Security / Jun 20, 2026 / 7 min
North Korea Backdoored 143 npm Packages in the Mastra Framework
On June 17, North Korean hackers backdoored every package in the Mastra agent framework's npm scope — and on June 19, Microsoft attributed the attack to Sapphire Sleet, a state actor that primarily targets the financial sector.
On June 17, between 1:15 and 2:00 a.m. UTC, an attacker used a dormant npm maintainer account to republish all 143 packages in the @mastra scope — the open-source agent framework used by thousands of AI developers — each seeded with a malicious dependency that executed on install. Two days later, Microsoft attributed the campaign to Sapphire Sleet, a North Korean state-sponsored group that primarily targets the financial sector. The payload didn't wait for anyone to run an agent. It fired during npm install, disabled TLS verification, downloaded a second-stage stealer from attacker-controlled servers, and hunted for 166 cryptocurrency wallet extensions. Any developer workstation or CI/CD pipeline that pulled a compromised version during the exposure window is a potential breach.
Why this matters now: Agent frameworks are becoming critical infrastructure. Attackers have noticed — and they're not hacking models. They're hacking the pipes.
The attack, in 45 minutes:
- The foothold was a stale credential. The npm account ehindero belonged to a real former Mastra contributor whose publish access was never revoked after going dormant in early 2025.
- On June 16, a coordinating account (sergey2016) published easy-day-js — a typosquat of the legitimate dayjs library (57 million weekly downloads). Version 1.11.21 was clean bait. Version 1.11.22, published minutes before the mass rollout on June 17, added a postinstall hook.
- On June 17, the attacker republished the entire @mastra scope — 139 scoped packages plus mastra, create-mastra, and mastracode — each pinning easy-day-js@^1.11.21, which semver-resolved to the weaponized 1.11.22.
- Legitimate Mastra releases carry SLSA provenance attestations. Every malicious version dropped them entirely.
What the malware did:
- Microsoft's deobfuscation of the dropper reveals a five-step sequence: disable TLS certificate validation, write tracking markers to the temp directory, fetch a ~41 KB cross-platform implant from 23.254.164.92:8000, spawn it as a hidden detached Node.js process, and enter a persistent C2 poll loop.
- The second-stage payload fingerprints the host — installed applications, browser histories, running processes — and checks for 166 crypto wallet browser extensions, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink.
- On Windows, follow-on activity deployed a PowerShell backdoor previously associated with Sapphire Sleet, added Microsoft Defender exclusions, and installed a service granting SYSTEM privileges.
- As Microsoft put it in its June 19 update: "Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector."
The pattern is not new — the target is:
- Sapphire Sleet, also tracked as BlueNoroff, is a North Korean unit known for cryptocurrency theft, fake job offers, malicious browser extensions, and software supply chain compromises.
- The same group conducted a separate npm supply chain attack on the Axios HTTP client in April 2026, per Microsoft.
- Snyk estimates @mastra/core alone pulls roughly 4 million downloads a month, with more than 30 million monthly across the full scope. The blast radius is not niche.
Why agent stacks are the next front:
- Mastra is not a chatbot wrapper. It is an agent orchestration framework — the kind of tooling enterprises are wiring into production workflows right now.
- The attack exploited the weakest link in open-source AI: contributor access that outlives the contributor. No model jailbreak required. No prompt injection. Just a forgotten npm password and an automated publish script that hit 143 packages in under an hour.
- npm has removed the malicious packages and revoked the attacker's publish access. Mastra forward-rolled clean versions. But any machine that ran npm install during the window should be treated as a host-exposure event — not a dependency bump.
What enterprises should do:
- Audit any project that resolved @mastra packages between June 16–17, 2026.
- Require SLSA provenance or equivalent attestations for AI framework dependencies.
- Revoke maintainer credentials when contributors leave — the ehindero account sat dormant for months with full scope access.
- Treat agent framework installs with the same rigor as production secrets: isolated CI runners, dependency pinning, and postinstall script review.
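One way to run the audit and postinstall review described above against a project's lockfile, as an added example that is not code from Mastra, Microsoft, or npm. It walks the "packages" map of a package-lock.json (lockfile version 2 or 3) and reports the indicators named in this article: the easy-day-js dependency, the range that pulled it in, every Mastra package present, and every package npm marked with hasInstallScript. The sample lockfile, its project name, and its placeholder versions are constructed for illustration.

```javascript
// Indicators taken from the article; everything in SAMPLE_LOCK is constructed.
const BAIT_DEP = "easy-day-js";
const MASTRA_UNSCOPED = new Set(["mastra", "create-mastra", "mastracode"]);

// "node_modules/a/node_modules/@s/b" -> "@s/b" (nested installs keep the last segment)
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Takes a parsed package-lock.json and returns a flat list of findings.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    const name = packageName(path);
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    const base = { name, version: meta.version };
    if (name.startsWith("@mastra/") || MASTRA_UNSCOPED.has(name)) {
      findings.push({ kind: "mastra-package", ...base }); // inventory for the exposure window
    }
    if (BAIT_DEP in deps) {
      // The declared range shows how the weaponized release was selected.
      findings.push({ kind: "pulls-bait", ...base, range: deps[BAIT_DEP] });
    }
    if (name === BAIT_DEP) {
      findings.push({ kind: "bait-installed", ...base });
    }
    if (meta.hasInstallScript) {
      findings.push({ kind: "install-script", ...base }); // queue for manual script review
    }
  }
  return findings;
}

// Constructed lockfile: one Mastra package declaring the caret range from the article.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-agent", version: "0.0.0" },
    "node_modules/@mastra/core": { version: "0.0.0-constructed", dependencies: { "easy-day-js": "^1.11.21" } },
    "node_modules/easy-day-js": { version: "1.11.22", hasInstallScript: true },
    "node_modules/dayjs": { version: "1.11.13" },
    "node_modules/esbuild": { version: "0.0.0-constructed", hasInstallScript: true },
  },
};

console.log(auditLock(SAMPLE_LOCK));
```

To audit a real project, pass auditLock the parsed contents of its package-lock.json. A lockfile does not record attestations, so the provenance requirement needs a separate check such as npm audit signatures.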
Convina's view: The AI security conversation has been obsessed with model guardrails, export controls, and hallucination liability — all real, all already in the headlines. This attack is a reminder that the agent economy's most exploitable surface is humbler: the npm account nobody remembered to delete. North Korea didn't need a frontier model to reach crypto wallets inside AI development shops. It needed a stale credential and 45 minutes. Until agent frameworks get the same identity governance enterprises demand for human employees, the supply chain is not a secondary risk. It is the primary one.