Agents
North Korea's Sapphire Sleet backdoors 144 Mastra agent-framework npm packages in 88 minutes
On June 17, 2026 an attacker compromised the @mastra npm organization via a former contributor's still-active scope access and added 'easy-day-js' — a typosquat of dayjs — as a dependency across 140+ packages, mass-publishing 144 malicious versions inside an 88-minute window. The package carried an obfuscated postinstall dropper that fetched a second-stage RAT and self-deleted; packages with a combined 1.1M+ weekly downloads were exposed. Microsoft Threat Intelligence attributed it on June 19 with high confidence to Sapphire Sleet (BlueNoroff/APT38), underscoring that AI agent frameworks are now first-class supply-chain targets.
Source
↳ Follow the thread