North Korean hackers infiltrated software used to build AI apps, Microsoft says

The recent supply chain attack on Mastra npm packages has been attributed to a financially motivated North Korean hacking group called Sapphire Sleet.

- Microsoft says the Mastra npm supply chain attack was carried out by the North Korean hacking group Sapphire Sleet.
- Attackers compromised a trusted contributor account and used it to distribute malicious updates across 141 software packages.
- The malware searched developers' devices for cryptocurrency wallet data, browser extensions and login credentials.
- Sapphire Sleet is a financially motivated North Korean group known for targeting cryptocurrency, blockchain and financial organizations.
Last week, several cybersecurity firms analyzed a supply chain attack on Mastra npm packages, which are used as building blocks for developers who create AI applications using the Mastra framework.
It all began when an attacker took control of the account of Mastra contributor “ehindero,” who had publishing privileges across the Mastra package ecosystem. The hijacked account was used to push updates containing malicious software to 141 npm packages.
The malware was designed to search developers’ computers for sensitive information, such as cryptocurrency wallet data, browser extensions, and files containing login credentials.
Because the updates were published from a trusted account, they were installed without review, and the malware spread quickly.
Cybersecurity firms recommended that developers downgrade to older versions of the packages to protect their devices.
Until now, it had not been disclosed who was responsible for the supply chain attack. In a recent update, however, Microsoft says that Sapphire Sleet was behind it.
“The infrastructure and post-compromise TTPs [tactics, techniques, and procedures, ed.] observed in this campaign are consistent with previously documented Sapphire Sleet activity. Sapphire Sleet also conducted a separate npm supply chain compromise affecting Axios, a popular JavaScript HTTP client, in April 2026,” Microsoft explains.
Sapphire Sleet is a North Korean hacking group that has been active since March 2020. The gang primarily focuses on the finance sector, including cryptocurrency, venture capital, and blockchain organizations.
The group is particularly interested in financial institutions in the United States, but also targets organizations in Asia and the Middle East. Its primary goal is to steal money, generating revenue for the authoritarian regime of North Korea, and to steal intellectual property related to cryptocurrency trading and blockchain platforms.
According to Microsoft, Sapphire Sleet actively approaches victims via social networking sites like LinkedIn to trick them into downloading malicious files. The gang also uses fake websites that imitate those of banks, cryptocurrency services, and video conferencing platforms to make its scam appear legitimate.
Sapphire Sleet is also known by different monikers, including UNC1069, STARDUST CHOLLIMA, Alluring Pisces, BlueNoroff, CageyChameleon, and CryptoCore.