From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet
June 19, 2026 update: Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector. The infrastructure and post-compromise TTPs observed in this campaign are consistent with previously documented Sapphire Sleet activity. Sapphire Sleet also conducted a separate npm supply chain compromise affecting Axios, a popular JavaScript HTTP client, in April 2026.
Microsoft Threat Intelligence observed a large-scale npm supply chain attack affecting 140+ packages across the mastra and @mastra scopes on the npm registry. Microsoft shared its findings with the npm security team; the compromised packages have been removed, and the attacker’s publish access to the @mastra scope has been revoked. The compromise originated from the takeover of the ehindero npm maintainer account, which had publish rights across the Mastra ecosystem and was used to publish poisoned package versions that introduced easy-day-js, a malicious typosquat of the …
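A lockfile check for the dependency named above, as an added example that is not taken from Microsoft's report: it walks a parsed package-lock.json (the v1 dependency tree or the v2/v3 packages map) and lists where easy-day-js is installed and which packages declare it. The function names and the sample lockfile are assumptions made for the illustration.

```javascript
// Added example. easy-day-js and the mastra / @mastra scopes come from the report;
// every other package name and all versions below are constructed.
const MALICIOUS_DEP = 'easy-day-js';

// Package name from a lockfile v2/v3 key like "node_modules/a/node_modules/@s/b".
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

function inMastraScope(name) {
  return name === 'mastra' || name.startsWith('@mastra/');
}

// Flatten a lockfile v1 "dependencies" tree into the v2/v3 "packages" shape.
function flattenV1(deps, prefix = '', out = {}) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    out[path] = { version: entry.version, dependencies: entry.requires };
    flattenV1(entry.dependencies, `${path}/`, out);
  }
  return out;
}

// Report where the typosquat is installed and which packages declare it.
function scanLockfile(lock) {
  const packages = lock.packages || flattenV1(lock.dependencies);
  const findings = { installed: [], requiredBy: [] };
  for (const [path, entry] of Object.entries(packages)) {
    const name = path === '' ? (lock.name || '(root)') : nameFromPath(path);
    if (name === MALICIOUS_DEP) {
      findings.installed.push({ path, version: entry.version,
        hasInstallScript: entry.hasInstallScript === true });
    }
    const declared = { ...entry.dependencies, ...entry.optionalDependencies };
    if (MALICIOUS_DEP in declared) {
      findings.requiredBy.push({ name, version: entry.version,
        mastraScope: inMastraScope(name) });
    }
  }
  return findings;
}

const sampleLock = { name: 'demo-app', lockfileVersion: 3, packages: {
  '': { version: '1.0.0', dependencies: { '@mastra/example-pkg': '0.0.0' } },
  'node_modules/@mastra/example-pkg': { version: '0.0.0', dependencies: { 'easy-day-js': '0.0.0' } },
  'node_modules/easy-day-js': { version: '0.0.0', hasInstallScript: true },
} };
console.log(JSON.stringify(scanLockfile(sampleLock), null, 2));
```

To check a project, pass `scanLockfile` the parsed contents of its package-lock.json; `hasInstallScript` is the flag npm records in v2/v3 lockfiles for packages that declare install-time scripts.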
IoC