
The AI Framework That Turned Into a Crypto Stealer

  • Javier Conejo del Cerro
  • 1 day ago
  • 3 min read

A software supply chain attack has compromised one of the most prominent open-source AI development ecosystems. Attackers hijacked a legitimate Mastra maintainer account and weaponized more than 145 npm packages by introducing a malicious dependency called easy-day-js. The campaign demonstrates how a single compromised contributor can transform a trusted framework into a large-scale malware delivery platform capable of infecting developers, cloud environments, CI/CD pipelines, and AI infrastructure worldwide.


Phase 1: Compromising Trust 


The operation began with the compromise of a legitimate Mastra contributor account. Rather than modifying the framework’s source code directly, the attackers abused the contributor’s publishing privileges to inject a seemingly harmless dependency into over 145 packages.

This approach allowed the threat actors to leverage the trust already established by the Mastra ecosystem. Since the packages themselves appeared legitimate, developers installing updates had little reason to suspect malicious activity.


Phase 2: The Weaponized Dependency 


The malicious component, easy-day-js, was particularly deceptive. It initially appeared as a clean clone of the popular dayjs library, providing legitimate functionality and avoiding suspicion.

Only later was a malicious version published, transforming the package into a delivery mechanism for malware. This “clean-then-armed” strategy closely mirrors previous supply chain attacks attributed to North Korean threat actors and significantly increases the likelihood of successful compromise.


Phase 3: Installation-Time Compromise 


Once a victim installed an affected package, a hidden postinstall script automatically executed.

The script disabled TLS certificate validation, contacted attacker-controlled infrastructure, downloaded a second-stage payload, and launched it as a detached background process. To reduce forensic evidence, the loader deleted itself shortly after execution.

Because the malware activated during installation, victims could be compromised before ever using or importing the affected package.
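The behaviours listed above can be triaged statically before any package is installed. The following is an added example, not code from the article or from Mastra: it checks a package's lifecycle hooks for the four markers described in this phase. The rule names, the `triageInstallScripts` helper and the sample manifest and script are constructed for illustration.

```javascript
// Added example: static triage of npm lifecycle scripts for the behaviours
// described in Phase 3. Rule names and sample inputs are constructed.
const RULES = [
  { id: "tls-validation-disabled",
    re: /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*["']?0|rejectUnauthorized\s*:\s*false/ },
  { id: "network-fetch", re: /\bhttps?\.(get|request)\s*\(|\bfetch\s*\(/ },
  { id: "detached-child-process", re: /detached\s*:\s*true/ },
  { id: "self-deletion",
    re: /\b(unlinkSync|unlink|rmSync|rm)\s*\(\s*(__filename|process\.argv\[1\])/ },
];
const HOOKS = ["preinstall", "install", "postinstall"]; // run automatically by npm install

// manifest: parsed package.json. readScript(path): file text, or null if absent.
function triageInstallScripts(manifest, readScript) {
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (!cmd) continue;
    // Inspect the command line plus every JavaScript file it names.
    const files = cmd.match(/[\w./-]+\.[cm]?js\b/g) || [];
    const texts = [cmd, ...files.map((f) => readScript(f) || "")];
    const hits = RULES.filter((r) => texts.some((t) => r.re.test(t))).map((r) => r.id);
    const severity = hits.length >= 3 ? "high" : hits.length > 0 ? "review" : "info";
    findings.push({ hook, cmd, hits, severity });
  }
  return findings;
}

// Constructed sample: inert fragments showing the four markers, never executed.
const SAMPLE_FILES = {
  "setup.js": [
    'process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";',
    "https.get(PLACEHOLDER_URL, onResponse);",
    'spawn(process.execPath, [stagePath], { detached: true, stdio: "ignore" });',
    "fs.unlinkSync(__filename);",
  ].join("\n"),
};
const SAMPLE_MANIFEST = { name: "constructed-pkg", scripts: { postinstall: "node setup.js" } };

function demoTriage() {
  return triageInstallScripts(SAMPLE_MANIFEST, (p) => SAMPLE_FILES[p] || null);
}
console.log(JSON.stringify(demoTriage(), null, 2));
```

Installing with `npm ci --ignore-scripts` keeps lifecycle hooks from running at all, which gives time to review any package this check flags.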


Phase 4: Credential and Wallet Theft 


The final payload functioned as a sophisticated information stealer targeting high-value development environments.

The malware harvested browser histories, credentials, cloud-related information, cryptocurrency wallet data, and information from more than 160 browser-based wallet extensions. It also established persistence across Windows, Linux, and macOS systems while maintaining communication with command-and-control servers.

The threat was particularly severe because Mastra is commonly deployed in environments that store sensitive development secrets, cloud credentials, API keys, and blockchain-related assets.


Phase 5: Expanding Access


Beyond credential theft, the malware supported remote command execution and modular payload delivery.

Attackers could instruct infected systems to download and execute additional modules, potentially transforming a simple package installation into a full compromise of developer workstations, CI/CD runners, cloud infrastructure, and AI development environments.

This capability significantly increased the potential impact and allowed the campaign to evolve after initial infection.


Who Was Affected? 


The primary victims were developers and organizations using Mastra packages within AI development workflows.

Because packages such as @mastra/core receive hundreds of thousands of weekly downloads, the potential blast radius was substantial. Any workstation, build server, cloud environment, or CI/CD pipeline that installed the affected versions should be considered potentially compromised.

The nature of the targeted ecosystem also made cryptocurrency assets particularly attractive targets, explaining Microsoft’s attribution of the campaign to Sapphire Sleet, a North Korean threat group known for financially motivated operations targeting cryptocurrency platforms and blockchain technologies.


Measures to Defend Against the Attack

 

  • Immediately upgrade to clean Mastra package versions.

  • Treat all systems that installed affected releases as potentially compromised.

  • Rotate credentials, API keys, tokens, certificates, and cloud secrets.

  • Review CI/CD environments for unusual activity.

  • Audit browser extensions and cryptocurrency wallets for unauthorized access.

  • Verify package provenance and SLSA attestations before deployment.

  • Enforce MFA without token bypass exceptions.

  • Monitor dependency changes and supply chain activity.

  • Restrict installation privileges within development environments.

  • Investigate outbound connections to suspicious infrastructure.
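To decide which hosts fall under "potentially compromised", a lockfile audit shows whether easy-day-js was resolved and which package pulled it in. This is an added example, not code from the article or the Mastra project: it reads the `packages` map of a parsed package-lock.json (lockfileVersion 2 or 3). The `auditLockfile` helper, the project name and every version string in the sample are constructed placeholders.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
const PREFIX = "node_modules/";
function nameFromPath(path) {
  return path === "" ? "(root project)" : path.slice(path.lastIndexOf(PREFIX) + PREFIX.length);
}

function auditLockfile(lock, suspect) {
  const report = { installed: [], pulledInBy: [], installScripts: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    const label = `${name}@${meta.version || "unknown"}`;
    // A resolved copy of the suspect package, at any nesting depth.
    if (name === suspect) report.installed.push({ path, version: meta.version });
    // Any package (or the root project) that declares the suspect as a dependency.
    const declared = { ...meta.dependencies, ...meta.optionalDependencies, ...meta.devDependencies };
    if (Object.prototype.hasOwnProperty.call(declared, suspect)) report.pulledInBy.push(label);
    // npm records hasInstallScript for packages with lifecycle install hooks.
    if (meta.hasInstallScript) report.installScripts.push(label);
  }
  return report;
}

// Constructed lockfile excerpt; every version string is a placeholder.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-agent-app", version: "1.0.0", dependencies: { "@mastra/core": "^0.0.0" } },
    "node_modules/@mastra/core": {
      version: "0.0.0-constructed",
      dependencies: { "easy-day-js": "^0.0.0" },
    },
    "node_modules/@mastra/core/node_modules/easy-day-js": {
      version: "0.0.0-constructed",
      hasInstallScript: true,
    },
    "node_modules/dayjs": { version: "0.0.0-constructed" },
  },
};

function demoAudit() {
  return auditLockfile(SAMPLE_LOCK, "easy-day-js");
}
console.log(JSON.stringify(demoAudit(), null, 2));
```

For a real project, pass the result of `JSON.parse` on the lockfile contents; a non-empty `installed` list identifies a checkout whose installs should be investigated.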


Conclusion


The Mastra compromise highlights how modern supply chain attacks increasingly target trust rather than software vulnerabilities. By abusing a legitimate contributor account and introducing a malicious transitive dependency, the attackers transformed routine software updates into a large-scale infection mechanism.

The campaign also reinforces a growing trend observed across recent attacks against Axios, npm, PyPI, and other open-source ecosystems: threat actors are focusing on developer workflows, cloud environments, and cryptocurrency-related infrastructure where the rewards are highest. As software ecosystems become more interconnected, protecting the integrity of dependencies and enforcing provenance validation is becoming just as important as patching traditional vulnerabilities.



The Hacker News


 
 
 
