Date: May 12, 2026
Author: Senior Security Consultant, Security Arsenal
Introduction
Microsoft has officially attributed the recent supply chain attack targeting Mastra AI to the North Korean threat group Sapphire Sleet (also known as BlueNoroff). This campaign is significant not just for its geopolitical origins, but for its scale: over 140 malicious npm packages were identified in the wild.
For defenders, this is a critical wake-up call. The attack vector targets the heart of modern development pipelines—the open-source software registry. When a trusted repository is weaponized, traditional perimeter defenses fail. We need immediate visibility into build environments and runtime execution to stop data exfiltration.
Technical Analysis
- Affected Products/Platforms: Node.js environments (npm registry), impacting Windows, Linux, and macOS development workstations and CI/CD pipelines.
- Threat Actor: Sapphire Sleet (North Korea). This group has a history of financially motivated attacks, often targeting the cryptocurrency sector, but has shifted tactics toward broad supply chain compromise to maximize ROI.
- Attack Chain:
  - Initial Compromise: Threat actors likely compromised maintainer credentials or infrastructure associated with Mastra AI.
  - Package Injection: Malicious packages were published to npm. These often employ typosquatting (mimicking popular library names) or version confusion.
  - Execution: Upon installation (npm install), malicious scripts defined in package.json (e.g., preinstall, postinstall) trigger automatically.
  - Payload: The scripts typically deploy infostealers designed to harvest system information, environment variables (.env), and cryptocurrency wallet keys.
- CVE Identifier: None. This is a supply chain integrity issue rather than a specific software vulnerability (CVE).
- Exploitation Status: Confirmed Active. Microsoft and researchers have observed these packages being downloaded and executed.
Detection & Response
Defending against supply chain attacks requires monitoring for anomalous process lineage and network behavior emanating from package managers. The following rules hunt for npm or node processes spawning unauthorized shells or reaching out to suspicious endpoints.
Sigma Rules
---
title: NPM Process Spawning Windows Shell
id: 8c2f9a1b-5e4d-4a3c-9b1a-2d3e4f5a6b7c
status: experimental
description: Detects npm or node processes spawning cmd.exe or powershell.exe, a common tactic in malicious npm packages to execute post-install scripts.
references:
    - https://www.microsoft.com/security/blog/
author: Security Arsenal
date: 2026/05/12
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\node.exe'
            - '\npm.cmd'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate build scripts intentionally triggering system shells
level: high
---
title: NPM Process Spawning Unix Shell
id: 9d3e0b2c-6f5e-4b4d-0c2b-3e4f5a6b7c8d
status: experimental
description: Detects npm or node processes spawning sh, bash, or zsh on Unix/Linux systems, indicative of malicious package behavior.
references:
    - https://www.microsoft.com/security/blog/
author: Security Arsenal
date: 2026/05/12
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith:
            - '/node'
            - '/npm'
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/zsh'
    condition: selection
falsepositives:
    - Legitimate developer build scripts
level: high
---
title: Node.js Outbound Network Connection to Non-Standard Ports
# NOTE: this id contains non-hexadecimal characters and is not a valid UUID; generate a UUIDv4 before deploying.
id: 1e4f2c3d-7g6h-5i5j-9k4l-0m5n6o7p8q9r
status: experimental
description: Detects node.exe initiating network connections to non-HTTP/HTTPS ports, often associated with C2 beacons or exfiltration.
references:
    - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2026/05/12
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\node.exe'
    # Sigma has no "not" value modifier; exclusions are expressed as a filter negated in the condition
    filter_standard_ports:
        DestinationPort:
            - 80
            - 443
            - 8080
    condition: selection and not filter_standard_ports
falsepositives:
    - Node.js applications running custom backend services (WebSocket, etc.)
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for npm install processes spawning suspicious child processes
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ('node.exe', 'node', 'npm.cmd', 'npm')
| where FileName in~ ('powershell.exe', 'cmd.exe', 'pwsh.exe', 'bash', 'sh')
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, CommandLine, FileName, FolderPath
| order by Timestamp desc

// Network connections spawned by Node.js to external IPs, excluding standard ports
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ 'node.exe'
| where RemoteIPType == 'Public'
| where RemotePort !in (80, 443, 8080)
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl
| order by Timestamp desc
Velociraptor VQL
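-- Hunt for Node.js processes with suspicious command lines
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ 'node'
  AND (CommandLine =~ 'eval'
    OR CommandLine =~ 'http'
    OR CommandLine =~ '\\.env')

-- Cross-reference with network connections
-- VQL has no JOIN, so materialize the node processes and look them up per connection
LET node_procs <= SELECT Pid AS ProcPid, Name, CommandLine
  FROM pslist()
  WHERE Name =~ 'node'

SELECT Pid,
       { SELECT Name FROM node_procs WHERE ProcPid = Pid } AS Name,
       { SELECT CommandLine FROM node_procs WHERE ProcPid = Pid } AS CommandLine,
       Raddr.IP AS RemoteAddress,
       Raddr.Port AS RemotePort
FROM netstat()
WHERE Pid IN node_procs.ProcPid
  AND NOT Raddr.IP =~ '^(127\\.0\\.0\\.1|::1|0\\.0\\.0\\.0)$'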
Remediation Script (Bash)
This script audits package.json files for scripts containing keywords often abused by malware (curl, wget, powershell, cmd, eval) and lists recently modified node_modules.
#!/bin/bash
echo "[+] Scanning for suspicious package.json scripts..."
# Find all package.json files in the current directory recursively (NUL-delimited to survive odd paths)
find . -name "package.json" -type f -print0 | while IFS= read -r -d '' file; do
    # Check for lifecycle hooks that npm runs automatically on install
    if grep -qE '"(preinstall|install|postinstall)"[[:space:]]*:' "$file"; then
        echo "[!] Potential install scripts found in: $file"
        # Print the scripts section for review
        jq -r '.scripts' "$file" 2>/dev/null || cat "$file"
        # Call out install hooks whose command contains keywords often abused by malware
        jq -r '.scripts // {} | to_entries[] | "\(.key): \(.value)"' "$file" 2>/dev/null \
            | grep -iE '^(preinstall|install|postinstall): .*(curl|wget|powershell|cmd|eval)' \
            | sed 's/^/    [!!] suspicious keyword in /'
    fi
done
echo "[+] Checking for recently modified node_modules (last 7 days)..."
find ./node_modules -type d -mtime -7 -ls 2>/dev/null | head -n 20
echo "[+] Running standard npm audit..."
npm audit --audit-level=moderate
echo "[!] Manual Review Required: Verify all dependencies in package-lock.json against known trusted sources."
Remediation
- Immediate Audit: Run npm audit in all development and production environments. While this catches known vulnerabilities, you must manually verify dependencies against the Microsoft Threat Intelligence report for the specific malicious package names associated with Mastra AI.
- Dependency Verification: Review package-lock.json or yarn.lock. Look for typosquatted packages (e.g., react-script vs react-scripts). Remove any unrecognized dependencies.
- Credential Rotation: If you believe a malicious package was executed in your environment, assume credentials are compromised. Rotate all API keys, secrets, and tokens accessible to the CI/CD pipeline or affected workstations.
- Network Restrictions: Block outbound internet access from build agents where possible. If build agents require internet access, restrict it to specific, required endpoints (e.g., registry.npmjs.org).
- Vendor Advisory: Monitor updates from Microsoft Security and the npm Advisory Database for the full list of Indicators of Compromise (IoCs) related to this campaign.
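The Dependency Verification step and the install-script execution path described in the attack chain can be checked together against a lockfile. The following is an added example, not code from Security Arsenal or Microsoft: the EXPECTED allowlist, the edit-distance threshold of 2, and the sample lockfile are assumptions constructed for illustration. It relies on the hasInstallScript flag that npm records in lockfileVersion 2 and 3.

```javascript
// Audit a parsed package-lock.json (lockfileVersion 2 or 3).
// EXPECTED is a hypothetical allowlist of dependencies the project intends to use.
const EXPECTED = ['react-scripts', 'express', 'lodash'];

// Levenshtein edit distance between two package names (single-row DP).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1,
                        prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

// Returns one finding per package that is a near-miss of an expected name
// and one per package that declares preinstall/install/postinstall scripts.
function auditLockfile(lock, expected = EXPECTED) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.includes('node_modules/')) continue; // root project, workspace folders
    // Key is e.g. "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const lookalike = expected.includes(name) ? undefined
      : expected.find((e) => editDistance(name, e) <= 2);
    if (lookalike) findings.push({ name, issue: 'typosquat?', detail: lookalike });
    if (meta.hasInstallScript) findings.push({ name, issue: 'install-script', detail: meta.version });
  }
  return findings;
}

// Constructed sample lockfile, not taken from the campaign.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react-script': { version: '0.0.1', hasInstallScript: true },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/express/node_modules/@demo/native': { version: '2.0.0', hasInstallScript: true },
  },
};

console.log(auditLockfile(sampleLock));
```

In practice, pass the result of JSON.parse on the project's package-lock.json in place of sampleLock. Findings are review leads: a legitimate native module will also show up as install-script.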