Sapphire Sleet npm supply chain attack: 140+ Mastra packages poisoned with easy-day-js typosquat
North Korean state actor Sapphire Sleet compromised the ehindero npm maintainer account and used it to inject a malicious easy-day-js dependency into 140+ packages, so that a postinstall payload executed on developer workstations and in CI/CD pipelines during npm install.
Attack Brief
Target: npm ecosystem; Mastra package scope; dayjs library users
Vector: npm account takeover; dependency injection via poisoned package.json; postinstall hook execution
Attribution: Sapphire Sleet (North Korean state actor)
Technical Details
MITRE ATT&CK: T1195.001; T1195.002; T1036.005; T1547.013; T1140; T1571
IoCs: ehindero (compromised npm maintainer account); [email protected]@tutamail.com; easy-day-js (malicious typosquat package); [email protected] (weaponized version); easy-day-js@^1.11.21 (injected dependency constraint)
Affected: mastra and @mastra scope packages (140+ affected); versions tagged as latest; postinstall hook executes on npm install / npm update
Impact
Affected Organisations: any developer workstation or CI/CD pipeline that ran npm install or npm update after the poisoned versions were published
Sectors: financial services (primary Sapphire Sleet targeting)
Confirmed Damage: potential exposure of credentials, tokens, build environments, and downstream software integrity; second-stage PowerShell backdoor deployment observed on systems that established C2 communication
Geography: North Korea
Mitigation
Patches: npm security team removed the compromised packages from the registry; attacker publish access to the @mastra scope revoked
Workarounds: audit node_modules for the presence of easy-day-js; revoke exposed credentials and tokens; review CI/CD pipeline logs for suspicious Node.js execution; implement package pinning and integrity verification; remove any TLS-bypass settings from the environment
Detection: Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and Microsoft Defender XDR provide detections for suspicious Node.js execution, malicious package behavior, reflective code loading, persistence activity, and command-and-control communication; advanced hunting queries are available for postinstall hook execution patterns and obfuscated dropper signatures
Context
Previous Campaigns: Sapphire Sleet conducted a separate npm supply chain compromise affecting Axios (the popular JavaScript HTTP client) in April 2026; infrastructure and post-compromise TTPs are consistent with previously documented Sapphire Sleet activity