What Happened
A malicious dependency the attackers added to over 140 Mastra packages fetches a payload targeting cryptocurrency extensions.
Why It Matters
According to Microsoft and multiple security vendors, North Korean threat group Sapphire Sleet compromised over 140 Mastra-related npm packages by injecting a malicious dependency (easy-day-js) into the Mastra AI framework ecosystem.[2][5][8] The malware executed at install time, harvested system data, and targeted more than 160 cryptocurrency-related browser extensions across Windows, macOS, and Linux, exposing developer machines and CI/CD runners to credential theft and persistent compromise.[2][5][7][8] From a CyberSE.AI perspective, this is a critical AI supply chain incident affecting an AI agent/orchestration framework: organizations building or running AI agents on JavaScript/TypeScript stacks must implement SBOM-driven dependency tracking, strict npm lifecycle script controls, and continuous red-teaming of AI build and deployment pipelines.[1][7] Hardening CI/CD for AI workloads, auditing all @mastra/* usage, rotating secrets (including LLM API keys), and institutionalizing AI-focused supply chain governance are practical steps to reduce blast radius from similar future attacks.[1][7]
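One way to start the @mastra/* audit described above is to scan a project's package-lock.json for the easy-day-js dependency and for packages that run install-time scripts. This is an added example, not code from the article or from the Mastra project; it assumes an npm lockfile with the version 2/3 "packages" map, and the sample lockfile, its versions and the "left-alone" package are constructed.

```javascript
// Audit an npm lockfile (lockfileVersion 2/3 "packages" map) for the dependency
// named in the report and for packages that run install-time scripts.
const SUSPECT = 'easy-day-js'; // dependency name given in the report
const SCOPE = '@mastra/';      // package scope given in the report
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root project has key "".
function packageName(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  if (i !== -1) return lockPath.slice(i + marker.length);
  return lockPath === '' ? '(root project)' : lockPath; // workspace folder entry
}

function auditLockfile(lock) {
  const out = { suspectInstalled: [], requiredBy: [], mastra: [], installScripts: [] };
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(lockPath);
    const id = `${name}@${meta.version || '?'}`;
    if (name === SUSPECT) out.suspectInstalled.push(lockPath);
    if (name.startsWith(SCOPE)) out.mastra.push(id);
    // npm records hasInstallScript for packages with preinstall/install/postinstall.
    if (meta.hasInstallScript) out.installScripts.push(id);
    // Record which package pulls the suspect in, so that parent can be triaged.
    const pulls = DEP_FIELDS.some((f) => Object.keys(meta[f] || {}).includes(SUSPECT));
    if (pulls) out.requiredBy.push(id);
  }
  out.affected = out.suspectInstalled.length > 0 || out.requiredBy.length > 0;
  return out;
}

// Constructed sample lockfile: the project name, "left-alone" and every version
// number are placeholders, not values from the incident.
const SAMPLE_LOCK = {
  name: 'demo-agent', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-agent', version: '1.0.0', dependencies: { '@mastra/core': '^0.0.0' } },
    'node_modules/@mastra/core': { version: '0.0.0', dependencies: { 'easy-day-js': '*' } },
    'node_modules/@mastra/core/node_modules/easy-day-js': { version: '0.0.0', hasInstallScript: true },
    'node_modules/left-alone': { version: '2.0.0' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Entries under installScripts are the packages that would run code during npm install unless lifecycle scripts are disabled, for example with npm ci --ignore-scripts.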
CyberSE Analysis
This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://www.securityweek.com/north-korean-hackers-blamed-for-mastra-npm-supply-chain-attack/