Sapphire Sleet Mastra npm supply-chain campaign

Campaign
H score 39
1 unique source, 1 article

Summary

The Mastra AI supply-chain campaign was attributed to Sapphire Sleet / BlueNoroff, putting more than 140 npm packages and developer endpoints at risk of credential and crypto-wallet theft. Attackers compromised the npm maintainer account "ehindero" and used its publishing privileges to push malicious updates into the @mastra scope. Those updates injected easy-day-js, which ran a postinstall hook, contacted attacker-controlled C2 infrastructure, and downloaded a second-stage payload. The resulting stealer targeted Windows, Linux, and macOS systems and checked for 166 cryptocurrency wallet extensions.
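A defender-side check for the install chain described above, as an added example that is not from Microsoft, Mastra, or the source article: it walks an npm lockfile, reports whether easy-day-js is present, which packages declare it as a dependency, and which packages run scripts at install time. It assumes a lockfileVersion 2 or 3 `package-lock.json` (the `packages` map and `hasInstallScript` field); the lockfile excerpt and every version number in it are constructed placeholders.

```javascript
// Added example: constructed data; all version numbers are placeholders.
const IOC_PACKAGE = "easy-day-js"; // injected dependency named on this page

// Constructed package-lock.json (lockfileVersion 3) excerpt.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@mastra/core": "*", dayjs: "*" } },
    "node_modules/@mastra/core": {
      version: "0.0.0-placeholder",
      dependencies: { "easy-day-js": "*" },
    },
    "node_modules/@mastra/core/node_modules/easy-day-js": {
      version: "0.0.0-placeholder",
      hasInstallScript: true,
    },
    "node_modules/dayjs": { version: "0.0.0-placeholder" },
  },
};

// The package name is whatever follows the last "node_modules/" in the key.
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

function auditLockfile(lock, ioc = IOC_PACKAGE) {
  const report = { installed: [], requiredBy: [], installScripts: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path) || entry.name || "(root)";
    // 1. The flagged package is resolved somewhere in the tree.
    if (name === ioc) report.installed.push({ path, version: entry.version });
    // 2. Packages that declare it as a dependency (how it was pulled in).
    const deps = { ...entry.dependencies, ...entry.optionalDependencies, ...entry.peerDependencies };
    if (Object.prototype.hasOwnProperty.call(deps, ioc)) report.requiredBy.push(name);
    // 3. Packages that run lifecycle scripts (e.g. postinstall) on install.
    if (entry.hasInstallScript) report.installScripts.push(name);
  }
  return report;
}

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

Installing with `npm ci --ignore-scripts` keeps lifecycle hooks such as postinstall from running while a tree is being reviewed.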

Related Happenings

Mastra @mastra/* npm packages hit by network compromise

Incident
H score 42 · First: 17.06.2026 10:38 · Last: 17.06.2026 10:38 · Sources: 1

How related: According to Microsoft, the attack began when threat actors compromised the npm maintainer account "ehindero," which had publishing privileges across the Mastra package environment.

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

Easy-day-js Mastra package-publishing campaign

Campaign
H score 30 · First: 17.06.2026 10:38 · Last: 17.06.2026 10:38 · Sources: 1

About this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...

AUR package-hijacking campaign delivering atomic-lockfile

Campaign
H score 11 · First: 12.06.2026 20:03 · Last: 12.06.2026 20:03 · Sources: 1

About this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...

IronWorm npm supply-chain infection and self-propagation

Malware Activity
H score 15 · First: 04.06.2026 18:25 · Last: 04.06.2026 18:25 · Sources: 1

About this happening: **IronWorm** is a **Rust** infostealer in an **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...

Miasma GitHub and npm supply-chain campaign

Campaign
H score 26 · First: 02.06.2026 00:38 · Last: 02.06.2026 00:38 · Sources: 1

About this happening: The **Miasma** supply-chain campaign has expanded into a new **PyPI** branch called **Hades**, with **37 malicious wheel artifacts** across **19 packages**. The compromised releas...

Latest development: 05.06.2026 21:05

A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.

Timeline

  1. 19.06.2026 03:00 · 2 articles

    Microsoft attributes Mastra AI npm supply-chain compromise to Sapphire Sleet

    Attribution Update

    Microsoft attributed the Mastra AI supply-chain compromise affecting more than 140 npm packages to Sapphire Sleet, also known as BlueNoroff, and said attackers compromised the npm maintainer account "ehindero" to publish malicious updates across the @mastra scope. The poisoned packages injected easy-day-js, a typosquat of dayjs, and the install chain deployed a cross-platform stealer aimed at credentials, API keys, authentication tokens, and cryptocurrency wallets on Windows, Linux, and macOS systems.
