Microsoft has attributed a recent Mastra AI supply chain attack that compromised more than 140 npm packages to the North Korean hacking group Sapphire Sleet, also known as BlueNoroff.
This attribution comes after Microsoft first disclosed earlier this week that attackers hijacked an npm maintainer account and used it to publish malicious package updates.
"Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector," the company said in a June 19 update.
According to Microsoft, the attack began when threat actors compromised the npm maintainer account "ehindero," which had publishing privileges across the Mastra package environment.
Using the account, the attackers published malicious updates for more than 140 packages in the @mastra scope that injected a malicious dependency named "easy-day-js". This dependency is a typosquat of the legitimate and widely used dayjs JavaScript library.
