On June 17, 2026, attackers linked to North Korea’s Sapphire Sleet group (also known as BlueNoroff and APT38) stole the npm developer account belonging to the maintainer of Mastra AI, one of the most popular TypeScript AI agent frameworks. In a coordinated 19-minute window, they republished more than 140 packages from the @mastra scope, each wired to pull in a malicious typosquat dependency called “easy-day-js,” according to Tech Insider.
Two days later, Microsoft’s threat-intelligence team attributed the operation to Sapphire Sleet, as reported by BleepingComputer. It was the first documented case of a nation-state running a mass npm supply chain attack targeting an AI agent framework.
What the Payload Did
The malicious “easy-day-js” dependency disabled TLS verification, contacted command-and-control servers, and exfiltrated cryptocurrency wallets, browser passwords, and other high-value secrets from infected machines, according to Tech Insider. The attack exploited npm’s postinstall hook mechanism, which executes arbitrary code the moment a developer runs npm install.
Mastra’s packages carry the kind of trust that makes supply chain attacks devastating: developers install them and wire them directly into applications that hold API keys, cloud credentials, and LLM model access. A single compromised maintainer account gave the attackers a distribution channel into thousands of agent deployments across enterprises.
The 19-Minute Window
The speed of the operation made real-time detection extremely difficult. The attackers republished all 140+ packages within 19 minutes, a pace that suggests automated tooling and pre-staged payloads. By the time most monitoring systems would flag unusual publishing activity, the poisoned packages were already available for download.
The Mastra compromise did not happen in isolation. According to Tech Insider, it was the sixth headline-grade npm poisoning in eleven weeks, following attacks on Bitwarden’s CLI, SAP’s Cloud Application Programming packages, the TanStack ecosystem, the AntV visualization libraries, and Red Hat’s cloud-services namespace. Together, these incidents exposed hundreds of millions of weekly downloads to credential theft.
Agent Frameworks as Nation-State Targets
The attack marks a shift in targeting. Previous npm supply chain attacks hit general-purpose JavaScript packages. Sapphire Sleet specifically chose an AI agent framework, where the downstream applications are more likely to hold high-value secrets: model API keys, cloud infrastructure credentials, and access tokens for automated systems.
For teams running AI agents in production, the implications are concrete. Lock files and checksums provide some protection, but only if they were generated before the compromise. Runtime integrity verification, dependency auditing, and sandboxed agent execution environments are increasingly necessary defenses against a threat model where nation-state actors are willing to invest in rapid, coordinated attacks against the agent framework supply chain.