
Microsoft Links Mastra AI Supply Chain Attack to North Korea


In a significant cybersecurity revelation, researchers have attributed a recent supply chain attack targeting Mastra, an open-source TypeScript framework for building AI-driven applications and agents, to North Korean hackers. The assessment was published by the Microsoft Defender Security Research Team and Microsoft Threat Intelligence on June 19, who linked the attack with high confidence to a group Microsoft tracks as Sapphire Sleet.

The findings indicate that Sapphire Sleet, Microsoft's name for this North Korean state-sponsored actor, has a track record of focusing primarily on financial institutions. The researchers noted that the methods and infrastructure used in the Mastra attack mirrored previously documented Sapphire Sleet activity, reinforcing the attribution. The group is also tracked by other security researchers under the names APT38, BlueNoroff, Stardust Chollima, and TA444.

According to Microsoft, the attack, described as a large-scale npm supply chain compromise, affected more than 140 packages within the Mastra scopes hosted on the npm registry, the largest global repository of open-source JavaScript code. Because the packages are pulled directly into build and runtime dependency trees, the compromise reached every developer who relies on them for their projects.

The incident stemmed from the unauthorized takeover of an npm maintainer account. The account's publishing privileges were misused to upload manipulated versions of the Mastra code, including a malicious dependency named easy-day-js. This code disabled Transport Layer Security (TLS) certificate verification, so that the infected system could communicate with an attacker-controlled command-and-control (C2) server without certificate errors. The server then delivered a malware payload capable of running on Windows, macOS, and Linux.

The attack's objectives appear to center on cryptocurrency theft, a common goal in cyber operations linked to North Korea. The malware was designed to scan for specific cryptocurrency wallet browser-extension IDs, including those of popular wallets such as MetaMask, Phantom, Coinbase Wallet, and Binance Wallet, among others.

The malware also collected a variety of information, including browser history and reconnaissance data about the infected system: hostname, system architecture, platform, user ID, installed applications, and running processes, giving the attackers a comprehensive picture of the target environment.

While Microsoft has not elaborated on how the privileged accounts were compromised, it noted that Sapphire Sleet has a history of using social engineering in its attacks. These approaches have often involved platforms like LinkedIn to reach individuals in the financial, blockchain, and cryptocurrency sectors, making the group adept at identifying and targeting susceptible users.

In light of the attack, Microsoft has issued several recommendations to help organizations guard against similar threats. Users are advised to review their dependency trees carefully for any direct or transitive use of affected Mastra packages. Organizations are also encouraged to check for the presence of the compromised package, easy-day-js, in their projects, specifically in the node_modules directory and the package-lock.json lockfile.

Microsoft further recommends pinning known-good package versions wherever feasible. For Mastra users, version 1.13.0 and earlier of the mastra package are confirmed to be unaffected, and for the @mastra/core package, version 1.42.0 and earlier remain secure.

As the cybersecurity landscape continues to evolve, the implications of this attack extend beyond just technical vulnerabilities. They embody a broader trend where state-sponsored hackers are increasingly targeting critical infrastructure, fintech innovations, and the burgeoning blockchain domain. Organizations are thus urged to remain vigilant and proactive in their cybersecurity posture to counteract the growing threats posed by sophisticated adversaries like Sapphire Sleet.
