Mastra npm scope compromise attributed to North Korea, with the access vector our deep dive could not name
Part of run 2026-06-21-2b75e32c (intel · Claude Opus 4.8)
UPDATE — originally covered Mastra npm supply-chain compromise (easy-day-js) (2026-06-18)
The deep dive on 2026-06-18 documented the easy-day-js poisoning of 140+ @mastra packages but noted that the cited primaries did not disclose how the publishing account was obtained, and made no attribution. Microsoft Threat Intelligence has now closed both gaps: it attributes the operation to North Korea's Sapphire Sleet (BlueNoroff / UNC1069) and states that the access vector was a dormant former-contributor npm account (ehindero) whose publish rights across the entire @mastra scope were never revoked (BleepingComputer, 2026-06-20).
Microsoft's analysis details the post-install chain — easy-day-js disables TLS verification, pulls a cross-platform Node.js implant that enumerates 166 cryptocurrency-wallet browser extensions and steals browser profiles, then establishes a scdev svchost service running as SYSTEM for boot persistence (Microsoft Threat Intelligence, 2026-06-17). Snyk independently confirms the dormant-account root cause and notes that npm does not expire scope-publish permissions on inactivity (Snyk, 2026-06-16).

The defender action shifts from "remove easy-day-js" to a structural control: audit your own private-registry and package-scope ACLs for dormant accounts with retained publish rights, and enforce time-bound or MFA-gated publish tokens. Microsoft notes this is Sapphire Sleet's second npm scope-takeover of 2026 (after Axios in April) — a systematised dormant-high-privilege-account hunt, not a one-off.
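As an added example (not code from this brief, nor from Mastra, Microsoft or Snyk), the audit the brief recommends, written as a small Node.js script: it takes a scope's collaborator list, flags every read-write account that is either off the current maintainer roster or idle past a threshold, and then inventories publish tokens that have no expiry, bypass 2FA, or belong to an account already flagged for revocation. The permission names "read-write" and "read-only" are npm's own; everything else (the account names, dates, the last-activity source and the token record shape) is a constructed assumption, and in practice the ACL would come from `npm access list collaborators` and the activity dates from your registry's publish metadata or SSO logs.

```javascript
// Added example (not from the brief or from Microsoft/Snyk/Mastra): audit an
// npm scope's collaborator list for dormant accounts that still hold publish
// rights, and inventory publish tokens that are not time-bound or MFA-gated.
// All data below is constructed; the field names are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample: who can write to the scope. npm expresses package
// access as "read-write" (can publish) or "read-only".
const SCOPE_ACL = [
  { user: "maintainer-a", permission: "read-write" },
  { user: "former-contractor", permission: "read-write" }, // left the project, never revoked
  { user: "doc-writer", permission: "read-only" },
  { user: "maintainer-b", permission: "read-write" },
];

// Constructed sample: last observed publish or login per account (ISO dates).
// npm does not expose last-login, so derive this from per-version publish
// metadata or your SSO logs (assumption about the data source).
const LAST_ACTIVITY = {
  "maintainer-a": "2026-06-10",
  "former-contractor": "2025-02-01",
  "doc-writer": "2024-11-20",
  "maintainer-b": "2025-12-15",
};

// Constructed: the people who should currently be able to publish.
const CURRENT_MAINTAINERS = new Set(["maintainer-a", "maintainer-b"]);

function daysBetween(laterIso, earlierIso) {
  return Math.floor((Date.parse(laterIso) - Date.parse(earlierIso)) / DAY_MS);
}

// Returns one finding per read-write account that is either off the roster
// (action "revoke") or idle longer than maxIdleDays (action "review").
// An account with no recorded activity is treated as infinitely idle.
function findDormantPublishers(acl, activity, roster, nowIso, maxIdleDays = 90) {
  const findings = [];
  for (const { user, permission } of acl) {
    if (permission !== "read-write") continue; // read-only cannot poison packages
    const last = activity[user];
    const idleDays = last === undefined ? Infinity : daysBetween(nowIso, last);
    if (!roster.has(user)) {
      findings.push({ user, action: "revoke", reason: "not on maintainer roster", idleDays });
    } else if (idleDays > maxIdleDays) {
      findings.push({ user, action: "review", reason: `idle ${idleDays} days`, idleDays });
    }
  }
  return findings;
}

// Constructed sample of publish tokens. Field names are assumptions modelled
// on granular tokens that carry an expiry and an optional 2FA-bypass flag.
const PUBLISH_TOKENS = [
  { id: "ci-release", owner: "maintainer-a", expiresAt: "2026-09-01", bypass2fa: false },
  { id: "legacy-deploy", owner: "former-contractor", expiresAt: null, bypass2fa: true },
  { id: "nightly", owner: "maintainer-b", expiresAt: "2026-07-01", bypass2fa: true },
];

// Flags tokens with no expiry, with 2FA bypass, or owned by an account that
// the ACL audit says should be revoked.
function findRiskyTokens(tokens, dormantFindings) {
  const revoked = new Set(dormantFindings.filter(f => f.action === "revoke").map(f => f.user));
  return tokens.flatMap(t => {
    const reasons = [];
    if (t.expiresAt === null) reasons.push("no expiry");
    if (t.bypass2fa) reasons.push("bypasses 2FA");
    if (revoked.has(t.owner)) reasons.push("owner flagged for revocation");
    return reasons.length ? [{ id: t.id, owner: t.owner, reasons }] : [];
  });
}

// Runs both checks against the constructed data as of a given date.
function runAudit(nowIso = "2026-06-21") {
  const dormant = findDormantPublishers(SCOPE_ACL, LAST_ACTIVITY, CURRENT_MAINTAINERS, nowIso);
  const tokens = findRiskyTokens(PUBLISH_TOKENS, dormant);
  return { dormant, tokens };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

The roster check is the one that would have caught the case described above: an account that no longer belongs to the project is flagged for revocation regardless of how recently it was used, while the idle threshold catches accounts that are still legitimate but have not exercised their publish right in months. Run it periodically from CI rather than once, since the control is about ACL drift over time.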
Update chain
- updates Mastra npm supply-chain compromise (easy-day-js) 2026-06-18