
North Korean Hackers Compromise Mastra AI Framework


More Than 140 npm Packages Carried Credential-Stealing Code


The open-source artificial intelligence framework Mastra has been compromised by North Korean hackers, who implanted credential-stealing infostealers in the platform's packages. The incident is the latest in a series of supply-chain attacks targeting package managers worldwide.

Recent analysis from Microsoft pinpoints a group known as BlueNoroff, or Sapphire Sleet, as the main actors behind this breach. This group managed to gain access to a Mastra npm maintainer account and subsequently published malicious versions of over 140 different packages. This compromised campaign has effectively infiltrated software development pipelines that utilize Mastra to develop AI applications and agents, creating potential vulnerabilities for countless organizations reliant on this framework.

In recent months, developers have faced a series of supply-chain attacks aimed predominantly at JavaScript packages hosted on npm, the package registry operated by Microsoft's GitHub. Notable instances include the Shai-Hulud attacks, a self-replicating worm crafted by TeamPCP that subsequently ignited a wave of copycat campaigns aimed at compromising trusted libraries and packages.

The escalating trend has compelled GitHub to adopt more stringent security measures. Following the Mastra incident, GitHub announced plans to discontinue, in the newest version of its actions/checkout tool, the default behaviour that lets privileged workflows check out and execute code from untrusted pull requests. The change is intended to bolster defenses against future breaches.

Boris Cipot, a Principal Security Engineer at Black Duck who specializes in software supply-chain security, remarked, “The Mastra incident signals a deliberate shift in focus among state-sponsored groups toward AI development frameworks as strategic pathways to breach corporate networks on a large scale.” He emphasized how deeply AI toolchains are integrated into development workflows, noting their prevalence in CI/CD (Continuous Integration/Continuous Deployment) pipelines that often hold sensitive credentials and access to production systems.

This strategic targeting enables attackers to bypass traditional endpoint compromises, gaining direct access to software supply chains. The actors behind the Mastra attack are affiliated with North Korea’s notorious Lazarus Group. While some Lazarus operations have concentrated on espionage, BlueNoroff is distinctly associated with financially motivated campaigns aimed at generating revenue for the North Korean regime.

Previously, this group successfully employed social engineering tactics on platforms like LinkedIn to pilfer cryptocurrency. However, in recent months, they have pivoted their focus toward software supply-chain attacks, chiefly targeting technology and intellectual property linked to cryptocurrency trading and blockchain platforms.

In April, a related npm supply-chain compromise was noted, where the popular JavaScript HTTP client Axios was affected. Given the unique techniques, tactics, and procedures (TTPs) exhibited, Microsoft Threat Intelligence confidently attributed the Mastra attack to BlueNoroff.

The initial compromise stemmed from the hijacking of the ehindero npm maintainer account, which held publishing rights across the Mastra ecosystem. This allowed the attackers to distribute compromised package versions, including a malicious package named easy-day-js, a typosquatting variant of the legitimate dayjs library. Mastra relies on dayjs for date and time handling, a library that sees significant usage, with over 59 million downloads in the previous week alone.

Developers and CI/CD pipelines automatically pulled these compromised versions into their projects, running a postinstall hook that disabled Transport Layer Security (TLS) verification, planted tracking markers, and established communication with command-and-control infrastructure operated by the attackers.

The hook then executed a Node.js backdoor, which profiled the infected systems and exfiltrated valuable assets such as credentials, cryptocurrency wallet information, and browser data. Where command-and-control communication was firmly established, the hackers were able to deploy a PowerShell backdoor, strengthening persistence within compromised environments.

Shane Barney, Chief Information Security Officer at zero trust platform Keeper Security, highlighted the inherent risks of postinstall hooks executing without scrutiny. If long-lived tokens, cloud keys, or API credentials are present in the build environment, attackers can exploit these vulnerabilities without needing further footholds. He urged that secrets should not persist in build environments beyond the scope of immediate jobs, advocating for least-privilege access that is ephemeral by design.

In response to this evolving threat landscape, GitHub announced a new default protection against a persistent GitHub Action supply-chain risk dubbed “pwn request.” This feature is designed to prevent the exploitation of privileged CI/CD workflows by malicious code from external pull requests to safeguard secrets and protect main repositories.

While GitHub's update addresses one dimension of the ongoing supply-chain risk, experts like Cipot stress that organizations must implement additional controls to mitigate the impact of malicious package updates. These include strict version locking, under which dependency upgrades go through a formal review process rather than being integrated automatically as new package versions appear.

Furthermore, routing software dependencies through an internal artifact proxy can serve to delay access, creating a critical window during which potentially harmful releases can be identified, flagged, and removed before they infiltrate internal environments.
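The following is an added example, not code from the article, Mastra, or any proxy product: a policy check an internal artifact proxy could apply before serving a pinned npm version, modelling two of the controls discussed above, a cooling-off window for newly published versions and a flag on install-time lifecycle scripts such as postinstall. The registry metadata document, package name, versions and dates are constructed for illustration.

```javascript
// Added example (hypothetical proxy policy, not the article's or Mastra's code).
const DAY_MS = 24 * 60 * 60 * 1000;

// Lifecycle scripts that npm runs automatically during install.
const INSTALL_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed metadata in the shape of a public npm registry "packument":
// `time` maps version -> publish timestamp, `versions` maps version -> manifest.
const constructedPackument = {
  name: "example-date-lib",
  "dist-tags": { latest: "1.4.0" },
  time: {
    "1.3.0": "2026-03-01T00:00:00.000Z",
    "1.4.0": "2026-04-10T12:00:00.000Z",
  },
  versions: {
    "1.3.0": { version: "1.3.0", scripts: { test: "node test.js" } },
    "1.4.0": { version: "1.4.0", scripts: { postinstall: "node setup.js" } },
  },
};

// Evaluates one requested version against the policy. `now` is injected so the
// check is deterministic; `cooldownDays` is the quarantine window the proxy enforces.
function evaluateVersion(packument, version, { now, cooldownDays }) {
  const reasons = [];
  const manifest = packument.versions[version];
  const published = packument.time[version];
  if (!manifest || !published) {
    return { allowed: false, reasons: ["version not present in registry metadata"] };
  }
  // Block releases younger than the cooldown so a malicious publish can be
  // spotted and pulled before any internal build can fetch it.
  const ageDays = (now.getTime() - Date.parse(published)) / DAY_MS;
  if (ageDays < cooldownDays) {
    reasons.push(`published ${ageDays.toFixed(1)} days ago, below the ${cooldownDays}-day cooldown`);
  }
  // Surface install-time hooks for review rather than letting them run unseen.
  const hooks = INSTALL_SCRIPTS.filter((s) => manifest.scripts && s in manifest.scripts);
  if (hooks.length > 0) {
    reasons.push(`declares install-time lifecycle scripts: ${hooks.join(", ")}`);
  }
  return { allowed: reasons.length === 0, reasons };
}

// Resolves a lockfile-style pin: only the exact pinned version is considered,
// never whatever the registry's "latest" tag currently points to.
function checkPinnedDependency(packument, pinnedVersion, policy) {
  return { name: packument.name, version: pinnedVersion, ...evaluateVersion(packument, pinnedVersion, policy) };
}
```

A real proxy would fetch the packument from the upstream registry and apply the same decision before caching the tarball; the allow-list of reviewed versions would come from the project's lockfile.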
