North Korean Hackers Exploit Mastra npm Supply Chain to Target Developers

A supply chain attack attributed to North Korean hackers targeted Mastra, an open-source TypeScript tool for AI applications, compromising over 140 packages on the npm registry. Microsoft Defender Security Research Team identified the attack as the work of Sapphire Sleet, a North Korean state actor, on June 19, 2026. The attackers gained access by taking over an npm maintainer account, allowing them to publish malicious code that disabled TLS certificate verification. The malware aimed to steal cryptocurrency from targeted wallets and gather reconnaissance data from infected machines. This incident raises significant concerns regarding the security of open-source supply chains and the potential impact on developers worldwide. Microsoft has not disclosed the specifics of the account takeover method but noted that social engineering tactics were likely involved. Recommendations for protection have been issued by Microsoft.

Key Points:
• Over 140 npm packages in the Mastra ecosystem were poisoned by North Korean hackers.
• The attack utilized a compromised npm maintainer account to publish malicious code.
• The malware targeted cryptocurrency wallets and gathered sensitive information from infected systems.
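
The summary says the malicious code disabled TLS certificate verification. As an added example (not from the article, Microsoft or the Mastra project), the Node.js script below walks a dependency tree and flags source lines that switch certificate checks off. The two patterns are generic Node.js mechanisms, not indicators published for this campaign, and the package name and sample files are constructed.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Generic Node.js ways to disable certificate checks. Assumption: these are
// illustrative patterns, NOT indicators published for this campaign.
const PATTERNS = [
  { name: 'NODE_TLS_REJECT_UNAUTHORIZED=0', re: /NODE_TLS_REJECT_UNAUTHORIZED['"\]]*\s*=\s*['"]?0/ },
  { name: 'rejectUnauthorized: false', re: /rejectUnauthorized['"]?\s*[:=]\s*(false|0|!1)\b/ },
];
const EXTS = new Set(['.js', '.cjs', '.mjs', '.ts']);

// Walk `root` iteratively and return one finding per matching source line.
function scanTree(root) {
  const findings = [];
  const stack = [root];
  while (stack.length) {
    const dir = stack.pop();
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isSymbolicLink()) continue; // skip links to avoid loops
      if (entry.isDirectory()) { stack.push(full); continue; }
      if (!entry.isFile() || !EXTS.has(path.extname(entry.name))) continue;
      fs.readFileSync(full, 'utf8').split('\n').forEach((text, i) => {
        for (const p of PATTERNS) {
          if (p.re.test(text)) {
            findings.push({ file: path.relative(root, full), line: i + 1, rule: p.name });
          }
        }
      });
    }
  }
  return findings;
}

// Constructed sample tree: one benign file, one that disables verification twice.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'tls-scan-'));
  const pkg = path.join(root, 'node_modules', 'example-pkg'); // hypothetical package
  fs.mkdirSync(pkg, { recursive: true });
  fs.writeFileSync(path.join(pkg, 'ok.js'), 'https.get(url, { rejectUnauthorized: true });\n');
  fs.writeFileSync(path.join(pkg, 'setup.js'),
    "process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';\n" +
    'const agent = new https.Agent({ rejectUnauthorized: false });\n');
  const findings = scanTree(root);
  fs.rmSync(root, { recursive: true, force: true });
  return findings;
}

console.log(demo());
```

A hit is a lead for review rather than proof of compromise, since test fixtures and development tooling sometimes disable verification on purpose.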

Timeline

2026-06-19
Microsoft attributes attack to North Korean hackers
Microsoft Defender Security Research Team identified the Mastra supply chain attack as the work of Sapphire Sleet, a North Korean state actor.
Infosecurity-Magazine
2026-06-22
Attack details reported
Cybersecurity news outlets reported on the sophisticated nature of the attack and its implications for developers and CI/CD pipelines.
Cybersecuritynews
