From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet
2026-06-17 • Microsoft
Sapphire Sleet compromised the Mastra npm ecosystem by taking over the `ehindero` maintainer account and injecting the malicious `easy-day-js` typosquat into more than 140 `mastra` and `@mastra` packages. The weaponized package ran a postinstall dropper that disabled TLS validation, contacted C2 infrastructure, downloaded a cross-platform Node.js tasking client, and established persistence on Windows, macOS, and Linux. On selected Windows hosts, the actor delivered a PowerShell backdoor, performed host and wallet-extension reconnaissance, added Defender exclusions, and installed a SYSTEM-level `scdev` service for boot persistence. Microsoft assesses the activity with high confidence as Sapphire Sleet, a North Korean actor focused on cryptocurrency, blockchain, venture capital, and other financial targets.
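A lockfile check for exposure to the injected dependency described above. This is an added example, not code from Microsoft or the Mastra project. It assumes an npm `package-lock.json` in lockfile version 2 or 3 (a `packages` map with `hasInstallScript` flags); the sample lockfile, its versions, and `example-lib` are constructed.

```javascript
// Package name taken from the report; everything in SAMPLE_LOCK is constructed.
const SUSPECT = "easy-day-js";

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" -> ""
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// Returns every installed copy of the suspect package and every package that declares it.
function findSuspect(lock, suspect = SUSPECT) {
  const installed = [];
  const requiredBy = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (packageNameFromKey(key) === suspect) {
      // hasInstallScript marks packages whose install/postinstall hooks npm would run
      installed.push({ path: key, version: meta.version,
                       hasInstallScript: meta.hasInstallScript === true });
    }
    for (const field of ["dependencies", "optionalDependencies", "peerDependencies"]) {
      const deps = meta[field];
      if (deps && Object.prototype.hasOwnProperty.call(deps, suspect)) {
        requiredBy.push({ parent: packageNameFromKey(key) || "(root project)",
                          field, range: deps[suspect] });
      }
    }
  }
  return { installed, requiredBy };
}

// Constructed lockfile: two parents pull in the suspect, one copy is nested.
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@mastra/core": "*", "example-lib": "*" } },
    "node_modules/@mastra/core": { version: "0.0.0", dependencies: { "easy-day-js": "*" } },
    "node_modules/example-lib": { version: "0.0.0" },
    "node_modules/easy-day-js": { version: "0.0.0", hasInstallScript: true },
    "node_modules/mastra": { version: "0.0.0", dependencies: { "easy-day-js": "*" } },
    "node_modules/mastra/node_modules/easy-day-js": { version: "0.0.0", hasInstallScript: true },
  },
};

console.log(JSON.stringify(findSuspect(SAMPLE_LOCK), null, 2));
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findSuspect`. Any `installed` entry with `hasInstallScript: true` means the package's install hooks ran on every machine that installed from that lockfile without `--ignore-scripts`.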
Indicators of Compromise