
North Korean Hackers Abuse Mastra npm Supply Chain to Target Developers and CI/CD Pipelines

North Korean hackers have turned a widely used developer tool into a weapon, quietly poisoning more than 140 software packages that developers across the world rely on every day.

The campaign is sophisticated, stealthy, and far-reaching, raising urgent questions about the safety of the open-source supply chain.

The attack targeted the Mastra ecosystem on npm, the package registry that millions of developers install JavaScript dependencies from.

The threat actor gained access to a legitimate account and pushed malicious code into over 140 packages at once, meaning any developer or automated build system that ran a standard install command was potentially exposed without any warning.

Analysts at Microsoft said in a report shared with Cyber Security News (CSN) that they identified the compromise through unusual publishing patterns on the Mastra package.

The team traced the intrusion back to Sapphire Sleet, a North Korean state-sponsored group known for targeting the finance and cryptocurrency sectors since at least March 2020.

The attack began with the takeover of the ehindero npm maintainer account, which held publish rights across the entire Mastra package scope.

The attacker then introduced a fake package called easy-day-js, built to impersonate the popular dayjs library that sees over 57 million downloads each week.

From there, every compromised Mastra package was updated to pull in easy-day-js as a new dependency, expanding the attack’s reach instantly.

End-to-end attack chain (Source – Microsoft)

What made this especially dangerous is that the malicious code ran at install time, through an npm lifecycle script, the moment a developer or build agent installed any affected package, even if the project never imported easy-day-js in its own application code.

That single design choice put developer workstations, build servers, and automated CI/CD pipelines all at risk at the same time.

North Korean Hackers Abuse Mastra npm Supply Chain

The attack followed a clever two-phase delivery strategy. First, a clean version of easy-day-js was published to establish the package as legitimate on the registry.

The next day, a weaponized version was released that added a hidden postinstall hook, a script that fires automatically whenever the package is installed.

That hook executed an obfuscated dropper script (setup.cjs), disabled TLS certificate validation for its outbound connections, and reached out to attacker-controlled servers to fetch a second-stage payload.

The payload was then launched as a silent background process, making it hard to spot during a normal development session. The second-stage implant was a fully featured tasking client capable of running arbitrary commands sent by the attackers at any time.

The obfuscated setup.cjs dropper (Source – Microsoft)

On Windows systems, the implant went further by injecting code directly into memory without writing files to disk, a technique that helps it evade many traditional security tools.

It collected installed applications, browser extensions tied to cryptocurrency wallets, and browsing history before sending everything back to the attackers.

Sapphire Sleet then delivered a separate PowerShell backdoor on high-value targets, granting persistent and elevated access to compromised machines.

Persistence, Exfiltration, and Defense Evasion

Once inside a system, the implant made itself hard to remove by installing persistence across all three major operating systems.

On Windows it used a registry Run key, on macOS a LaunchAgent, and on Linux a systemd service, all disguised under names that mimic legitimate Node.js tools to blend into a developer’s normal environment.

The backdoor added a Microsoft Defender exclusion to suppress detection and registered a service that loads a malicious file on every system boot.

It also set up a persistence loader that fetches fresh payloads from the attackers on every login, letting them silently swap out code without touching the endpoint.

Collected data was sent back under a spoofed User-Agent string imitating a legacy browser, so the traffic would not stand out to network-based security controls that key on unusual clients.

Microsoft recommends that developers review their dependency trees for any affected Mastra packages and check for easy-day-js in their lockfiles and node_modules directories.

Running npm install with the --ignore-scripts flag prevents preinstall, install and postinstall hooks from running automatically; setting ignore-scripts=true in the project or CI .npmrc makes that the default rather than something each engineer has to remember. The trade-off is that packages which legitimately need an install script (native builds, for example) must then be rebuilt explicitly. Teams should also rotate any credentials or API keys that were present on potentially exposed workstations and build agents, and block the attacker-controlled IP addresses and domains at the network perimeter.
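The triage script below is an added example written for this page; it is not Microsoft's tooling and not code from the Mastra project. It assumes an npm lockfile in v2 or v3 format (the `packages` map, in which npm marks packages carrying preinstall/install/postinstall scripts with `hasInstallScript`), and it uses a constructed sample lockfile; only the package name easy-day-js, the `$TMPDIR/.pkg_logs` artifact and its XOR 0x80 encoding come from the article's IoC table.

```javascript
'use strict';
// Added example for this page: offline triage of an npm lockfile (v2/v3)
// against the article's indicators. Not Microsoft's tooling and not Mastra
// code; the lockfile below is constructed for the demo. Only the package,
// file and encoding details come from the article's IoC table.

// Package names the article identifies as malicious.
const IOC_PACKAGES = new Set(['easy-day-js']);

// Constructed lockfile: the app depends on a Mastra package that was updated
// to pull in easy-day-js; npm marks packages with install-time lifecycle
// scripts (preinstall/install/postinstall) with hasInstallScript.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { mastra: '^1.13.1', dayjs: '^1.11.0' } },
    'node_modules/mastra': { version: '1.13.1', dependencies: { 'easy-day-js': '^1.11.22' } },
    'node_modules/easy-day-js': { version: '1.11.22', hasInstallScript: true },
    'node_modules/dayjs': { version: '1.11.13' },
  },
};

// 'node_modules/a/node_modules/@scope/b' -> '@scope/b'
function packageName(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Mirror npm's lookup: try the dependent's own node_modules, then walk up.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Flag IoC packages and anything with an install script, and report the
// shortest dependency chain from the project root so the owner can see
// which direct dependency pulled the package in.
function auditLockfile(lock) {
  const packages = lock.packages || {};
  const parent = new Map([['', null]]);
  const queue = [''];
  while (queue.length) {
    const cur = queue.shift();
    for (const dep of Object.keys((packages[cur] || {}).dependencies || {})) {
      const target = resolveDep(packages, cur, dep);
      if (target && !parent.has(target)) {
        parent.set(target, cur);
        queue.push(target);
      }
    }
  }
  const chainTo = (lockPath) => {
    const chain = [];
    for (let p = lockPath; p; p = parent.get(p)) chain.unshift(packageName(p));
    return chain;
  };
  const findings = [];
  for (const [lockPath, entry] of Object.entries(packages)) {
    if (lockPath === '') continue;
    const name = entry.name || packageName(lockPath);
    const reasons = [];
    if (IOC_PACKAGES.has(name)) reasons.push('known malicious package');
    if (entry.hasInstallScript) reasons.push('declares an install lifecycle script');
    if (reasons.length) {
      findings.push({
        name,
        version: entry.version,
        reasons,
        chain: parent.has(lockPath) ? chainTo(lockPath) : ['(not reachable from project root)'],
      });
    }
  }
  return findings;
}

// The article reports $TMPDIR/.pkg_logs holding "easy-day-js" XOR-encoded
// with 0x80. XOR with a constant is its own inverse, so one routine both
// encodes and decodes.
function xor80(bytes) {
  return Uint8Array.from(bytes, (b) => b ^ 0x80);
}

// Returns the IoC package names that appear in the decoded file contents.
function pkgLogsMentionsIoc(fileBytes) {
  const decoded = new TextDecoder().decode(xor80(fileBytes));
  return [...IOC_PACKAGES].filter((p) => decoded.includes(p));
}

// Constructed stand-in for a .pkg_logs file written by the dropper.
const SAMPLE_PKG_LOGS = xor80(new TextEncoder().encode('easy-day-js'));

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
console.log('pkg_logs IoC hits:', pkgLogsMentionsIoc(SAMPLE_PKG_LOGS));
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of package-lock.json and pass the raw bytes of `$TMPDIR/.pkg_logs` to `pkgLogsMentionsIoc`. A hit on `hasInstallScript` alone is not proof of compromise, since some legitimate packages build native code at install time; the value of the report is the dependency chain, which tells you which Mastra package to pin back or remove.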

Indicators of Compromise (IoCs):

Type | Indicator | Description
IP Address | 23.254.164.92 | Primary C2 server
IP Address | 23.254.164.123 | Secondary C2 address (from deobfuscated strings)
URL | https[:]//23[.]254[.]164[.]92:8000/update/49890878 | Payload download endpoint
Domain | teams[.]onweblive[.]org | Post-compromise PowerShell backdoor delivery domain
URL | https[:]//teams[.]onweblive[.]org/api/update/8555575039/4 | Post-compromise PowerShell backdoor download endpoint
Domain | maskasd[.]com | Post-compromise C2 beacon domain
URL | https[:]//maskasd[.]com/8555575039 | Post-compromise C2 beacon endpoint
SHA-256 | B122A9873BEDF145AE2A7FD024B5F309007DBB025149F4DC4AC3F7E4F32A36A4 | setup.cjs (malicious postinstall dropper)
SHA-256 | AE70DD4F6BC0D1C8C2848E4E6B51934626C4818DCB5AF99D080DDBD7DC337185 | easy-day-js-1.11.22.tgz (weaponized tarball)
SHA-256 | 4A8860240E4231C3A74C81949BE655A28E096A7D72F38FBE84E5B37636B98417 | easy-day-js-1.11.21.tgz (clean bait tarball)
SHA-256 | B73DE25C053C3225A077738A1FCBD9CA6966D7B3CD6F5494A30F0AA0EAE55C7E | mastra-1.13.1.tgz (compromised CLI tarball)
SHA-256 | 221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf | protocol.cjs
SHA-256 | 50eae63d3e24be9ca8803f4b5a0408aef97ee3fab7af018d8c2dde7c359edd65 | Downloader and backdoor PowerShell script
SHA-256 | 1d1bf5e8c1539d2f05b1429235b8f4990f87036774be95157b315a7803dd5526 | Second-stage PowerShell script
File Artifact | $TMPDIR/.pkg_history | Contains the install path of the compromised package
File Artifact | $TMPDIR/.pkg_logs | Contains XOR 0x80 encoded string "easy-day-js"
File Artifact | <homedir>/<random_hex>.js | Downloaded second-stage payload
npm Package | easy-day-js | Malicious typosquat of dayjs
npm Account | sergey2016 | Publisher of easy-day-js
npm Account | ehindero | Compromised publisher of 140+ Mastra packages

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

The post North Korean Hackers Abuse Mastra npm Supply Chain to Target Developers and CI/CD Pipelines appeared first on Cyber Security News.

Source: cybersecuritynews.com
