In a recent cybersecurity incident, North Korean hackers have exploited a popular developer tool, compromising over 140 software packages that are integral to global development processes. This sophisticated attack raises critical concerns regarding the security of open-source supply chains and the safety of developers worldwide.
Targeting the Mastra npm Ecosystem
The attack focused on the Mastra ecosystem within the npm registry, a crucial package manager for JavaScript applications. The attackers obtained access to a legitimate account, injecting malicious code into numerous packages simultaneously. This breach meant that any developer or automated system executing standard installation commands could unknowingly introduce harmful software.
Microsoft analysts discovered the breach through anomalous publishing patterns within the Mastra packages. They attributed the campaign to Sapphire Sleet, a North Korean group known for attacks on the financial and cryptocurrency sectors since 2020.
Execution of the Malicious Campaign
The breach began with the compromise of the ehindero npm maintainer account, which had extensive publishing rights. The attackers then crafted a counterfeit package, easy-day-js, mimicking the widely used dayjs library. This strategy expanded the attack’s reach: all compromised packages were updated to list easy-day-js as a dependency.
The attack employed a two-step delivery method. Initially, a legitimate version of easy-day-js was released, followed by a weaponized version containing a hidden postinstall hook. This hook executed an obfuscated script that bypassed security checks and connected to hacker-controlled servers to deploy a second-stage payload.
Implications and Recommendations
The malicious code’s automatic execution upon installation posed significant threats to developer workstations, build servers, and CI/CD pipelines. On Windows systems, the implant also injected code directly into memory, evading many security measures and collecting sensitive data.
To mitigate risks, Microsoft advises developers to scrutinize their dependency trees for affected Mastra packages and to look for easy-day-js in project files. Running npm install with the --ignore-scripts flag prevents postinstall hooks from executing automatically. Additionally, rotating credentials and blocking the malicious IP addresses are recommended measures.
This incident underscores the need for heightened vigilance in software supply chain security, particularly as attackers continue to refine their methods. Developers and organizations must adopt robust security practices to safeguard their systems against increasingly sophisticated threats.
