North Korean Hackers Abuse Mastra npm Supply Chain to Target Developers and CI/CD Pipelines
North Korean hackers have turned a widely used developer tool into a weapon, quietly poisoning more than 140 software packages that developers across the world rely on every day.
The campaign is sophisticated, stealthy, and far-reaching, raising urgent questions about the safety of the open-source supply chain.
The attack targeted the Mastra ecosystem on the npm registry, the package repository behind the npm package manager that millions of developers use to build JavaScript applications.
The threat actor gained access to a legitimate account and pushed malicious code into over 140 packages at once, meaning any developer or automated build system that ran a standard install command was potentially exposed without any warning.
Analysts at Microsoft said in a report shared with Cyber Security News (CSN) that they identified the compromise through unusual publishing patterns on the Mastra package.
The team traced the intrusion back to Sapphire Sleet, a North Korean state-sponsored group known for targeting the finance and cryptocurrency sectors since at least March 2020.
The attack began with the takeover of the ehindero npm maintainer account, which held publish rights across the entire Mastra package scope.
The attacker then introduced a fake package called easy-day-js, built to impersonate the popular dayjs library that sees over 57 million downloads each week.
From there, every compromised Mastra package was updated to pull in easy-day-js as a new dependency, expanding the attack’s reach instantly.

What made this especially dangerous is that the malicious code ran automatically the moment a developer installed any affected package, even if they never directly used it in their own application code.
That single design choice put developer workstations, build servers, and automated CI/CD pipelines all at risk at the same time.
North Korean Hackers Abuse Mastra npm Supply Chain
The attack followed a clever two-phase delivery strategy. First, a clean version of easy-day-js was published to establish the package as legitimate on the registry.
The next day, a weaponized version was released that added a hidden postinstall hook, a script that fires automatically whenever the package is installed.
That hook executed an obfuscated dropper script, disabled TLS certificate validation so that it could reach attacker-controlled servers over HTTPS regardless of the certificate they presented, and fetched a second-stage payload from them.
The payload was then launched as a silent background process, making it hard to spot during a normal development session. The second-stage implant was a fully featured tasking client capable of running arbitrary commands sent by the attackers at any time.

On Windows systems, the implant went further by injecting code directly into memory without writing files to disk, a technique that helps it evade many traditional security tools.
It collected installed applications, browser extensions tied to cryptocurrency wallets, and browsing history before sending everything back to the attackers.
Sapphire Sleet then delivered a separate PowerShell backdoor on high-value targets, granting persistent and elevated access to compromised machines.
Persistence, Exfiltration, and Defense Evasion
Once inside a system, the implant made itself hard to remove by installing persistence across all three major operating systems.
On Windows it used a registry Run key, on macOS a LaunchAgent, and on Linux a systemd service, all disguised under names that mimic legitimate Node.js tools to blend into a developer’s normal environment.
The backdoor added a Microsoft Defender exclusion to suppress detection and registered a service that loads a malicious file on every system boot.
It also set up a persistence loader that fetches fresh payloads from the attackers on every login, letting them silently swap out code without touching the endpoint.
Collected data was sent back with a forged User-Agent header that mimics an older browser, so the traffic would blend in and avoid triggering network-based security alerts.
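The host artifacts the IoC table below lists (the XOR-0x80-encoded marker in $TMPDIR/.pkg_logs, the install path in $TMPDIR/.pkg_history, the hex-named second-stage script in the home directory, and a persistence entry that launches it) can be checked together in one pass. The following Node.js triage helper is an added example written for this article, not Microsoft's or the Mastra project's code. It runs over a snapshot of those locations that a collector would have gathered; the snapshot here is constructed, the persistence entry names in it are assumptions (the article says only that they mimic Node.js tools), and the minimum hex-name length of 8 is an assumption since the article gives only <random_hex>.js.

```javascript
// Added example for this article (not Microsoft's or Mastra's code): triage the
// host artifacts from the IoC table against a collected snapshot of the machine.

const MARKER = "easy-day-js";

// $TMPDIR/.pkg_logs holds the package name with every byte XOR-ed with 0x80;
// XOR is its own inverse, so the same function encodes and decodes.
function xor80(bytes) {
  return Buffer.from(Array.from(bytes, (b) => b ^ 0x80));
}

// The second stage lands as <homedir>/<random_hex>.js. Assumption: at least
// 8 hex digits; the article does not give the length.
const HEX_JS = /^[0-9a-f]{8,}\.js$/i;

// snapshot = { tmpFiles: { name: Buffer }, homeFiles: [name],
//              persistence: [{ type, name, exec }] }
function triageHost(snapshot) {
  const findings = [];

  const logs = snapshot.tmpFiles[".pkg_logs"];
  if (logs && xor80(logs).toString("latin1").includes(MARKER)) {
    findings.push({ kind: "pkg_logs", detail: `$TMPDIR/.pkg_logs decodes to "${MARKER}"` });
  }

  const hist = snapshot.tmpFiles[".pkg_history"];
  if (hist) {
    findings.push({ kind: "pkg_history", detail: `install path recorded: ${hist.toString("utf8").trim()}` });
  }

  const stagers = snapshot.homeFiles.filter((f) => HEX_JS.test(f));
  for (const f of stagers) {
    findings.push({ kind: "second_stage", detail: `hex-named script in home directory: ${f}` });
  }

  // Run key / LaunchAgent / systemd unit whose command line executes one of
  // the hex-named scripts found above.
  for (const p of snapshot.persistence) {
    if (stagers.some((f) => p.exec.includes(f))) {
      findings.push({ kind: "persistence", detail: `${p.type} "${p.name}" runs ${p.exec}` });
    }
  }
  return findings;
}

// Constructed snapshot of a compromised Linux developer box. The unit name is
// an assumption: the article says only that persistence names mimic Node.js tools.
const SUSPECT_HOST = {
  tmpFiles: {
    ".pkg_history": Buffer.from("/home/dev/app/node_modules/easy-day-js\n"),
    ".pkg_logs": xor80(Buffer.from(MARKER)),
  },
  homeFiles: [".bashrc", ".npmrc", "9f3a7c1e2b4d.js"],
  persistence: [
    { type: "systemd", name: "node-update.service", exec: "/usr/bin/node /home/dev/9f3a7c1e2b4d.js" },
  ],
};

// Constructed snapshot of a clean macOS developer box.
const CLEAN_HOST = {
  tmpFiles: {},
  homeFiles: [".zshrc", "notes.js"],
  persistence: [
    { type: "launchagent", name: "com.example.helper", exec: "/Applications/SomeTool.app/Contents/MacOS/helper" },
  ],
};

for (const f of triageHost(SUSPECT_HOST)) console.log(`[${f.kind}] ${f.detail}`);
```

A real collector would fill the snapshot from $TMPDIR, the home directory listing, HKCU\...\Run, ~/Library/LaunchAgents and the user and system systemd unit directories; the matching logic does not change. A persistence entry is only reported when it points at a hex-named script, so legitimate Node.js tooling under a similar name is not flagged on its own.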
Microsoft recommends that developers review their dependency trees for any affected Mastra packages and check for easy-day-js in lockfiles and node_modules.
Running `npm install --ignore-scripts` (or setting `ignore-scripts=true` in .npmrc) prevents postinstall hooks from running automatically; note that this disables every lifecycle script, including the legitimate ones some packages use to build native modules, so those then have to be run deliberately. Teams should also rotate credentials, tokens and API keys present on potentially exposed systems, including npm publish tokens and CI secrets, and block the attacker-controlled IP addresses and domains at the network perimeter.
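The postinstall mechanism described above and the dependency review Microsoft recommends can both be checked from a project's package-lock.json. The following Node.js script is an added example written for this article, not code from Microsoft or the Mastra project: it flags easy-day-js at any version, reports which packages pull it in, and lists every package the lockfile marks as running install scripts (the hasInstallScript flag of lockfile v2/v3; v1 lockfiles carry no such flag and are walked only for the name checks). Both sample lockfiles are constructed; the dependency range on easy-day-js, the esbuild entry and the clean mastra version are placeholders, not data from the article.

```javascript
// Added example for this article (not Microsoft's or Mastra's code): scan a
// package-lock.json for the easy-day-js typosquat and for install-time hooks.

const KNOWN_MALICIOUS = new Set(["easy-day-js"]); // package name from the IoC table

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/b"; the package
// name is everything after the last "node_modules/".
function packageName(lockKey) {
  const marker = "node_modules/";
  const i = lockKey.lastIndexOf(marker);
  return i === -1 ? lockKey : lockKey.slice(i + marker.length);
}

// Normalise both lockfile formats into a flat list of
// { name, version, installScript, deps }.
function flattenPackages(lock) {
  const out = [];
  if (lock.packages) { // lockfile v2/v3: flat map keyed by install path
    for (const [key, meta] of Object.entries(lock.packages)) {
      out.push({
        name: key === "" ? (lock.name || "(root)") : packageName(key),
        version: meta.version || "",
        installScript: meta.hasInstallScript === true,
        deps: Object.keys(meta.dependencies || {}),
      });
    }
  } else if (lock.dependencies) { // lockfile v1: nested tree, no install-script flag
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps)) {
        out.push({ name, version: meta.version || "", installScript: false, deps: Object.keys(meta.requires || {}) });
        if (meta.dependencies) walk(meta.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return out;
}

function scanLockfile(text) {
  const pkgs = flattenPackages(JSON.parse(text));
  const tag = (p) => `${p.name}@${p.version}`;
  const malicious = pkgs.filter((p) => KNOWN_MALICIOUS.has(p.name)).map(tag);
  const dependents = pkgs.filter((p) => p.deps.some((d) => KNOWN_MALICIOUS.has(d))).map(tag);
  const installScripts = pkgs.filter((p) => p.installScript).map(tag);
  return { malicious, dependents, installScripts, clean: malicious.length === 0 && dependents.length === 0 };
}

// Constructed v3 lockfile for a project that pulls the compromised mastra 1.13.1
// build; the dependency range on easy-day-js and the esbuild entry are placeholders.
const SAMPLE_LOCKFILE_V3 = JSON.stringify({
  name: "demo-app", version: "1.0.0", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { mastra: "^1.13.0", dayjs: "^1.11.0" } },
    "node_modules/dayjs": { version: "1.11.13" },
    "node_modules/mastra": { version: "1.13.1", dependencies: { "easy-day-js": "^1.11.22" } },
    "node_modules/easy-day-js": { version: "1.11.22", hasInstallScript: true },
    "node_modules/esbuild": { version: "0.21.5", hasInstallScript: true },
  },
});

// Constructed v1 lockfile for the same project before the compromised release
// (the mastra version here is a placeholder, not a known-clean release).
const SAMPLE_LOCKFILE_V1 = JSON.stringify({
  name: "demo-app", lockfileVersion: 1,
  dependencies: {
    dayjs: { version: "1.11.13" },
    mastra: { version: "1.0.0", requires: { dayjs: "^1.11.0" } },
  },
});

// Usage: node scan-lockfile.js [path/to/package-lock.json]; without an argument
// the constructed v3 sample is scanned.
if (typeof require === "function" && process.argv[2]) {
  const text = require("fs").readFileSync(process.argv[2], "utf8");
  console.log(JSON.stringify(scanLockfile(text), null, 2));
} else {
  console.log(JSON.stringify(scanLockfile(SAMPLE_LOCKFILE_V3), null, 2));
}
```

Packages that appear only under installScripts are not malicious by that fact alone (native-module builds use the same hook), but they are exactly the set that would have executed code during npm install, so they are the ones to review after an incident like this one. The integrity field in a lockfile is a sha512 digest, so the SHA-256 tarball hashes in the IoC table have to be checked against the downloaded .tgz files themselves rather than against the lockfile.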
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 23.254.164.92 | Primary C2 server |
| IP Address | 23.254.164.123 | Secondary C2 address (from deobfuscated strings) |
| URL | https[:]//23[.]254[.]164[.]92:8000/update/49890878 | Payload download endpoint |
| Domain | teams[.]onweblive[.]org | Post-compromise PowerShell backdoor delivery domain |
| URL | https[:]//teams[.]onweblive[.]org/api/update/8555575039/4 | Post-compromise PowerShell backdoor download endpoint |
| Domain | maskasd[.]com | Post-compromise C2 beacon domain |
| URL | https[:]//maskasd[.]com/8555575039 | Post-compromise C2 beacon endpoint |
| SHA-256 | B122A9873BEDF145AE2A7FD024B5F309007DBB025149F4DC4AC3F7E4F32A36A4 | setup.cjs (malicious postinstall dropper) |
| SHA-256 | AE70DD4F6BC0D1C8C2848E4E6B51934626C4818DCB5AF99D080DDBD7DC337185 | easy-day-js-1.11.22.tgz (weaponized tarball) |
| SHA-256 | 4A8860240E4231C3A74C81949BE655A28E096A7D72F38FBE84E5B37636B98417 | easy-day-js-1.11.21.tgz (clean bait tarball) |
| SHA-256 | B73DE25C053C3225A077738A1FCBD9CA6966D7B3CD6F5494A30F0AA0EAE55C7E | mastra-1.13.1.tgz (compromised CLI tarball) |
| SHA-256 | 221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf | protocol.cjs |
| SHA-256 | 50eae63d3e24be9ca8803f4b5a0408aef97ee3fab7af018d8c2dde7c359edd65 | Downloader and backdoor PowerShell script |
| SHA-256 | 1d1bf5e8c1539d2f05b1429235b8f4990f87036774be95157b315a7803dd5526 | Second-stage PowerShell script |
| File Artifact | $TMPDIR/.pkg_history | Contains the install path of the compromised package |
| File Artifact | $TMPDIR/.pkg_logs | Contains XOR 0x80 encoded string “easy-day-js” |
| File Artifact | <homedir>/<random_hex>.js | Downloaded second-stage payload |
| npm Package | easy-day-js | Malicious typosquat of dayjs |
| npm Account | sergey2016 | Publisher of easy-day-js |
| npm Account | ehindero | Compromised publisher of 140+ Mastra packages |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post North Korean Hackers Abuse Mastra npm Supply Chain to Target Developers and CI/CD Pipelines appeared first on Cyber Security News.
Tushar Subhra Dutta