Sapphire Sleet (North Korean APT BlueNoroff) Hijacked Mastra npm Scope and Republished 142 Packages Injecting easy-day-js RAT Over 88 Minutes
Attacker hijacked a forgotten Mastra contributor account with npm publish access. Over 88 minutes, republished 142 packages injecting easy-day-js RAT (typosquat of dayjs). Clean in v1 to build trust, second-stage RAT in later version. 1.1M weekly downloads. Sapphire Sleet (North Korean APT BlueNoroff) attribution.
Mastra
Credential exposure
npm scope takeover: hijacked contributor account used to inject RAT into AI framework packages
Developer machines / Mastra AI framework users / 1.1M weekly downloads
What happened
Sapphire Sleet hijacked a forgotten contributor account that still held publish access to the @mastra npm scope. Over 88 minutes, 142 packages were republished with the easy-day-js RAT injected. A clean v1 built false trust before the RAT payload was introduced in later versions.
Why it matters
142 Mastra AI framework packages compromised. 1.1M weekly downloads potentially exposed to easy-day-js RAT. AI developers building with Mastra received trojanized packages. RAT payload enabled persistent access to developer machines. Sapphire Sleet targeting pattern: cryptocurrency theft from developer environments.
Missing authorization check
npm scope publish access must be reviewed periodically and revoked for contributors who are no longer active. Multi-person authorization should be required for publishing new versions of high-impact packages (1M+ weekly downloads).
Would PP block it?
If the RAT's consequential actions (credential reads, network exfiltration, persistence installation) required PP receipts, the North Korean APT's toolkit would face authorization gates before accessing developer credentials or cryptocurrency wallets.
Incident analysis
Timeline and technical read
Timeline
2026-06-16
Sapphire Sleet hijacks a forgotten @mastra contributor account. Republishing campaign starts: 142 packages republished over 88 minutes with the easy-day-js RAT injected.
2026-06-16
First republished versions appear clean (trust-building). Later versions contain the second-stage easy-day-js RAT payload.
2026-06-17
Campaign detected. Compromised packages taken down from npm. Sapphire Sleet (BlueNoroff) attribution confirmed by threat intelligence vendors.
Technical breakdown
Sapphire Sleet identified a forgotten Mastra contributor account with active npm @mastra scope publish access.
Over 88 minutes: 142 packages republished systematically with easy-day-js RAT injected as a dependency typosquat of the popular dayjs library.
First version clean: building trust and bypassing security tooling that checks for new malicious packages.
Second-stage delivery: RAT payload in later version activates after the trusted first version has been downloaded and the pattern established.
Easy-day-js RAT: persistent access tool targeting developer credential stores and cryptocurrency wallet data — consistent with Sapphire Sleet's financial theft mission.
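The "clean first version, typosquat dependency added later" pattern above is something a release audit can catch mechanically. The following is an added example, not code from the original report or from the Mastra project: it diffs the dependency set of two consecutive manifests of one package and flags any newly added dependency whose name imitates a well-known library. The allowlist of well-known names, the filler-token list and the sample manifests are all constructed assumptions.

```javascript
// Added example (not the original report's or Mastra's code): flag dependencies newly added
// between two manifests of one package whose names imitate a well-known library.
const KNOWN_POPULAR = ['dayjs', 'lodash', 'axios', 'express', 'react']; // assumed allowlist
const FILLER = new Set(['js', 'node', 'lib', 'easy', 'simple', 'new']); // wrapper tokens
// Core of a name: scope, separators, filler tokens and a trailing "js" removed.
function coreName(name) {
  const base = name.replace(/^@[^/]+\//, '').toLowerCase();
  const tokens = base.split(/[-_.]/).filter((t) => t && !FILLER.has(t));
  return (tokens.join('') || base).replace(/js$/, '');
}
// Edit distance, single-row dynamic programme.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}
// The well-known package a candidate name imitates, or null. The genuine package itself passes.
function looksLikeTyposquat(candidate, known = KNOWN_POPULAR) {
  const base = candidate.replace(/^@[^/]+\//, '').toLowerCase();
  const core = coreName(candidate);
  for (const k of known) {
    if (base === k) continue;
    const kCore = coreName(k);
    const maxEdits = kCore.length < 5 ? 1 : 2; // tighter for short names (fewer false positives)
    if (core === kCore || levenshtein(core, kCore) <= maxEdits) return k;
  }
  return null;
}
// Audit a release: each dependency absent from the previous manifest that imitates a known name.
function auditRelease(prevManifest, nextManifest) {
  const prev = prevManifest.dependencies || {};
  return Object.keys(nextManifest.dependencies || {})
    .filter((n) => !(n in prev))
    .map((name) => ({ name, imitates: looksLikeTyposquat(name) }))
    .filter((f) => f.imitates !== null);
}
// Constructed sample manifests: v1 is clean, v2 quietly adds the typosquat dependency.
const v1 = { name: '@example-scope/core', version: '1.0.0', dependencies: { dayjs: '^1.11.0', zod: '^3.22.0' } };
const v2 = { name: '@example-scope/core', version: '1.0.1', dependencies: { ...v1.dependencies, 'easy-day-js': '^1.0.0' } };
console.log(auditRelease(v1, v2)); // [ { name: 'easy-day-js', imitates: 'dayjs' } ]
```

Run it against the previous and newly published manifest of each package before the new version is allowed into a lockfile; genuine packages such as dayjs and unrelated names such as react-dom pass, while wrappers and near-misspellings are surfaced for review.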
Authorization boundary
Where the authorization boundary should have been
This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Deploy Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.
If enforced at: Consequential action gate on developer machines, credential access authorization
Installing new packages from npm, any consequential action by newly installed packages
PP's Deploy Gate would require receipts for consequential actions the RAT attempts on developer machines. It would not prevent installation of the compromised packages — that requires supply chain controls (contributor access reviews, package signing).