
UPDATE: Mastra npm scope compromise attributed to North Korea, with the access vector our deep dive could not name

From CTI Daily Brief — 2026-06-21 · published 2026-06-21

UPDATE (originally covered 2026-06-18): The deep dive on 2026-06-18 documented the easy-day-js poisoning of 140+ @mastra packages but noted the cited primaries did not disclose how the publishing account was obtained, and made no attribution. Microsoft Threat Intelligence has now closed both gaps: it attributes the operation to North Korea's Sapphire Sleet (BlueNoroff / UNC1069) and states the access vector was a dormant former-contributor npm account (ehindero) whose publish rights across the entire @mastra scope were never revoked (BleepingComputer, 2026-06-20).

Microsoft's analysis details the post-install chain: easy-day-js disables TLS verification, pulls a cross-platform Node.js implant that enumerates 166 cryptocurrency-wallet browser extensions and steals browser profiles, then establishes a scdev svchost service running as SYSTEM for boot persistence (Microsoft Threat Intelligence, 2026-06-17). Snyk independently confirms the dormant-account root cause and notes that npm does not expire scope-publish permissions on inactivity (Snyk, 2026-06-16). The defender action therefore shifts from "remove easy-day-js" to a structural control: audit your own private-registry and package-scope ACLs for dormant accounts that still hold publish rights, revoke those rights, and require 2FA on publish together with expiring publish tokens, so that a stale credential on its own cannot push a release. Microsoft notes this is Sapphire Sleet's second npm scope takeover of 2026 (after Axios in April): a systematic hunt for dormant high-privilege accounts, not a one-off.