Microsoft Threat Intelligence attributed a sophisticated npm supply chain attack to Sapphire Sleet, a North Korean state actor also tracked as BlueNoroff and APT38, on June 19, 2026. The group compromised a contributor account to Mastra, a TypeScript AI agent framework, and used it to publish malicious updates across 144 packages in the @mastra npm scope within an 88-minute window. The malware targeted LLM API keys, cloud credentials, and cryptocurrency wallets — assets directly aligned with the group’s longstanding financial collection mandate.
Context: Sapphire Sleet’s Expanding Attack Surface
Sapphire Sleet is North Korea’s financially motivated cyber operation, subordinate to the Lazarus Group cluster and historically associated with targeting cryptocurrency exchanges, blockchain firms, and financial technology companies. Its operational history includes the $625 million Ronin Network breach in 2022, large-scale fake job recruitment campaigns against fintech and crypto employees, and, more recently, infiltration of developer tooling supply chains.
The Mastra attack follows an earlier Sapphire Sleet supply chain operation against the Axios HTTP client in March 2026. Microsoft assesses these incidents as a documented campaign rather than isolated events. The attack vector is consistent across both: social engineering against a package maintainer or contributor, account compromise, and rapid injection of malicious postinstall hooks before npm’s security scanning can respond.
In the Mastra case, the compromised account belonged to a current Mastra employee. The initial access vector was a LinkedIn-delivered social engineering lure that prompted the employee to execute a payload from an attacker-controlled link. The subsequent account takeover took place off npm entirely; the publishing spree was the final step.
The Technical Mechanism
Once Sapphire Sleet controlled the maintainer account, they pushed updates containing a typosquatted dependency, easy-day-js, mimicking the widely used dayjs library. The malicious package executed a postinstall hook: an obfuscated script that disabled TLS verification, connected to attacker-controlled command-and-control infrastructure, downloaded a second-stage cross-platform payload, and persisted via OS-specific mechanisms (registry Run keys on Windows, LaunchAgents on macOS, systemd services on Linux). The payload enumerated 166 cryptocurrency wallet browser extensions alongside browser-stored credentials, environment variables, and running processes.
Every developer who ran npm install against an affected @mastra package during the exposure window became a potential collection target.
Sector Implications
The primary financial exposure is in AI development environments where LLM API credentials, cloud provider keys (AWS, GCP, Azure), and cryptocurrency assets coexist in the same developer environment. This is the attack surface Sapphire Sleet is optimising for: AI developers often hold high-value API billing credentials alongside direct cryptocurrency exposure, in environments with less mature security tooling than their enterprise counterparts.
For financial institutions and asset managers exploring or deploying AI agent tooling, this incident highlights a direct path from developer workstation compromise to production credential theft. AI agent frameworks are increasingly integrated into workflows that carry financial and sensitive operational data; supply chain integrity for these dependencies is now a financial crime risk surface, not only a software security concern.
Recommended Actions
Rotate credentials immediately if your development environment used any @mastra npm packages between mid-June and June 17, 2026. Prioritise LLM API keys (OpenAI, Anthropic, Google, Mistral), cloud provider credentials, and cryptocurrency wallet seed phrases accessible from affected machines.
Audit npm dependency trees for the @mastra scope and remove or pin packages to verified clean versions published after June 19, 2026. npm has removed the malicious package versions from the registry; the risk is from cached installs in CI/CD pipelines and developer machines that ran npm install during the window.
Review developer workstation security posture for AI development teams: restrict browser-stored credential access, enforce device management controls, and audit environment variable handling in CI pipelines. Social engineering targeting software developers is a persistent and effective Sapphire Sleet tactic.
Enable npm provenance verification where supported and implement lockfile integrity checks in CI to detect unexpected dependency additions between approved builds.
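The dependency audit and lockfile integrity check recommended above, as an added example that is not code from Microsoft, npm or Mastra: it compares a parsed package-lock.json against the last approved one and reports the easy-day-js dependency, @mastra entries to review, newly added dependencies, and integrity changes at an unchanged version. The lockfile contents, versions and integrity strings are constructed, and the function and constant names are hypothetical.

```javascript
// Added example. Inputs are parsed package-lock.json objects (lockfileVersion 2 or 3),
// e.g. JSON.parse of the file contents in a CI step.
const TYPOSQUAT = "easy-day-js"; // dependency name reported in the article
const SCOPE = "@mastra/";        // affected npm scope reported in the article

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" yields "".
function packageName(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? "" : key.slice(i + marker.length);
}

function entries(lock) {
  const out = new Map();
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (name) out.set(key, { name, version: meta.version, integrity: meta.integrity });
  }
  return out;
}

// Hypothetical helper: compare the current lockfile with the last approved one.
function auditLockfile(current, approved) {
  const base = entries(approved);
  const report = { typosquat: [], scoped: [], added: [], integrityChanged: [] };
  for (const [key, e] of entries(current)) {
    const id = `${e.name}@${e.version}`;
    if (e.name === TYPOSQUAT) report.typosquat.push(id);
    if (e.name.startsWith(SCOPE)) report.scoped.push(id); // review against clean versions
    const old = base.get(key);
    if (!old) report.added.push(id); // dependency not present in the approved build
    else if (old.version === e.version && old.integrity !== e.integrity)
      report.integrityChanged.push(id); // same version, different tarball hash
  }
  report.failed = report.typosquat.length + report.added.length + report.integrityChanged.length > 0;
  return report;
}

// Constructed sample data: versions and integrity values are placeholders.
const APPROVED_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@mastra/core": { version: "1.0.0", integrity: "sha512-CONSTRUCTED-A" },
  "node_modules/dayjs": { version: "1.11.0", integrity: "sha512-CONSTRUCTED-B" } } };
const CURRENT_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@mastra/core": { version: "1.0.1", integrity: "sha512-CONSTRUCTED-C" },
  "node_modules/dayjs": { version: "1.11.0", integrity: "sha512-CONSTRUCTED-B" },
  "node_modules/easy-day-js": { version: "0.0.1", integrity: "sha512-CONSTRUCTED-D" } } };

console.log(JSON.stringify(auditLockfile(CURRENT_LOCK, APPROVED_LOCK), null, 2));
```

In a pipeline, a true `failed` value would stop the build until the new or changed entries are reviewed; a version bump at an existing path is listed under `scoped` but does not fail on its own.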