A dormant npm account handed Sapphire Sleet the keys to the entire @mastra scope on June 17. The North Korean state hacking group, also known as BlueNoroff, published malicious updates across 140 packages, including @mastra/core, which pulls 4 million downloads a month.

The attack exploited “ehindero,” a dormant maintainer account with scope-wide publish rights that was never revoked. Attackers injected a single dependency into every package: “easy-day-js,” a typosquat of the widely used dayjs date library. When developers ran npm install, a postinstall hook fired, disabled TLS verification, pulled a second-stage payload from attacker-controlled servers, and spawned it as a hidden background process. The implant then checked for 166 cryptocurrency wallet browser extensions, including MetaMask, Phantom, and Coinbase Wallet, while harvesting credentials, API keys, and auth tokens across Windows, Linux, and macOS.

Any CI/CD pipeline that ran npm install after June 17 was potentially exposed, regardless of whether you explicitly imported an affected package. That is transitive exposure: no direct opt-in required.

Microsoft attributed the attack with high confidence to Sapphire Sleet on June 19, citing shared PowerShell backdoors, C2 infrastructure, and persistence tradecraft from prior campaigns. Sapphire Sleet ran the same playbook against the Axios HTTP client in April 2026. Two npm supply chain attacks in eight weeks, same group, same mechanism. If npm still doesn’t expire stale publish permissions after inactivity, this pattern continues.

npm removed the compromised packages and revoked scope access. But anyone who installed between June 17 and removal needs to rotate API keys and auth tokens now. Then audit every npm package your team publishes: who has maintainer rights, when did they last push, and does that dormant account have 2FA?
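One way to run the audit this paragraph calls for, as an added example that is not from the original piece: a Node.js script that reads a package's registry packument (its `maintainers`, `time` and `versions[v]._npmUser` fields) and flags every account with publish rights whose latest publish is older than 180 days, or that has never published at all. The packument below is constructed sample data with placeholder account names; fetching the real one from the registry is assumed to happen separately.

```javascript
// Dormant-maintainer audit over an npm registry "packument"
// (the JSON returned by GET https://registry.npmjs.org/<package>).
// Fields used: `maintainers` (accounts with publish rights), `time`
// (version -> ISO publish timestamp) and `versions[v]._npmUser` (who published).
// The packument below is constructed sample data; account names are placeholders.

const DORMANT_AFTER_DAYS = 180;

const samplePackument = {
  name: "@example/core",
  maintainers: [{ name: "alice" }, { name: "old-account" }, { name: "carol" }],
  time: {
    "0.1.0": "2021-03-01T00:00:00.000Z",
    "1.0.0": "2026-03-01T00:00:00.000Z",
    "1.1.0": "2026-06-10T00:00:00.000Z",
  },
  versions: {
    "0.1.0": { _npmUser: { name: "old-account" } },
    "1.0.0": { _npmUser: { name: "alice" } },
    "1.1.0": { _npmUser: { name: "alice" } },
  },
};

// For each account that holds publish rights, find its most recent publish
// (null if it never published a version still in the registry) and flag it as
// dormant when that publish is older than `dormantAfterDays` relative to `now`.
function auditMaintainers(packument, now = new Date(), dormantAfterDays = DORMANT_AFTER_DAYS) {
  const lastPublish = new Map(); // account name -> epoch ms of latest publish
  for (const [version, meta] of Object.entries(packument.versions || {})) {
    const user = meta._npmUser && meta._npmUser.name;
    const when = packument.time && packument.time[version];
    if (!user || !when) continue;
    const ts = Date.parse(when);
    if (!lastPublish.has(user) || ts > lastPublish.get(user)) lastPublish.set(user, ts);
  }
  const cutoff = now.getTime() - dormantAfterDays * 86400000; // ms per day
  return (packument.maintainers || []).map(({ name }) => {
    const ts = lastPublish.get(name);
    return {
      name,
      lastPublish: ts === undefined ? null : new Date(ts).toISOString(),
      dormant: ts === undefined || ts < cutoff, // never published, or stale
    };
  });
}

for (const m of auditMaintainers(samplePackument, new Date("2026-06-20T00:00:00.000Z"))) {
  console.log(`${m.name.padEnd(12)} last publish: ${m.lastPublish ?? "never"}${m.dormant ? "  <-- dormant: review publish rights and 2FA" : ""}`);
}
```

Run it against the real packument for each package your team publishes and treat every flagged account as a candidate for revocation or at least a 2FA check.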

— Nathan Zakhary