Full Report
Microsoft assesses with high confidence that the Mastra npm supply chain compromise is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector. The infrastructure and post-compromise TTPs observed in this campaign are consistent with previously documented Sapphire Sleet activity. Sapphire Sleet also conducted a separate npm supply chain compromise affecting Axios,…
Analysis Summary
# Threat Actor: Sapphire Sleet
## Attribution & Identity
**Sapphire Sleet** is a North Korean state-sponsored threat actor. Microsoft assesses with high confidence that this group is responsible for the Mastra npm supply chain compromise. The group is historically known for targeting the financial and cryptocurrency sectors to generate revenue for the North Korean regime.
## Activity Summary
- **Mastra Campaign (June 2026):** A large-scale supply chain attack affecting over 140 packages across the `mastra` and `@mastra` scopes on the npm registry. The actor hijacked a maintainer account to publish poisoned package versions.
- **Axios Compromise (April 2026):** A separate supply chain attack targeting the popular JavaScript HTTP client `axios`.
- **General Operations:** Frequent use of npm registry poisoning and typosquatting to infiltrate development environments.
## Tactics, Techniques & Procedures
- **Account Takeover:** Gained unauthorized access to the `ehindero` npm maintainer account and used its publishing rights to push poisoned versions of legitimately maintained packages.
- **Typosquatting:** Published `easy-day-js`, a malicious clone of the popular `dayjs` library.
- **Staged Delivery:** Utilized a "clean bait" version of packages first to avoid initial detection, followed by rapid publication of weaponized versions.
- **Malicious Postinstall Hooks:** Used npm `postinstall` scripts to trigger automated execution of payloads upon package installation.
- **Evasion & Obfuscation:**
  - Used obfuscated dropper scripts.
  - Disabled Transport Layer Security (TLS) certificate verification to facilitate communication with malicious infrastructure.
  - Executed second-stage payloads as detached, hidden processes.
- **MITRE ATT&CK Mapping (Inferred from text):**
  - **T1195.001:** Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  - **T1078:** Valid Accounts
  - **T1566.003:** Phishing: Spearphishing Service (implied for account takeover)
  - **T1059.007:** Command and Scripting Interpreter: JavaScript
  - **T1562.001:** Impair Defenses: Disable or Modify Tools (TLS verification)
## Targeting
- **Sectors:** Primarily Financial and Cryptocurrency; also targeting the broader Software Development ecosystem.
- **Geography:** Global (via npm registry), with a focus on entities aligned with North Korean strategic interests.
- **Victims:**
  - Users of the `mastra` and `@mastra` npm scopes.
  - Users of the `axios` HTTP client (April 2026).
  - The maintainer who owns the `ehindero` npm account.
## Tools & Infrastructure
- **Malware:**
  - `easy-day-js` (typosquatted malicious package).
  - Obfuscated second-stage droppers and payloads.
- **Infrastructure:**
  - Attacker-controlled Command-and-Control (C2) servers (specific IPs/URLs defanged in the original report but not detailed in the provided text).
  - **Defanged Reference:** npmjs[.]com (registry used for distribution).
## Implications
Sapphire Sleet’s shift toward targeting fundamental development building blocks (like Axios and Mastra) represents a strategic move to compromise "downstream" financial applications at the source. By infiltrating the dev-ops pipeline, the actor achieves high-privilege access to corporate environments, bypassing traditional perimeter defenses.
## Mitigations
- **MFA Enforcement:** Mandatory Multi-Factor Authentication for all npm maintainers and developers to prevent account takeovers.
- **Dependency Auditing:** Utilize tools like `npm audit` and Socket to detect malicious postinstall scripts and typosquatted dependencies. Note that `npm audit` only reports packages with a published advisory, so it catches already-reported malicious versions; install-script and name-similarity checks are needed for versions not yet reported.
- **Script Restrictions:** Configure npm to run with `--ignore-scripts` by default in CI/CD environments (for example `npm ci --ignore-scripts`, or `ignore-scripts=true` in the project `.npmrc`) to prevent `postinstall` payload execution.
- **TLS Monitoring:** Monitor for internal systems attempting to bypass TLS certificate verification, as this is a specific hallmark of Sapphire Sleet’s droppers.
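The TTPs above (install hooks, a look-alike package name, TLS verification switched off in the dropper) and the auditing mitigations can be checked together with a small manifest audit. The following is an added example, not code from the Microsoft report; the `POPULAR` list and the sample manifests are constructed for illustration, and the name-similarity check is a heuristic.

```javascript
// Added example, not code from the Microsoft report: a defender-side audit of
// package.json manifests for the install-time behaviours described above.
// The POPULAR list and the sample manifests are constructed for illustration.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall']; // run when a dependency installs
const POPULAR = ['dayjs', 'axios', 'lodash', 'express']; // extend with your own dependency set
// Patterns that switch off TLS certificate verification in Node.js.
const TLS_BYPASS = [
  /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0/,
  /rejectUnauthorized\s*:\s*false/,
];

// Normalise a name so that "easy-day-js" and "@scope/Easy_Day.JS" both become "easydayjs".
function normalize(name) {
  return name.replace(/^@[^/]+\//, '').toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Heuristic: a name that embeds a popular package name but is not that package.
function looksTyposquatted(name) {
  const n = normalize(name);
  return POPULAR.filter((p) => n !== p && n.includes(p));
}

// Findings for one manifest: lifecycle hooks, TLS bypass inside them, look-alike names.
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue;
    findings.push({ type: 'lifecycle-script', hook, command: scripts[hook] });
    if (TLS_BYPASS.some((re) => re.test(scripts[hook]))) {
      findings.push({ type: 'tls-bypass', hook });
    }
  }
  for (const target of looksTyposquatted(pkg.name)) {
    findings.push({ type: 'typosquat-candidate', resembles: target });
  }
  return findings;
}
// Constructed manifests; the first imitates the behaviour described in the TTPs above.
const SAMPLES = [
  { name: 'easy-day-js', version: '1.0.2', scripts: { postinstall: 'NODE_TLS_REJECT_UNAUTHORIZED=0 node setup.js' } },
  { name: 'dayjs', version: '1.11.10' },
  { name: 'some-lib', version: '2.0.0', scripts: { test: 'jest' } },
];
// Audit every manifest and tag each finding with the package it came from.
function auditAll(manifests = SAMPLES) {
  return manifests.flatMap((m) => auditManifest(m).map((f) => ({ package: m.name, ...f })));
}
console.log(JSON.stringify(auditAll(), null, 2));
```

The name check also flags legitimate companions such as `axios-retry`, so its output is a review queue against an allowlist, not a block decision; point `auditAll` at the `package.json` files under `node_modules` to run it on a real tree.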