North Korean Hackers Target Developers With Mastra npm Supply Chain Attack
Key Takeaways
- North Korean state-sponsored hackers, identified as Sapphire Sleet, launched a sophisticated supply chain attack targeting the npm registry’s Mastra ecosystem.
- Over 140 developer packages were compromised by injecting a malicious dependency, easy-day-js, affecting developers and CI/CD pipelines globally.
- The attack leverages an automatic “postinstall” script to deploy a multi-platform backdoor, exfiltrate sensitive data (including cryptocurrency wallet extensions), and establish persistent access.
- The threat actor utilized stealthy techniques like memory injection and obfuscation to evade detection, highlighting the critical need for enhanced supply chain security.
North Korean Hackers Exploit Mastra npm Supply Chain in Targeted Developer Attack
A North Korean state-sponsored hacking group, known as Sapphire Sleet, has orchestrated a wide-ranging supply chain attack, compromising over 140 software packages within the npm registry’s Mastra ecosystem. This sophisticated campaign, which involved injecting malicious code into developer tools used globally, poses significant questions about the security posture of the open-source supply chain, according to a detailed analysis.
The attack specifically targeted the Mastra package family on the npm registry, a critical package manager relied upon by millions of developers for building JavaScript applications. The threat actors gained unauthorized access to a legitimate maintainer account, enabling them to push malicious updates across numerous packages simultaneously. Consequently, any developer or automated build system executing a standard installation command for these packages was immediately exposed to the threat without prior warning.
Microsoft’s security analysts were instrumental in uncovering this compromise, identifying it through unusual publishing patterns associated with the Mastra packages. Their investigation traced the intrusion back to Sapphire Sleet, a North Korean group with a history of targeting financial and cryptocurrency organizations since at least March 2020. Microsoft published its findings in a report shared with Cyber Security News (CSN).
Attack Vector and Initial Compromise
The initial phase of the attack involved the takeover of the ehindero npm maintainer account, which possessed publishing rights across the entire Mastra package scope. Leveraging this access, the attackers introduced a deceptive package named easy-day-js. This package was crafted to mimic the popular dayjs library, which garners over 57 million downloads weekly, aiming to blend in seamlessly with legitimate dependencies.
Following the introduction of the imposter package, every compromised Mastra package was updated to include easy-day-js as a new dependency. This strategic move instantly broadened the attack’s potential reach, embedding the malicious component deep within the dependency trees of various projects.
A particularly dangerous aspect of this attack was the automatic execution of the malicious code. The moment an affected package was installed, the embedded code would run, irrespective of whether the developer explicitly called the package in their application. This design choice simultaneously jeopardized developer workstations, build servers, and automated CI/CD pipelines, demonstrating a comprehensive threat to development environments.
Two-Phase Delivery and Payload Execution
The attackers employed a clever two-phase delivery mechanism for their malicious payload. Initially, a clean, benign version of easy-day-js was published to establish its legitimacy within the npm registry. The following day, a weaponized version was released, incorporating a hidden “postinstall” hook. This script is designed to execute automatically whenever the package is installed, making it an ideal vector for stealthy code injection.
The postinstall hook triggered an obfuscated dropper script that bypassed standard TLS certificate checks on its outbound connections. This script then communicated with attacker-controlled servers to retrieve a second-stage payload. Once downloaded, this payload launched as a silent background process, making it exceedingly difficult for developers to detect during routine work. The second-stage implant functioned as a fully capable tasking client, allowing the attackers to execute arbitrary commands remotely at any given time.
On Windows systems, the implant further enhanced its stealth by injecting code directly into memory without writing any files to disk. This fileless technique is a common method for evading traditional endpoint security tools. The malware proceeded to collect a range of sensitive information, including installed applications, browser extensions related to cryptocurrency wallets, and browsing history. All collected data was then exfiltrated back to the attackers. For high-value targets, Sapphire Sleet deployed an additional PowerShell backdoor, securing persistent and elevated access to the compromised machines.
Persistence, Exfiltration, and Defense Evasion
To ensure long-term access, the implant established robust persistence mechanisms across Windows, macOS, and Linux operating systems. On Windows, it utilized a registry Run key; on macOS, a LaunchAgent; and on Linux, a systemd service. All these persistence artifacts were cunningly disguised with names that mimicked legitimate Node.js tools, enabling them to blend seamlessly into a typical developer’s environment and avoid suspicion.
The backdoor also implemented defense evasion tactics, including adding an exclusion to Microsoft Defender to prevent detection. It registered a service that ensured the malicious file loaded with every system boot. Furthermore, a persistence loader was configured to fetch fresh payloads from the attackers upon each login, allowing them to dynamically update their malicious capabilities without direct interaction with the endpoint. Data exfiltration was conducted using a spoofed legacy browser identity, a technique designed to bypass network-based security alerts and remain undetected.
Microsoft advises developers to thoroughly review their project dependency trees for any affected Mastra packages and to specifically check for the presence of easy-day-js in their project files. As a precautionary measure, running npm install with the --ignore-scripts flag can prevent postinstall hooks from executing automatically. Organizations should also rotate credentials and API keys that might have been exposed on compromised systems and implement network-level blocks for the identified attacker-controlled IP addresses.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 23.254.164.92 | Primary C2 server |
| IP Address | 23.254.164.123 | Secondary C2 address (from deobfuscated strings) |
| URL | https[:]//23[.]254[.]164[.]92:8000/update/49890878 | Payload download endpoint |
| Domain | teams[.]onweblive[.]org | Post-compromise PowerShell backdoor delivery domain |
| URL | https[:]//teams[.]onweblive[.]org/api/update/8555575039/4 | Post-compromise PowerShell backdoor download endpoint |
| Domain | maskasd[.]com | Post-compromise C2 beacon domain |
| URL | https[:]//maskasd[.]com/8555575039 | Post-compromise C2 beacon endpoint |
| SHA-256 | B122A9873BEDF145AE2A7FD024B5F309007DBB025149F4DC4AC3F7E4F32A36A4 | setup.cjs (malicious postinstall dropper) |
| SHA-256 | AE70DD4F6BC0D1C8C2848E4E6B51934626C4818DCB5AF99D080DDBD7DC337185 | easy-day-js-1.11.22.tgz (weaponized tarball) |
| SHA-256 | 4A8860240E4231C3A74C81949BE655A28E096A7D72F38FBE84E5B37636B98417 | easy-day-js-1.11.21.tgz (clean bait tarball) |
| SHA-256 | B73DE25C053C3225A077738A1FCBD9CA6966D7B3CD6F5494A30F0AA0EAE55C7E | mastra-1.13.1.tgz (compromised CLI tarball) |
| SHA-256 | 221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf | protocol.cjs |
| SHA-256 | 50eae63d3e24be9ca8803f4b5a0408aef97ee3fab7af018d8c2dde7c359edd65 | Downloader and backdoor PowerShell script |
| SHA-256 | 1d1bf5e8c1539d2f05b1429235b8f4990f87036774be95157b315a7803dd5526 | Second-stage PowerShell script |
| File Artifact | $TMPDIR/.pkg_history | Contains the install path of the compromised package |
| File Artifact | $TMPDIR/.pkg_logs | Contains XOR 0x80 encoded string “easy-day-js” |
| File Artifact | <homedir>/<random_hex>.js | Downloaded second-stage payload |
| npm Package | easy-day-js | Malicious typosquat of dayjs |
| npm Account | sergey2016 | Publisher of easy-day-js |
| npm Account | ehindero | Compromised publisher of 140+ Mastra packages |
What You Should Do
- Review Dependencies: Immediately audit all project dependencies for any affected Mastra packages and specifically check for the presence of easy-day-js within your package.json or dependency lock files.
- Use --ignore-scripts: When installing npm packages, use the npm install --ignore-scripts flag to prevent automatic execution of postinstall hooks, which can be a common vector for supply chain attacks.
- Rotate Credentials: Assume that any credentials or API keys present on systems that may have been exposed are compromised. Rotate these immediately.
- Block Malicious Infrastructure: Implement network perimeter blocks for the attacker-controlled IP addresses and domains identified in the IoCs section.
- Enhance Endpoint Monitoring: Deploy and maintain robust endpoint detection and response (EDR) solutions to monitor for suspicious activity, especially fileless execution and unusual outbound network connections.
- Implement Software Supply Chain Security: Adopt practices such as dependency scanning, integrity checks, and multi-factor authentication for all developer accounts and package repositories.
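The dependency review recommended by Microsoft above and in the first item of this list, plus the $TMPDIR/.pkg_logs marker from the IoC table, can be checked with a small Node.js helper. This is an added example, not code from the article, Microsoft's report, or the Mastra project; the lockfile and marker bytes are constructed samples, and the @mastra/sample-pkg entry is a placeholder name, not a real compromised package.

```javascript
// Package names the article identifies as malicious.
const KNOWN_BAD = new Set(['easy-day-js']);

// Audit a parsed package-lock.json object. Lockfile v2/v3 lists every installed
// package under "packages", keyed by its node_modules path, and marks packages
// that carry preinstall/install/postinstall hooks with hasInstallScript: true.
// v1 lockfiles nest packages under "dependencies" instead; both are handled.
function auditLockfile(lock) {
  const findings = [];
  const visit = (name, meta, where) => {
    if (KNOWN_BAD.has(name)) findings.push({ name, where, reason: 'known-bad package' });
    else if (meta.hasInstallScript) findings.push({ name, where, reason: 'install script' });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // "" is the root project itself, not a dependency
    const marker = 'node_modules/';
    const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
    visit(name, meta, path);
  }
  const walkV1 = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      visit(name, meta, prefix + name);
      walkV1(meta.dependencies, prefix + name + '>');
    }
  };
  walkV1(lock.dependencies, '');
  return findings;
}

// The IoC table says $TMPDIR/.pkg_logs holds "easy-day-js" XOR-encoded with 0x80.
// Decode the file's bytes and report whether a known-bad name appears.
function xorDecode(bytes, key = 0x80) {
  return Buffer.from(bytes.map((b) => b ^ key)).toString('utf8');
}
function pkgLogsMentionsBadPackage(bytes) {
  const text = xorDecode(bytes);
  return [...KNOWN_BAD].some((p) => text.includes(p));
}

// Constructed sample lockfile: a clean dayjs next to the imposter, which is the
// only entry npm flags as having an install script. Version 1.11.22 matches the
// weaponized tarball listed in the IoC table.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app' },
    'node_modules/dayjs': { version: '1.11.13' },
    'node_modules/@mastra/sample-pkg': { version: '0.0.0-placeholder' },
    'node_modules/easy-day-js': { version: '1.11.22', hasInstallScript: true },
  },
};
// Constructed marker bytes: "easy-day-js" XOR 0x80, as the artifact would look on disk.
const sampleMarker = Array.from(Buffer.from('easy-day-js')).map((b) => b ^ 0x80);
console.log(auditLockfile(sampleLock), pkgLogsMentionsBadPackage(sampleMarker));
```

To run it against a real project, replace sampleLock with JSON.parse of the project's package-lock.json and sampleMarker with the bytes read from $TMPDIR/.pkg_logs.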