Threat actor: DPRK Sapphire Sleet escalates npm supply-chain attacks with the Mastra compromise
From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22
Microsoft attributed the Mastra npm scope compromise — first covered as an unattributed supply-chain event on 2026-06-18 — to Sapphire Sleet (BlueNoroff / UNC1069), making it the actor's second major npm strike of 2026 after the April Axios attack (Microsoft Security, 2026-06-17; BleepingComputer, 2026-06-18; daily 06-21). The operators compromised a maintainer account whose scope access was never revoked and published 140+ malicious @mastra packages within a ~20-minute window, using an easy-day-js typosquat of dayjs to run a postinstall dropper with cross-platform persistence (Registry Run key, macOS LaunchAgent, Linux systemd unit) that exfiltrated browser-wallet extensions, cloud credentials, LLM API keys, CI/CD tokens and SSH keys. The recurrence establishes a clear DPRK pattern of targeting the AI developer toolchain's supply chain specifically — the same surface § 6's first item flags. Run npm install --ignore-scripts in CI, pin lockfile versions, and rotate credentials on any host that pulled @mastra packages in the days before the 17 June disclosure.
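The triage steps at the end of the item (find hosts that pulled @mastra packages, confirm install scripts are suppressed in CI) can be partly automated from the lockfile. The following Python helper is an added example, not code from the brief or from Microsoft, BleepingComputer or the Mastra project: it reads an npm package-lock.json (lockfileVersion 2 or 3), lists every package from the @mastra scope or named easy-day-js (the two indicators the text gives; the watch sets are easy to extend), lists every package that carries npm's hasInstallScript flag (the packages whose lifecycle scripts npm install --ignore-scripts would suppress), and checks whether an .npmrc actually sets ignore-scripts=true. The sample lockfile and .npmrc strings are constructed for the example; the package names and versions in them are not real releases.

```python
"""Lockfile triage for the @mastra / easy-day-js indicators (added example).

Parses an npm package-lock.json (lockfileVersion 2 or 3), reports packages
matching the watched scope/names, and reports packages that declare an
install script (npm records these as "hasInstallScript": true).
"""
import json
import re
import sys
from typing import Dict, List, Optional

# Indicators taken from the brief: the compromised @mastra scope and the
# easy-day-js typosquat of dayjs. Extend these sets as new IoCs are published.
WATCHED_SCOPES = {"@mastra"}
WATCHED_NAMES = {"easy-day-js"}


def package_name_from_path(path: str) -> str:
    """Map a lockfile 'packages' key to a package name.

    Keys are install paths, e.g. 'node_modules/a/node_modules/@s/b' -> '@s/b'.
    The root project entry has the key '' and maps to ''.
    """
    return path.rsplit("node_modules/", 1)[-1] if path else ""


def scope_of(name: str) -> Optional[str]:
    """'@mastra/core' -> '@mastra'; unscoped names -> None."""
    return name.split("/", 1)[0] if name.startswith("@") else None


def scan_lockfile(lock: dict) -> Dict[str, List[dict]]:
    """Return {'watched': [...], 'install_scripts': [...]} for a parsed lockfile.

    Each entry is {'name', 'version', 'path'}; order follows the lockfile.
    """
    packages = lock.get("packages")
    if packages is None:
        # lockfileVersion 1 only has a nested 'dependencies' tree.
        raise ValueError("no 'packages' map: regenerate the lockfile with npm >= 7")
    watched: List[dict] = []
    install_scripts: List[dict] = []
    for path, meta in packages.items():
        name = package_name_from_path(path)
        if not name:
            continue  # root project entry, not a dependency
        entry = {"name": name, "version": meta.get("version"), "path": path}
        if scope_of(name) in WATCHED_SCOPES or name in WATCHED_NAMES:
            watched.append(entry)
        if meta.get("hasInstallScript"):
            install_scripts.append(entry)
    return {"watched": watched, "install_scripts": install_scripts}


def npmrc_ignores_scripts(npmrc_text: str) -> bool:
    """True if the .npmrc text sets ignore-scripts=true.

    npm's ini format allows '#' and ';' comments; a commented-out line does
    not count, which is exactly the misconfiguration this check catches.
    """
    for raw in npmrc_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.fullmatch(r"ignore-scripts\s*=\s*(\S+)", line)
        if m:
            return m.group(1).lower() == "true"
    return False


# Constructed sample lockfile for the example (not a real project): one
# @mastra package, the typosquat nested beneath it, the legitimate dayjs,
# and an unrelated package that also runs an install script.
SAMPLE_LOCK = json.loads("""{
  "name": "sample-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app", "dependencies": {"@mastra/core": "^0.0.0"}},
    "node_modules/@mastra/core": {"version": "0.0.0-constructed", "hasInstallScript": true},
    "node_modules/@mastra/core/node_modules/easy-day-js": {"version": "1.0.0-constructed", "hasInstallScript": true},
    "node_modules/dayjs": {"version": "1.11.0"},
    "node_modules/esbuild": {"version": "0.21.0", "hasInstallScript": true}
  }
}""")

SAMPLE_NPMRC_BAD = "# ignore-scripts=true\nregistry=https://registry.npmjs.org/\n"  # commented out
SAMPLE_NPMRC_GOOD = "ignore-scripts=true\n"


def main(argv: List[str]) -> int:
    """Usage: python triage.py [package-lock.json [.npmrc]]; defaults to the samples."""
    lock = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_LOCK
    npmrc = open(argv[2]).read() if len(argv) > 2 else SAMPLE_NPMRC_BAD
    result = scan_lockfile(lock)
    for entry in result["watched"]:
        print(f"WATCHED  {entry['name']}@{entry['version']}  ({entry['path']})")
    for entry in result["install_scripts"]:
        print(f"SCRIPT   {entry['name']}@{entry['version']} declares an install script")
    print("ignore-scripts in .npmrc:", "yes" if npmrc_ignores_scripts(npmrc) else "NO")
    # Non-zero exit when a watched package is present, so CI can fail the job
    # and the host can be queued for credential rotation.
    return 1 if result["watched"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A lockfile scan shows whether the watched packages are present, not when they were installed, so for the "days before 17 June" window pair it with host evidence such as the install timestamps of the node_modules directories or CI job logs before deciding which credentials to rotate. A package with hasInstallScript is not malicious by itself (build tools legitimately use install hooks); the list is there to show what --ignore-scripts would have blocked and to keep the exception list explicit.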