The Target Has Shifted
Supply chain attacks have historically targeted the legacy web — WordPress plugins, jQuery extensions, PHP packages. The Mastra compromise marks a shift. The target was not a legacy CMS component. It was a cutting-edge TypeScript framework for building AI agents, workflows, and RAG pipelines. Mastra has approximately 8 million weekly downloads on npm. The attacker was not a lone wolf or a criminal syndicate. It was Sapphire Sleet — Microsoft's designation for a North Korean state-sponsored group also known as BlueNoroff.
Microsoft attributed the attack to Sapphire Sleet on June 17, 2026. The group compromised the npm maintainer account "ehindero" and published 141 poisoned packages across the @mastra scope in a 45-minute window. The malicious packages included a typosquat called easy-day-js (mimicking the legitimate dayjs library) that ran a postinstall hook to disable TLS verification, contact command-and-control infrastructure, and deploy a second-stage payload targeting cryptocurrency wallet browser extensions.
npm install Was the Entire Attack
The payload executed during npm install — before any application code ran, before any developer reviewed the dependency, before any security scanner could evaluate the import. The postinstall hook is a feature of npm's package lifecycle. It runs arbitrary code with the privileges of whoever executed the install command. In a CI/CD pipeline, that is typically a service account with access to deployment secrets, cloud credentials, and production infrastructure.
This is the same attack vector WebPulse has documented in the Shai-Hulud (57 npm packages) and Miasma (32 @redhat-cloud-services packages) campaigns. The difference is attribution and target. Shai-Hulud and Miasma were criminal operations targeting broad developer populations. Mastra was a nation-state operation targeting the AI agent development ecosystem specifically.
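Because the hook fires at install time, the place to look is the lockfile, before anything is installed. The following is an added example, not code from this article or from npm: it walks a parsed package-lock.json (lockfileVersion 2 or 3) and reports packages whose entries carry `hasInstallScript`, separating reviewed ones from the rest. The function names, the `@example/*` packages, the versions and the sample lockfile are all constructed for illustration.

```javascript
// Added example: list packages in an npm lockfile (v2/v3) that declare
// install-time lifecycle scripts. All sample data below is constructed.

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return every non-allowlisted package whose lockfile entry is flagged
// hasInstallScript (set by npm for preinstall/install/postinstall scripts).
function findInstallScriptPackages(lock, allowlist = []) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  }
  const root = lock.packages[""] || {};
  const direct = new Set(
    ["dependencies", "devDependencies", "optionalDependencies"]
      .flatMap((field) => Object.keys(root[field] || {}))
  );
  const allowed = new Set(allowlist);
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "" || entry.link || !entry.hasInstallScript) continue;
    const name = nameFromLockPath(lockPath);
    if (allowed.has(name)) continue;
    // Transitive: not declared by the root project, or nested under another package.
    const transitive = !direct.has(name) || lockPath !== "node_modules/" + name;
    findings.push({ name, version: entry.version, path: lockPath, transitive });
  }
  return findings;
}

// Constructed sample lockfile: one reviewed native addon, one unreviewed
// transitive package with an install script (name taken from the article).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@example/agent-kit": "^1.0.0", "@example/native-addon": "^2.0.0" } },
    "node_modules/@example/agent-kit": { version: "1.0.0" },
    "node_modules/@example/native-addon": { version: "2.0.0", hasInstallScript: true },
    "node_modules/@example/agent-kit/node_modules/easy-day-js": { version: "0.0.0", hasInstallScript: true },
  },
};

console.log(findInstallScriptPackages(SAMPLE_LOCK, ["@example/native-addon"]));
```

In CI, a non-empty result can fail the build before the install step, and `npm ci --ignore-scripts` keeps lifecycle hooks from running at all.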
Why AI Frameworks Are High-Value Targets
AI agent frameworks occupy a unique position in the software supply chain. They are adopted rapidly — Mastra went from launch to 8 million weekly downloads in months. They are integrated deeply — AI agents connect to databases, APIs, cloud services, and authentication systems. And they are trusted implicitly — developers building AI agents are focused on capability, not on auditing the framework's dependency tree.
For a nation-state actor focused on cryptocurrency theft (Sapphire Sleet's documented objective), compromising an AI agent framework provides access to exactly the environments where crypto wallets, API keys, and financial credentials are likely to be present. The developers building AI trading bots, financial analysis agents, and crypto portfolio tools are the highest-value targets — and they are the most likely Mastra users.
Framework Choice Is Now a Geopolitical Decision
WebPulse tracks 22 web frameworks on security posture, AI readiness, and ecosystem health. The Mastra compromise introduces a dimension that did not exist in our scoring two years ago: nation-state targeting probability. Frameworks with large adoption in AI, fintech, and defense-adjacent industries carry higher state-sponsored attack risk. The supply chain risk is no longer just about code quality or maintainer hygiene. It is about whether your framework's ecosystem is on a nation-state target list.
For every CTO evaluating AI agent frameworks: Mastra's 141 compromised packages were live for less than 90 minutes before detection. That is fast. But npm install runs in seconds. The question is not whether your security team can respond in 90 minutes. It is whether your CI/CD pipeline ran npm install during those 90 minutes. If it did, the response time is irrelevant.


