North Korean state-sponsored hackers, identified as Sapphire Sleet, have been implicated in a significant attack on the Mastra open source framework, targeting over 140 NPM packages last week. According to Microsoft, the breach compromised software components used extensively by developers.
Understanding the Mastra Framework
Mastra is a TypeScript framework for building AI agents, workflows, and RAG pipelines. It integrates with leading large language model providers, MCP servers, and cloud services, making it a widely used tool for developers.
The attack unfolded on June 17, when the hackers released 141 packages, each containing a malicious dependency named easy-day-js, which mimicked the legitimate dayjs date library. This tactic, known as typosquatting, was used to deceive developers and infiltrate systems.
The Impact of the Attack
The affected packages account for around 8 million downloads per week, which greatly widened the potential reach of the malicious code. Developers who installed any Mastra packages on June 17 are urged to check their systems for signs of compromise.
The attackers initially took control of the ‘ehindero’ NPM maintainer account, which allowed them to inject the malicious dependency across the Mastra ecosystem. Prior to this, they had released a clean version of easy-day-js from another account, ‘sergey2016’, a day before the account takeover.
Technical Details and Mitigation Measures
The compromised packages included an obfuscated postinstall script that retrieved a second-stage payload from the attackers’ servers and executed it silently on the installing machine. The payload ran on Windows, macOS, and Linux, masqueraded as Node-related tooling, collected system data, and targeted cryptocurrency browser extensions.
Microsoft attributes this attack to Sapphire Sleet, a financially motivated group also known as BlueNoroff or CageyChameleon, previously linked to similar attacks such as the Axios breach. Developers are advised to remove affected package versions, sweep their systems for malware, and enhance security around their crypto-assets.
Cybersecurity entities like Aikido, Ox, Socket, and others have published insights into this breach, offering guidance on identifying and mitigating the threat. As the software industry grapples with these challenges, understanding and addressing vulnerabilities remains paramount.
