Sapphire Sleet: 144 npm Packages Backdoored
2026-06-24 • Decryption Digest
https://www.decryptiondigest.com/blog/sapphire-sleet-mastra-npm-supply-chain-attack
Sapphire Sleet compromised the `ehindero` npm maintainer account and injected the malicious `[email protected]` dependency into 144 Mastra AI npm packages during an 88-minute window on June 17, 2026. The postinstall hook executed an obfuscated JavaScript dropper that downloaded a cross-platform tasking client, established persistence on Windows, macOS, and Linux, and polled attacker infrastructure for commands. The payload targeted 166 browser cryptocurrency wallet extensions and exposed browser data, secrets, tokens, and CI/CD environment credentials. Microsoft attributed the Mastra supply-chain compromise to Sapphire Sleet, a North Korean group focused on cryptocurrency theft and developer toolchains.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | b73de25c053c3225a077738a1fcbd9c… | 2026-06-17 | 2026-06-24 |
| HASH | ae70dd4f6bc0d1c8c2848e4e6b51934… | 2026-06-17 | 2026-06-24 |
| HASH | b122a9873bedf145ae2a7fd024b5f30… | 2026-06-17 | 2026-06-24 |
| DOMAIN | maskasd.com | 2026-06-17 | 2026-06-24 |
| DOMAIN | teams.onweblive.org | 2026-06-17 | 2026-06-24 |
| IPv4 | 23.254.164.123 | 2026-06-16 | 2026-06-24 |
| IPv4 | 23.254.164.92 | 2026-06-16 | 2026-06-24 |