North Korean Hackers Behind Recent Mastra AI Supply Chain Attack, Microsoft Says
Microsoft has identified the North Korean hacking group Sapphire Sleet, also known as BlueNoroff, as the perpetrator of a supply chain attack that targeted more than 140 npm packages. The attribution follows Microsoft’s disclosure earlier this week that attackers compromised an npm maintainer account and used it to publish malicious package updates.
Microsoft’s June 19 update confidently attributes the activity to Sapphire Sleet, a North Korean state actor that primarily focuses on targeting the financial sector.
The attack originated when threat actors compromised the npm maintainer account “ehindero,” which had publishing privileges across the Mastra package environment. Using this account, the attackers injected malicious updates into more than 140 packages in the @mastra scope, introducing a malicious dependency named “easy-day-js” as a typosquat of the legitimate dayjs JavaScript library.
Upon installation of the compromised packages, the malicious dependency executed a post-install hook that deployed a malware dropper on developers’ devices. The goal of this malware was to steal sensitive credentials, API keys, authentication tokens, and cryptocurrency wallets.
Microsoft explains that the “easy-day-js” dependency triggered a post-install hook, executing an obfuscated dropper script. This script disabled Transport Layer Security (TLS) certificate verification, connected to attacker-controlled command-and-control infrastructure, downloaded a second-stage payload, and ran the payload as a hidden process.
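As an added illustration (not code from Microsoft, Mastra or the article), the following Node.js script shows the kind of check a defender can run over a dependency tree to surface the traits described above: packages that declare install-time lifecycle scripts, install scripts that switch off TLS verification or spawn hidden processes, and package names that resemble a well-known library the way easy-day-js resembles dayjs. The package records, script contents, known-name list and indicator patterns are all constructed for the example; the lookalike rule goes a little beyond the single case on the page by also flagging names within two edits of a known name.

```javascript
// Added example, not code from Microsoft, Mastra or the npm project.
// Audits installed-package records for two traits of the easy-day-js
// dependency: an install-time lifecycle script and a name resembling a
// well-known library. All sample data below is constructed.

// Lifecycle hooks that npm runs automatically during installation.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Generic indicators chosen for this example: TLS verification switched off,
// a hidden child process, dynamic evaluation, or base64-decoded payloads.
const SUSPICIOUS_PATTERNS = [
  /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0/,
  /rejectUnauthorized\s*:\s*false/,
  /windowsHide\s*:\s*true/,
  /\beval\s*\(/,
  /Buffer\.from\([^)]*['"]base64['"]\)/,
];

// Levenshtein edit distance computed over a single working row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // holds D[i-1][j-1] as j advances
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Drop a scope prefix and separators so "easy-day-js" compares as "easydayjs".
function normalizeName(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, "").replace(/[-_.]/g, "");
}

// Returns the known library name a package name resembles, or null.
function findLookalike(name, knownNames) {
  const candidate = normalizeName(name);
  const normalizedKnown = knownNames.map(normalizeName);
  if (normalizedKnown.includes(candidate)) return null; // it is the real package
  for (let i = 0; i < knownNames.length; i++) {
    const k = normalizedKnown[i];
    if (editDistance(candidate, k) <= 2) return knownNames[i];
    if (k.length >= 4 && candidate.includes(k)) return knownNames[i];
  }
  return null;
}

// Returns findings for one package record ({ name, scripts, files }).
function auditPackage(pkg, knownNames) {
  const findings = [];
  const scripts = pkg.scripts || {};
  const files = pkg.files || {};
  for (const hook of INSTALL_HOOKS) {
    const body = scripts[hook];
    if (typeof body !== "string") continue;
    // Scan the hook command itself plus any bundled file it invokes.
    const sources = [body];
    for (const [fileName, content] of Object.entries(files)) {
      if (body.includes(fileName)) sources.push(content);
    }
    const matched = SUSPICIOUS_PATTERNS.filter((re) => sources.some((s) => re.test(s)));
    findings.push({
      package: pkg.name,
      kind: matched.length ? "suspicious-install-hook" : "install-hook",
      detail: `${hook}: ${body}`,
      indicators: matched.map(String),
    });
  }
  const lookalike = findLookalike(pkg.name, knownNames);
  if (lookalike) {
    findings.push({ package: pkg.name, kind: "lookalike-name", detail: `name resembles ${lookalike}` });
  }
  return findings;
}

function auditTree(packages, knownNames) {
  return packages.flatMap((pkg) => auditPackage(pkg, knownNames));
}

// Constructed sample records, shaped like node_modules/<pkg>/package.json
// plus the contents of the script file a hook runs.
const SAMPLE_PACKAGES = [
  { name: "dayjs", scripts: { test: "jest" } },
  {
    name: "easy-day-js",
    scripts: { postinstall: "node setup.js" },
    files: {
      "setup.js":
        "process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';\n" +
        "const { spawn } = require('child_process');\n" +
        "spawn(process.execPath, ['stage2.js'], { detached: true, windowsHide: true });\n",
    },
  },
  { name: "native-addon-example", scripts: { install: "node-gyp-build" } },
];
const KNOWN_NAMES = ["dayjs", "lodash", "axios"];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditTree(SAMPLE_PACKAGES, KNOWN_NAMES)) {
    console.log(`${f.kind.padEnd(24)} ${f.package}: ${f.detail}`);
  }
}
```

In practice the records would be built by reading each `node_modules/<name>/package.json` and the script files referenced there. A plain `install-hook` finding is common for native add-ons and only warrants a look; a `suspicious-install-hook` or `lookalike-name` finding should block the install until reviewed. Installing with npm's `--ignore-scripts` option and enabling hooks only for reviewed packages removes the execution path the dropper relied on.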
Cross-Platform Malware Targets Crypto Wallets
The second-stage payload was a cross-platform information stealer designed to target Windows, Linux, and macOS systems. It collected host information, browser histories, installed applications, and running processes. Additionally, it checked for the presence of 166 cryptocurrency wallet browser extensions, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink.
The malware implemented various persistence methods based on the operating system, such as Windows Registry Run keys, macOS LaunchAgents, and Linux systemd services.
[Figure: Mastra npm supply chain compromise. Source: Microsoft]
Systems communicating with the attackers’ command-and-control servers exhibited follow-on activity aligned with tactics previously associated with Sapphire Sleet. This included deploying a PowerShell backdoor, additional persistence mechanisms, Microsoft Defender exclusions, and a malicious Windows service granting SYSTEM privileges.
Microsoft noted that Sapphire Sleet is a North Korean state-sponsored threat actor known for cryptocurrency theft campaigns, malicious browser extensions, fake job offers, and software supply chain compromises aimed at stealing credentials and cryptocurrency assets. The group was also responsible for a previous npm supply chain attack on the Axios HTTP client in April 2026.