# North Korean Hackers Linked to Widespread npm Supply Chain Attack Targeting Crypto Wallets
A recent supply chain attack impacting over 140 npm packages, dubbed 'Mastra AI,' has been officially attributed by **Microsoft** to the North Korean state-sponsored hacking group **Sapphire Sleet**, also known as **BlueNoroff**. The sophisticated attack leveraged a compromised npm maintainer account to inject malicious dependencies, ultimately deploying cross-platform malware designed to steal sensitive credentials and cryptocurrency assets from developers.

**Microsoft** has formally attributed the recent **Mastra AI** supply chain attack, which compromised more than 140 npm packages, to the North Korean hacking group **Sapphire Sleet**, also known as **BlueNoroff**. This confirmation follows **Microsoft**'s initial disclosure earlier this week regarding attackers hijacking an npm maintainer account to publish malicious package updates.
"**Microsoft** assesses with high confidence that this activity is attributable to **Sapphire Sleet**, a North Korean state actor that primarily targets the financial sector," the company stated in a June 19 update.
The attack unfolded when threat actors compromised the npm maintainer account "ehindero," which held publishing privileges across the **Mastra** package environment. Utilizing this access, the attackers published malicious updates for over 140 packages within the `@mastra` scope, injecting a malicious dependency named "easy-day-js." This dependency is a typosquat of the legitimate and widely used **dayjs** JavaScript library.
Upon installation of the compromised packages, the malicious dependency executed a post-install hook. This deployed a malware dropper on developers' devices, with the ultimate goal of stealing sensitive credentials, API keys, authentication tokens, and cryptocurrency wallets.
"Once installed, *easy-day-js* triggered a postinstall hook that executed an obfuscated dropper script, disabled Transport Layer Security (TLS) certificate verification, contacted attacker-controlled command-and-control (C2) infrastructure, downloaded a second-stage payload, and executed the payload as a detached hidden process," **Microsoft** explained.
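The chain described above (a look-alike dependency that declares an install-time hook) leaves traces in a project's lockfile before anything runs. The script below is an added example, not code from the article, from Microsoft or from the Mastra project: it audits a parsed `package-lock.json` for the malicious name the article reports, for names that imitate a watched package, and for packages that carry install scripts. The sample lockfile, the `@mastra/core` entry, all versions and the `node install.js` hook are constructed for the demonstration; only the names `easy-day-js` and `dayjs` come from the article.

```javascript
'use strict';

// Added example (not from the article or the Mastra project): audit a parsed
// package-lock.json for the warning signs the article describes. All sample
// data below is constructed; only "easy-day-js" and "dayjs" come from the article.

// Dependency name the article identifies as malicious (indicator of compromise).
const KNOWN_BAD = new Set(['easy-day-js']);

// Popular packages whose names attract look-alike typosquats.
const WATCHED = ['dayjs', 'axios'];

// Lifecycle scripts npm runs automatically during install.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// "@scope/Pkg-Name" -> "pkgname": drop the scope and keep only [a-z0-9].
function normalize(name) {
  const bare = name.includes('/') ? name.split('/').pop() : name;
  return bare.toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Returns the watched package a name imitates, or null. A name that merely
// contains a watched name ("easy-day-js" -> "dayjs") counts; the watched
// name itself does not.
function lookAlikeOf(name) {
  const n = normalize(name);
  for (const w of WATCHED) {
    if (n !== w && n.includes(w)) return w;
  }
  return null;
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3). Its "packages" map
// is keyed by install path ("node_modules/dayjs"); entries carry
// hasInstallScript when the package declares an install-time script.
// manifests: optional map from the same paths to parsed package.json contents,
// so the actual hook commands can be reported.
function auditLockfile(lock, manifests = {}) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = entry.name || path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const add = (reason, detail) => findings.push({ path, name, version: entry.version, reason, detail });

    if (KNOWN_BAD.has(name)) add('known-bad', 'name listed as a malicious dependency');

    const target = lookAlikeOf(name);
    if (target) add('look-alike', `resembles ${target}`);

    const manifest = manifests[path];
    const hooks = INSTALL_HOOKS.filter((h) => manifest && manifest.scripts && manifest.scripts[h]);
    if (entry.hasInstallScript || hooks.length > 0) {
      const detail = hooks.length > 0
        ? hooks.map((h) => `${h}: ${manifest.scripts[h]}`).join('; ')
        : 'hasInstallScript=true (package.json not supplied)';
      add('install-script', detail);
    }
  }
  return findings;
}

// Constructed sample: a project pulling a hypothetical @mastra/core release
// that depends on the look-alike package. Versions and the hook are made up.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { '@mastra/core': '0.0.0-sample' } },
    'node_modules/@mastra/core': { version: '0.0.0-sample', dependencies: { 'easy-day-js': '0.0.0-sample' } },
    'node_modules/easy-day-js': { version: '0.0.0-sample', hasInstallScript: true },
    'node_modules/dayjs': { version: '0.0.0-sample' },
  },
};
const SAMPLE_MANIFESTS = {
  'node_modules/easy-day-js': { name: 'easy-day-js', scripts: { postinstall: 'node install.js' } },
};

for (const f of auditLockfile(SAMPLE_LOCK, SAMPLE_MANIFESTS)) {
  console.log(`${f.reason.padEnd(14)} ${f.path}@${f.version}  ${f.detail}`);
}
```

Run against a real project by loading `package-lock.json` with `JSON.parse` and, for each flagged path, the matching `package.json` under `node_modules`. The look-alike heuristic is deliberately loose (substring containment on a normalized name); it is meant to surface candidates for a human to check, not to block installs on its own. Pair it with `npm ci --ignore-scripts` in CI so install-time hooks cannot run before the audit has been reviewed.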
## Cross-Platform Malware Targets Crypto Wallets
The downloaded second-stage payload was a sophisticated cross-platform information stealer, designed to target **Windows**, **Linux**, and **macOS** systems. The implant collected host information, browser histories, installed applications, and running processes. Crucially, it checked for the presence of 166 cryptocurrency wallet browser extensions, including popular ones like **MetaMask**, **Phantom**, **Coinbase Wallet**, **Binance Wallet**, and **TronLink**.
The malware also employed distinct persistence methods tailored to each operating system, leveraging **Windows Registry Run** keys, **macOS LaunchAgents**, and **Linux systemd** services.
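The three persistence locations named above are all enumerable by a responder, and a common pattern across them is an entry that launches a script interpreter on a file in a user-writable directory. The script below is an added example, not from the article or Microsoft's report: it parses a LaunchAgent plist and a systemd unit, takes Run-key values as name/command pairs, and flags entries that match that pattern. Every sample entry, path, label and unit name is constructed; it reads nothing from a live system.

```javascript
'use strict';

// Added example (not from the article or Microsoft's report): triage
// autostart entries from the three persistence locations the article names.
// All input below is constructed; the paths and labels are hypothetical.

// Directories an unprivileged process can write to. A startup entry whose
// program or script lives in one of them deserves a closer look.
const WRITABLE_DIRS = [
  /\/tmp\//,
  /\/var\/tmp\//,
  /\/home\/[^/\s]+\/\.(cache|local|config)\//,
  /\/Users\/[^/\s]+\/Library\/(Caches|Application Support)\//,
  /\\AppData\\(Local\\Temp|Roaming)\\/i,
];

// A persistence entry that starts an interpreter is running a script rather
// than a signed application; on its own that is a hint, not a verdict.
const INTERPRETERS = /(^|[\\\/\s])(node|python3?|powershell|pwsh|osascript|bash|sh)(\.exe)?(\s|$)/i;

function assessCommand(command) {
  const reasons = [];
  if (WRITABLE_DIRS.some((re) => re.test(command))) reasons.push('user-writable path');
  if (INTERPRETERS.test(command)) reasons.push('script interpreter');
  return reasons;
}

// macOS: rebuild the command line from a LaunchAgent plist's ProgramArguments.
function launchAgentCommand(plistXml) {
  const m = /<key>ProgramArguments<\/key>\s*<array>([\s\S]*?)<\/array>/.exec(plistXml);
  if (!m) return null;
  return [...m[1].matchAll(/<string>([^<]*)<\/string>/g)].map((s) => s[1]).join(' ');
}

// Linux: the ExecStart line of a systemd unit file.
function systemdCommand(unitText) {
  const m = /^ExecStart=(.+)$/m.exec(unitText);
  return m ? m[1].trim() : null;
}

// entries: [{ os, source, command }] -> only the entries with at least one reason.
function triage(entries) {
  return entries
    .map((e) => ({ ...e, reasons: assessCommand(e.command) }))
    .filter((e) => e.reasons.length > 0);
}

// Constructed samples (hypothetical file names and labels).
const SAMPLE_PLIST = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/node</string><string>/Users/dev/Library/Caches/.sync/agent.js</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>`;

const SAMPLE_UNIT = `[Unit]
Description=Example sync
[Service]
ExecStart=/usr/bin/node /home/dev/.cache/.sync/agent.js
Restart=always
[Install]
WantedBy=default.target`;

const SAMPLE_RUN_KEYS = {
  VendorUpdater: 'C:\\Program Files\\ExampleVendor\\Updater.exe --background',
  SyncHelper: 'C:\\Users\\dev\\AppData\\Roaming\\.sync\\node.exe C:\\Users\\dev\\AppData\\Roaming\\.sync\\agent.js',
};

const SAMPLE_ENTRIES = [
  { os: 'macos', source: '~/Library/LaunchAgents/com.example.updater.plist', command: launchAgentCommand(SAMPLE_PLIST) },
  { os: 'linux', source: '~/.config/systemd/user/example-sync.service', command: systemdCommand(SAMPLE_UNIT) },
  ...Object.entries(SAMPLE_RUN_KEYS).map(([name, command]) => (
    { os: 'windows', source: `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\${name}`, command }
  )),
];

for (const e of triage(SAMPLE_ENTRIES)) {
  console.log(`[${e.os}] ${e.source}\n    ${e.command}\n    reasons: ${e.reasons.join(', ')}`);
}
```

The heuristics are intentionally simple so they are easy to audit; in practice the collected entries would come from `launchctl list`, `systemctl --user list-unit-files`, and the per-user and per-machine Run keys, and the flagged commands would be checked against known-good inventory before any cleanup.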

**Microsoft** reported that systems communicating with the attackers' command-and-control servers exhibited follow-on activity consistent with previous **Sapphire Sleet** tactics. This included the deployment of a **PowerShell** backdoor previously utilized by the group, additional persistence mechanisms, **Microsoft Defender** exclusions, and a malicious **Windows** service granting **SYSTEM** privileges.
"The **PowerShell** backdoor, tradecraft, and C2 infrastructure have been used by **Sapphire Sleet** in other, prior campaigns," **Microsoft** elaborated.
**Sapphire Sleet** is a well-known North Korean state-sponsored threat actor, notorious for cryptocurrency theft campaigns, malicious browser extensions, fake job offers, and software supply chain compromises aimed at stealing credentials and cryptocurrency assets. **Microsoft** also stated that the group was responsible for a separate npm supply chain attack on the **Axios** HTTP client in April 2026.