
NORTH Korean hackers have compromised the Mastra open‑source AI framework by flooding the npm registry with more than 140 tainted packages, putting millions of developers at risk. Microsoft detailed the compromise in a blog post.
The attackers slipped a malicious dependency named easy-day-js into the compromised packages. During installation, its postinstall script disables TLS certificate verification and reaches out to a command‑and‑control server to deliver malware that harvests credentials from cryptocurrency wallet browser extensions.
The malicious versions were published after the threat actors gained control of a legitimate Mastra maintainer account. The affected packages collectively recorded roughly eight million weekly downloads, yet no CVE identifiers have been assigned to the flaw.
Microsoft attributes the intrusion to the North Korean group tracked as STARDUST CHOLLIMA, also known as Sapphire Sleet. Activity was first observed on 22 June 2026, with the malicious packages targeting developer workstations running Windows, macOS or Linux.
The incident underlines how a single compromised maintainer account can turn a widely used open‑source project into a vehicle for large-scale theft. It serves as a reminder that trust in public registries must be continuously verified.
Defenders should audit their npm lockfiles for any occurrence of easy-day-js and remove the offending versions immediately. They should also rotate any credentials stored in browser‑based crypto wallets and monitor outbound traffic for connections to unknown endpoints. Finally, enforcing strict provenance checks on maintainer accounts can help prevent similar hijacks in the future.
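One way to carry out the lockfile audit described above, as an added example rather than code from the article or from Microsoft's post: a Node.js script that parses a package-lock.json (lockfileVersion 2 or 3), reports every copy of the flagged package and which packages pull it in, lists every package npm has marked with hasInstallScript (the packages that get to run install-time hooks such as postinstall), and reviews a package manifest's install hooks for settings that turn off TLS verification. The sample lockfile and manifest are constructed, the version strings are placeholders, and the TLS-disabling patterns are assumed indicators for review, since the article does not say how the postinstall script disables verification.

```javascript
'use strict';

// Package name called out in the report.
const FLAGGED_PACKAGE = 'easy-day-js';

// Lifecycle hooks npm runs automatically during installation.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Assumed indicators that a script disables TLS certificate checks in Node/npm.
// The report does not state the mechanism; these are patterns worth reviewing.
const TLS_DISABLE_PATTERNS = [
  /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0/,
  /rejectUnauthorized\s*:\s*false/,
  /strict-ssl\s*(=|\s)\s*false/,
];

// Package name from a lockfile "packages" key such as
// "node_modules/@scope/name" or "node_modules/a/node_modules/b".
function nameFromPath(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Merge every dependency map a lockfile package record can carry.
function declaredDeps(record) {
  return Object.assign({}, record.dependencies, record.optionalDependencies, record.peerDependencies);
}

// Every installed copy of `name`, with its version and install-script flag.
function findPackage(lock, name) {
  const hits = [];
  for (const [p, rec] of Object.entries(lock.packages)) {
    if (p !== '' && nameFromPath(p) === name) {
      hits.push({ path: p, version: rec.version, hasInstallScript: rec.hasInstallScript === true });
    }
  }
  return hits;
}

// Packages (or the root project) that declare `name` as a dependency.
function findDependents(lock, name) {
  const dependents = [];
  for (const [p, rec] of Object.entries(lock.packages)) {
    if (Object.prototype.hasOwnProperty.call(declaredDeps(rec), name)) {
      dependents.push(p === '' ? '(root project)' : nameFromPath(p));
    }
  }
  return dependents;
}

// npm records hasInstallScript for packages with preinstall/install/postinstall hooks.
function packagesWithInstallScripts(lock) {
  return Object.entries(lock.packages)
    .filter(([p, rec]) => p !== '' && rec.hasInstallScript === true)
    .map(([p, rec]) => ({ name: nameFromPath(p), version: rec.version }));
}

// Given a package.json object, list its install hooks and which of them
// match a TLS-disabling pattern.
function reviewManifestScripts(manifest) {
  const scripts = manifest.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
  const tlsDisablingHooks = hooks.filter((h) => TLS_DISABLE_PATTERNS.some((re) => re.test(scripts[h])));
  return { installHooks: hooks, tlsDisablingHooks };
}

// Full audit of a lockfile's JSON text for one flagged package.
function auditLockfile(lockText, flagged = FLAGGED_PACKAGE) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) throw new Error('only lockfileVersion 2 or 3 is supported');
  return {
    flaggedHits: findPackage(lock, flagged),
    dependents: findDependents(lock, flagged),
    installScriptPackages: packagesWithInstallScripts(lock),
  };
}

// Constructed sample lockfile: not a real project's lockfile, versions are placeholders.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { '@mastra/core': '0.0.0-placeholder' } },
    'node_modules/@mastra/core': { version: '0.0.0-placeholder', dependencies: { 'easy-day-js': '0.0.0-placeholder' } },
    'node_modules/easy-day-js': { version: '0.0.0-placeholder', hasInstallScript: true },
    'node_modules/some-other-lib': { version: '0.0.0-placeholder' },
  },
});

// Constructed manifest whose postinstall hook disables certificate checks (assumed pattern).
const SAMPLE_MANIFEST = {
  name: 'easy-day-js',
  scripts: { postinstall: 'NODE_TLS_REJECT_UNAUTHORIZED=0 node setup.js' },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
console.log(reviewManifestScripts(SAMPLE_MANIFEST));
```

To run it against a real project, replace SAMPLE_LOCK with the contents of its package-lock.json; the dependents list shows which direct dependency needs to be pinned or removed, and the install-script list is the set of packages whose hooks deserve a manual read before the next install.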