{"id":13778,"date":"2026-06-22T10:03:54","date_gmt":"2026-06-22T10:03:54","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/22\/north-korean-hackers-abuse-mastra-npm-supply-chain-to-target-developers-and-ci-cd-pipelines\/"},"modified":"2026-06-22T10:03:54","modified_gmt":"2026-06-22T10:03:54","slug":"north-korean-hackers-abuse-mastra-npm-supply-chain-to-target-developers-and-ci-cd-pipelines","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/22\/north-korean-hackers-abuse-mastra-npm-supply-chain-to-target-developers-and-ci-cd-pipelines\/","title":{"rendered":"North Korean Hackers Abuse Mastra npm Supply Chain to Target Developers and CI\/CD Pipelines"},"content":{"rendered":"<p>North Korean Hackers Abuse Mastra npm Supply Chain to Target Developers and CI\/CD Pipelines<\/p>\n<div>\n<p class=\"wp-block-paragraph\">North Korean hackers have turned a widely used developer tool into a weapon, quietly poisoning more than 140 software packages that developers across the world rely on every day. 
<\/p>\n<p class=\"wp-block-paragraph\">The campaign is sophisticated, stealthy, and far-reaching, raising urgent questions about the safety of the open-source supply chain.<\/p>\n<p class=\"wp-block-paragraph\">The attack targeted the Mastra ecosystem on the npm registry, a package manager used by millions of 
developers to build JavaScript applications. <\/p>\n<p class=\"wp-block-paragraph\">The threat actor gained access to a legitimate account and pushed malicious code into over 140 packages at once, meaning any developer or automated build system that ran a standard install command was potentially exposed without any warning.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/17\/postinstall-payload-inside-mastra-npm-supply-chain-compromise\/\" id=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/17\/postinstall-payload-inside-mastra-npm-supply-chain-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Analysts at\u00a0Microsoft\u00a0said in a report<\/a> shared with Cyber Security News (CSN) that they identified the compromise through unusual publishing patterns on the Mastra package. <\/p>\n<p class=\"wp-block-paragraph\">The team traced the intrusion back to Sapphire Sleet, a North Korean state-sponsored group known for targeting the finance and cryptocurrency sectors since at least March 2020.<\/p>\n<p class=\"wp-block-paragraph\">The attack began with the takeover of the ehindero npm maintainer account, which held publish rights across the entire Mastra package scope. <\/p>\n<p class=\"wp-block-paragraph\">The attacker then introduced a <a href=\"https:\/\/cybersecuritynews.com\/hackers-use-fake-gemini-npm-package\/\" id=\"146837\" target=\"_blank\" rel=\"noreferrer noopener\">fake package called easy-day-js, built to impersonate the popular dayjs library<\/a> that sees over 57 million downloads each week. <\/p>\n<p class=\"wp-block-paragraph\">From there, every compromised Mastra package was updated to pull in easy-day-js as a new dependency, expanding the attack\u2019s reach instantly.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhhMH91Q_iAWITbY3QXlXK5B-kH0_l0EdLeOAHb8MMShQ6wA7xMsCc0WL3jmrmunGotHwazHeatu7K2HZnQD1FbOXg9w5qgXvgnmyJ4p3_s6XKmW5inltnGE0Bsj-HG3DYuFRkYdoVNKbB1airoK8fkpciNfuPaUJG5S7AFjNNKN4YSGPGMulfVPW5zsvA\/s16000\/End-to-end%2520attack%2520chain%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\" alt=\"End-to-end attack chain (Source - Microsoft)\"><figcaption class=\"wp-element-caption\">End-to-end attack chain (Source \u2013 Microsoft)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">What made this especially dangerous is that the malicious code ran automatically the moment a developer installed any 
affected package, even if they never directly used it in their own application code. <\/p>\n<p class=\"wp-block-paragraph\">That single design choice put developer workstations, build servers, and automated CI\/CD pipelines all at risk at the same time.<\/p>\n<h2 
id=\"h-north-korean-hackers-abuse-mastra-npm-supply-chain\" class=\"wp-block-heading\"><strong>North Korean Hackers Abuse Mastra npm Supply Chain<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The attack followed a clever two-phase delivery strategy. First, a clean version of easy-day-js was published to establish the package as legitimate on the registry. <\/p>\n<p class=\"wp-block-paragraph\">The next day, a weaponized version was released that added a hidden postinstall hook, a script that fires automatically whenever the package is installed.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/remcos-rat-infection-chain-hides-behind-obfuscated\/\" id=\"146390\" target=\"_blank\" rel=\"noreferrer noopener\">That hook executed an obfuscated dropper script<\/a>, bypassed standard security certificate checks, and reached out to attacker-controlled servers to fetch a second-stage payload. <\/p>\n<p class=\"wp-block-paragraph\">The payload was then launched as a silent background process, making it hard to spot during a normal development session. The second-stage implant was a fully featured tasking client capable of running arbitrary commands sent by the attackers at any time.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjvQB3i09L7jkVuJ4MwQfvo_fWgAXJwEwFisve1DDcsXevdmMlA1sM7pOKMkOK4Z6fmx2IQ7DTq23dtF6CazdCA_saNc3VDhCXbTVZY7pC2MT31r5Mwpu7aDmV9EBHcsemIu_3vMhbcrjWNKaQ3Tb3GSHEXME5frocZJ6B97SNf8SVkDxZMQCgYNhb1pWA\/s16000\/The%2520obfuscated%2520setup.cjs%2520dropper%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\" alt=\"The obfuscated setup.cjs dropper (Source - Microsoft)\"><figcaption class=\"wp-element-caption\">The obfuscated setup.cjs dropper (Source \u2013 Microsoft)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">On Windows systems, the implant went further by injecting code directly into memory without writing files to disk, a technique that helps it evade many traditional security tools. 
<\/p>\n<p class=\"wp-block-paragraph\">It collected installed applications, browser extensions tied to cryptocurrency wallets, and browsing history before sending everything back to the attackers. <\/p>\n<p class=\"wp-block-paragraph\">Sapphire Sleet then delivered a separate PowerShell backdoor on high-value targets, granting persistent and elevated access to compromised machines.<\/p>\n<h2 id=\"h-persistence-exfiltration-and-defense-evasion\" class=\"wp-block-heading\"><strong>Persistence, Exfiltration, and Defense Evasion<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Once inside a system, the implant made itself hard to remove by installing persistence across all three major operating systems. <\/p>\n<p class=\"wp-block-paragraph\">On Windows it used a registry Run key, on macOS a LaunchAgent, and on Linux a systemd service, all disguised under names that mimic legitimate Node.js tools to blend into a developer\u2019s normal environment.<\/p>\n<p class=\"wp-block-paragraph\">The backdoor added a Microsoft Defender exclusion to suppress detection and registered a service that loads a malicious file on every system boot. <\/p>\n<p class=\"wp-block-paragraph\">It also set up a persistence loader that fetches fresh payloads from the attackers on every login, letting them silently swap out code without touching the endpoint. <\/p>\n<p class=\"wp-block-paragraph\">Collected data was sent back using a spoofed <a href=\"https:\/\/cybersecuritynews.com\/managing-network-security-risks-for-hybrid-teams\/\" id=\"130586\" target=\"_blank\" rel=\"noreferrer noopener\">legacy browser identity to avoid triggering network-based security alerts<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft recommends that developers review their dependency trees for any affected Mastra packages and check for easy-day-js in their project files. 
<\/p>\n<p class=\"wp-block-paragraph\">Running npm install with the --ignore-scripts flag prevents postinstall hooks from running automatically. Teams should also rotate credentials or API keys present on potentially exposed systems and block the attacker-controlled IP addresses at the network perimeter.<\/p>\n<p 
class=\"wp-block-paragraph\" id=\"h-indicators-of-compromise-iocs\"><strong>Indicators of Compromise (IoCs):-<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>IP Address<\/td>\n<td>23.254.164.92<\/td>\n<td>Primary C2 server<\/td>\n<\/tr>\n<tr>\n<td>IP Address<\/td>\n<td>23.254.164.123<\/td>\n<td>Secondary C2 address (from deobfuscated strings)<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td>https[:]\/\/23[.]254[.]164[.]92:8000\/update\/49890878<\/td>\n<td>Payload download endpoint<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>teams[.]onweblive[.]org<\/td>\n<td>Post-compromise PowerShell backdoor delivery domain<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td>https[:]\/\/teams[.]onweblive[.]org\/api\/update\/8555575039\/4<\/td>\n<td>Post-compromise PowerShell backdoor download endpoint<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>maskasd[.]com<\/td>\n<td>Post-compromise C2 beacon domain<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td>https[:]\/\/maskasd[.]com\/8555575039<\/td>\n<td>Post-compromise C2 beacon endpoint<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>B122A9873BEDF145AE2A7FD024B5F309007DBB025149F4DC4AC3F7E4F32A36A4<\/td>\n<td>setup.cjs (malicious postinstall dropper)<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>AE70DD4F6BC0D1C8C2848E4E6B51934626C4818DCB5AF99D080DDBD7DC337185<\/td>\n<td>easy-day-js-1.11.22.tgz (weaponized tarball)<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>4A8860240E4231C3A74C81949BE655A28E096A7D72F38FBE84E5B37636B98417<\/td>\n<td>easy-day-js-1.11.21.tgz (clean bait tarball)<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>B73DE25C053C3225A077738A1FCBD9CA6966D7B3CD6F5494A30F0AA0EAE55C7E<\/td>\n<td>mastra-1.13.1.tgz (compromised CLI 
tarball)<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf<\/td>\n<td>protocol.cjs<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>50eae63d3e24be9ca8803f4b5a0408aef97ee3fab7af018d8c2dde7c359edd65<\/td>\n<td>Downloader and backdoor PowerShell script<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>1d1bf5e8c1539d2f05b1429235b8f4990f87036774be95157b315a7803dd5526<\/td>\n<td>Second-stage PowerShell script<\/td>\n<\/tr>\n<tr>\n<td>File Artifact<\/td>\n<td>$TMPDIR\/.pkg_history<\/td>\n<td>Contains the install path of the compromised package<\/td>\n<\/tr>\n<tr>\n<td>File Artifact<\/td>\n<td>$TMPDIR\/.pkg_logs<\/td>\n<td>Contains XOR 0x80 encoded string \u201ceasy-day-js\u201d<\/td>\n<\/tr>\n<tr>\n<td>File Artifact<\/td>\n<td>&lt;homedir&gt;\/&lt;random_hex&gt;.js<\/td>\n<td>Downloaded second-stage payload<\/td>\n<\/tr>\n<tr>\n<td>npm Package<\/td>\n<td>easy-day-js<\/td>\n<td>Malicious typosquat of dayjs<\/td>\n<\/tr>\n<tr>\n<td>npm Account<\/td>\n<td>sergey2016<\/td>\n<td>Publisher of easy-day-js<\/td>\n<\/tr>\n<tr>\n<td>npm Account<\/td>\n<td>ehindero<\/td>\n<td>Compromised publisher of 140+ Mastra packages<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. 
Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/north-korean-hackers-abuse-mastra-npm-supply-chain\/\">North Korean Hackers Abuse Mastra npm Supply Chain to Target Developers and CI\/CD Pipelines<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>North Korean Hackers Abuse Mastra npm Supply Chain to Target Developers and CI\/CD Pipelines North Korean hackers have turned a widely used developer tool into a weapon, quietly poisoning more than 140 software packages that developers across the world rely on every day. 
The campaign is sophisticated, stealthy, and far-reaching, raising urgent questions about the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-13778","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13778"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13778"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13778\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13778"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13778"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13778"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}