and organizations relying on affected npm packages. With over 140 packages impacted, the attack has broad potential reach across the npm ecosystem and AI/ML development communities.\n\nMicrosoft's attribution to a state-sponsored North Korean actor suggests this was a targeted, sophisticated operation rather than opportunistic malware distribution.
Indicators of compromise
- Packages
- Mastra AI npm packages (140+ affected, specific names not listed in source)
Remediation
- Audit all dependencies on affected Mastra AI npm packages immediately
- Update to patched versions of all compromised packages once available
- Review npm package integrity and verify package signatures
- Monitor for suspicious activity in projects using Mastra AI packages
- Consider implementing additional supply chain security controls and package verification mechanisms
Sources
- Microsoft links Mastra AI supply chain attack to North Korean hackers · BleepingComputer
Cite this entry
"Microsoft links Mastra AI supply chain attack to North Korean hackers." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 20, 2026; last updated June 20, 2026. https://supplychainattack.org/incident/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers-18qpwu
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- activecritical
Mastra npm Supply Chain Attack: 140+ Packages Backdoored via easy-day-js Typosquat
On June 17, 2026, an attacker compromised the @mastra npm organization and injected easy-day-js, a typosquat of the popular dayjs library, as a dependency across 140+ packages. The malicious package contained an obfuscated postinstall dropper that downloaded and executed a second-stage payload from attacker-controlled servers before self-deleting. The affected packages had a combined weekly download count exceeding 1.1 million.
npmCompromised packageTyposquattingMalicious maintainer - activecritical
The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave
TeamPCP conducted a multi-ecosystem supply chain compromise targeting the @antv package and associated development infrastructure. The attack leveraged GitHub, NPM, and VSCode to steal credentials and establish persistence mechanisms.
TeamPCPnpmOtherAccount takeoverCompromised packageMalicious maintainer - resolvedcritical
Behind the Scenes: How StepSecurity Detected and Helped Remediate the Largest npm Supply Chain Attack
StepSecurity detected a compromise of axios, described as the largest npm supply chain attack on a single package by download count. A state-sponsored threat actor is reported to have actively suppressed warnings by deleting GitHub issues. Detection occurred before public disclosure.
UNC1069npmCompromised packageMalicious maintainer - activecritical
15 Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developers
A coordinated 8-month supply chain attack compromised 15 malicious JetBrains plugins on the official JetBrains Marketplace, stealing AI API keys from approximately 70,000 developers. The credential-stealing code exfiltrated OpenAI, DeepSeek, and SiliconFlow API keys to an attacker-controlled server in Beijing, which remained operational at the time of disclosure.
OtherCompromised packageMalicious maintainer