I installed a package without checking the dependency tree. Most developers do. That complacency is exactly what North Korean hackers exploited.
On June 17, 2026, attackers compromised the ehindero npm account and injected a dependency on easy-day-js into 144 Mastra AI packages. Microsoft’s Threat Intelligence team attributed the attack to Sapphire Sleet, a North Korean state-sponsored group. The malicious typosquat of the legitimate dayjs library ran a postinstall script that executed the moment anyone installed or updated an affected package.
The timing was deliberate. On June 16, the attacker published a clean easy-day-js@1.11.21 containing only legitimate dayjs code. Twenty hours later, they pushed 1.11.22 with an obfuscated 4,572-byte dropper. The postinstall hook ran node setup.cjs automatically. The dropper disabled TLS verification, dropped filesystem markers, and contacted attacker command-and-control servers.
On systems where the attackers already held access, the payload escalated further. It delivered a PowerShell backdoor, added persistence, configured Microsoft Defender exclusions, and installed a SYSTEM-context service implant. The attack required no user interaction beyond a single npm install.
Mastra is an AI framework used to build agents, workflows, and retrieval-augmented generation pipelines. The developers using it often handle production data, API keys, and customer environments. By compromising 144 packages at once, the attackers didn’t just hit one team. They hit every project depending on any version in that scope.
The attack chain reveals exactly how npm’s trust model breaks down. The compromised ehindero account held publish rights across the entire Mastra ecosystem. With that access, the attacker mass-poisoned all packages in one sweep. SemVer ranges like ^1.11.21 automatically resolved to the weaponized version.
Microsoft notes Sapphire Sleet previously compromised the axios npm package in April 2026. The pattern repeats: target widely used JavaScript libraries, use postinstall hooks for silent execution, harvest credentials. The group focuses on the financial sector, according to Microsoft’s assessment.
What should you do if you used any @mastra/* package between June 16 and June 20? First, audit your package-lock.json, yarn.lock, or pnpm-lock.yaml for easy-day-js@1.11.21 or 1.11.22. Second, rotate every secret, API key, and token stored on affected machines or CI/CD runners. Third, scan for unexpected processes or outbound connections from your build environments.
This incident exposes a larger problem. AI development has accelerated open source consumption. Teams adopt frameworks like Mastra without applying the same supply chain scrutiny they’d use for production infrastructure. The dependency tree is only as strong as its weakest maintainer account. Until npm enforces multi-factor authentication, hardware keys, or signed packages by default, these attacks will keep working.
Practical steps right now: lock your dependency versions, review every new entry in lock files before building, and enable audit tools like npm audit or Socket.dev in your CI pipeline. If you maintain popular packages, require hardware security keys for publishing. These measures take minutes to implement and hours to regret ignoring.
A single compromised maintainer account with publish rights to 144 packages is all it takes to turn every downstream build into an attack surface. If your CI pipeline runs npm install against the internet without verification, you are trusting strangers with your keys.
