[TIMESTAMP: 2026-06-20 16:38 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

North Korean Sapphire Sleet Compromises 140+ Mastra AI npm Packages

CRITICAL | Supply Chain | #Sapphire Sleet | #BlueNoroff | #Mastra AI
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: North Korean threat actors compromised the Mastra AI ecosystem to distribute malicious code through over 140 npm packages.
  • [02] Affected systems: Developers using the Mastra AI framework and associated npm packages are at risk of credential theft and compromise.
  • [03] Remediation: Organizations must audit npm dependency trees and rotate all credentials used within development environments exposed to these packages.

Microsoft threat researchers have identified a sophisticated supply chain attack targeting the Mastra AI framework, an open-source toolset for building AI agents. This campaign has been attributed to Sapphire Sleet, a North Korean APT group also known as BlueNoroff. According to Bleeping Computer, the threat actors successfully compromised more than 140 npm packages, using them as a delivery mechanism for malicious payloads aimed at developers and cryptocurrency-related targets.

Analyzing the Sapphire Sleet Mastra AI Supply Chain Attack

The operation began with highly targeted social engineering campaigns conducted on professional networking platforms. Sapphire Sleet operators frequently pose as recruiters, technical leads, or collaborative developers to establish rapport with their targets. This specific campaign highlights the effectiveness of BlueNoroff social engineering on LinkedIn, where the actors lured developers into downloading or contributing to repositories that appeared legitimate but contained malicious code.

Once the actors gained a foothold within the Mastra AI development environment, they leveraged their access to inject malicious scripts into various npm packages. These packages, when pulled into a developer's local environment or integrated into a CI/CD pipeline, would execute unauthorized code. This technique allows the attackers to bypass traditional perimeter defenses by piggybacking on trusted development tools and open-source ecosystems. The ultimate objective appears to be the exfiltration of sensitive data, specifically credentials, environment variables, and cryptocurrency wallet seeds.

Technical Execution and Impact

Unlike broad-spectrum phishing campaigns, Sapphire Sleet's approach is surgical. By compromising the Mastra AI framework, the group targets the burgeoning field of AI development, which often involves high-value intellectual property and access to sensitive cloud infrastructure. The malicious npm packages were designed to remain dormant until specific conditions were met, making detection difficult for standard EDR solutions that focus on signature-based identification.

Upon execution, the malicious code typically attempts to establish a C2 connection to download secondary payloads. These payloads are often designed for privilege escalation and lateral movement within the victim's network. Microsoft's analysis indicates that the group used several indicators of compromise (IoCs) consistent with previous BlueNoroff activity, including specific domain registration patterns and obfuscation techniques identified in the MITRE ATT&CK framework.

Recommendations for Defenders

To mitigate the risks associated with this campaign, organizations must move beyond simple dependency management. Security teams should implement automated scanning that detects malicious npm packages in CI/CD pipelines before they are merged into production branches. This includes verifying the integrity of package-lock.json files and using tools that perform behavioral analysis on third-party scripts.

  1. Audit Dependency Trees: Conduct a thorough review of all npm dependencies, specifically looking for packages associated with the Mastra AI framework or any package added within the last 30 days.
  2. Rotate Credentials: If any developer in your organization has interacted with the compromised Mastra AI packages, assume all local environment variables and saved credentials (SSH keys, AWS tokens, etc.) are compromised and rotate them immediately.
  3. Enforce Code Signing: Implement strict code-signing requirements for all internal and external packages used in the build process.
  4. Network Monitoring: Monitor for unusual outbound traffic to unknown domains from developer workstations, as this may indicate C2 communication.
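One way to start the dependency-tree audit and the package-lock.json integrity check in CI, as an added example that is not code from this article or from Microsoft's analysis. The watchlist entries, the `auditLockfile` helper and the sample lockfile are assumptions constructed for illustration; take the real package names from the vendor advisory.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// WATCH is an assumed watchlist: entries ending in "/" match a whole scope,
// other entries match an exact package name.
const WATCH = ["@mastra/", "mastra"];
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

function auditLockfile(lock, watch = WATCH) {
  const findings = [];
  for (const [path, e] of Object.entries(lock.packages || {})) {
    if (path === "" || e.link) continue; // root project or workspace symlink
    const name = packageName(path);
    const reasons = [];
    if (watch.some((p) => (p.endsWith("/") ? name.startsWith(p) : name === p)))
      reasons.push("watchlisted-name");
    // Bundled dependencies legitimately carry no integrity field of their own.
    if (!e.inBundle && !e.integrity) reasons.push("missing-integrity");
    else if (e.integrity && !e.integrity.startsWith("sha512-"))
      reasons.push("weak-integrity-hash");
    // Tarballs or git URLs outside the expected registry bypass its controls.
    if (e.resolved && !e.resolved.startsWith(TRUSTED_REGISTRY))
      reasons.push("untrusted-source");
    // Install scripts run code at `npm install` time, before any review.
    if (e.hasInstallScript) reasons.push("install-script");
    if (reasons.length) findings.push({ name, version: e.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile; every name, version and hash is a placeholder.
const REG = TRUSTED_REGISTRY;
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@mastra/example-pkg": { version: "0.0.0", hasInstallScript: true,
    resolved: REG + "@mastra/example-pkg/-/example-pkg-0.0.0.tgz", integrity: "sha512-CONSTRUCTED==" },
  "node_modules/example-clean": { version: "1.0.0",
    resolved: REG + "example-clean/-/example-clean-1.0.0.tgz", integrity: "sha512-CONSTRUCTED==" },
  "node_modules/example-utils": { version: "2.0.0",
    resolved: "https://packages.example.invalid/example-utils-2.0.0.tgz" },
  "node_modules/example-clean/node_modules/example-legacy": { version: "0.1.0",
    resolved: REG + "example-legacy/-/example-legacy-0.1.0.tgz", integrity: "sha1-CONSTRUCTED=" },
} };

for (const f of auditLockfile(SAMPLE_LOCK))
  console.log(`${f.name}@${f.version}: ${f.reasons.join(", ")}`);
```

In a pipeline, pass the parsed contents of the repository's own package-lock.json to `auditLockfile` and fail the job when it returns findings that have not been reviewed.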

By adopting a Zero Trust approach to third-party code, organizations can better protect their development environments from nation-state actors who increasingly view the software supply chain as the path of least resistance.
