Sapphire Sleet: 144 npm Packages Backdoored

2026-06-24 Decryption Digest

https://www.decryptiondigest.com/blog/sapphire-sleet-mastra-npm-supply-chain-attack


Sapphire Sleet compromised the `ehindero` npm maintainer account and injected the malicious `[email protected]` dependency into 144 Mastra AI npm packages during an 88-minute window on June 17, 2026. The postinstall hook executed an obfuscated JavaScript dropper that downloaded a cross-platform tasking client, established persistence on Windows, macOS, and Linux, and polled attacker infrastructure for commands. The payload targeted 166 browser cryptocurrency wallet extensions and exposed browser data, secrets, tokens, and CI/CD environment credentials. Microsoft attributed the Mastra supply-chain compromise to Sapphire Sleet, a North Korean group focused on cryptocurrency theft and developer toolchains.

Indicators of Compromise

Type    Value                              First Seen   Last Seen
HASH    b73de25c053c3225a077738a1fcbd9c…   2026-06-17   2026-06-24
HASH    ae70dd4f6bc0d1c8c2848e4e6b51934…   2026-06-17   2026-06-24
HASH    b122a9873bedf145ae2a7fd024b5f30…   2026-06-17   2026-06-24
DOMAIN  maskasd.com                        2026-06-17   2026-06-24
DOMAIN  teams.onweblive.org                2026-06-17   2026-06-24
IPv4    23.254.164.123                     2026-06-16   2026-06-24
IPv4    23.254.164.92                      2026-06-16   2026-06-24
