North Korean state-sponsored hackers have carried out a supply chain attack against the Mastra ecosystem on the npm registry, the default package repository for JavaScript. The breach involved injecting malicious code into over 140 packages, exposing developers and continuous integration/continuous deployment (CI/CD) pipelines worldwide.
The attackers gained access to the ‘ehindero’ npm maintainer account, which had publishing rights across the entire Mastra package scope. They introduced a counterfeit package named ‘easy-day-js,’ designed to mimic the popular ‘dayjs’ library, which boasts over 57 million weekly downloads. Subsequently, all compromised Mastra packages were updated to include ‘easy-day-js’ as a dependency, thereby expanding the attack’s reach.
Because the malicious code was wired into an npm install-time lifecycle script, it ran as soon as any affected package was installed, whether or not the developer ever imported that package in application code. This is standard npm behaviour rather than a flaw specific to Mastra: preinstall, install and postinstall scripts execute with the installing user's privileges, which is why developer workstations, build servers and automated CI/CD pipelines were all exposed.
The attack unfolded in two phases. A clean version of ‘easy-day-js’ was published first to establish a benign history. The following day a weaponized version was released with a concealed post-installation script. That script launched an obfuscated dropper, disabled TLS certificate validation on its outbound connections, and contacted attacker-controlled servers to retrieve a second-stage payload. The payload ran silently in the background, so nothing visible during routine development work gave it away.
On Windows systems, the implant used in-memory code injection, which keeps the payload off disk where file-based scanners would otherwise see it. It collected data on installed applications, browser extensions associated with cryptocurrency wallets, and browsing history, and transmitted this information back to the attackers. The group, tracked as Sapphire Sleet, has been active since at least March 2020 and primarily targets the finance and cryptocurrency sectors.
This incident underscores the need for developers and organizations to exercise heightened vigilance when integrating third-party packages. Concretely, that means auditing dependencies for install-time scripts and for names that imitate popular libraries, watching for unusual publishing patterns such as a new dependency appearing across an entire package scope within a day, installing from a committed lockfile rather than resolving versions on every build, and disabling lifecycle scripts by default where a project does not need them.