Dispatch
Microsoft Attributes the 144-Package @mastra npm Worm to North Korea's Sapphire Sleet — Malware Poisons Claude Code, Cursor and Gemini IDE Configs
New detail on the 88-minute @mastra supply-chain attack: Microsoft Threat Intelligence has attributed it with high confidence to Sapphire Sleet (BlueNoroff/APT38), the same North Korean actor behind the earlier Axios HTTP-client compromise. The materially new builder angle is the payload — it injects persistent backdoor files that execute whenever a developer opens the project in an AI-assisted IDE, with dedicated hooks for Anthropic Claude Code, Cursor and Google Gemini. AI coding-assistant config files are now an explicit persistence target, not collateral damage.
Source
↳ Follow the thread