North Korean Hackers Linked to Mastra AI Supply Chain Attack — AI/ML Ecosystem Targeted

What Happened

Microsoft Threat Intelligence has attributed a sophisticated supply chain attack targeting the Mastra AI framework to state-sponsored actors operating out of the Democratic People’s Republic of Korea (DPRK). The compromise, discovered in early June 2026, represents a strategic escalation in North Korean cyber operations, pivoting from traditional financial heist motives toward the emerging AI/ML orchestration ecosystem.

Mastra AI is a rapidly growing open-source framework used to orchestrate multi-agent AI workflows, integrate large language models, and manage tool chains across enterprise AI deployments. Microsoft’s investigation confirmed that DPRK operatives successfully injected malicious code into a Mastra AI dependency package, creating a backdoor that propagated to downstream projects upon installation.

The campaign bears the hallmarks of Diamond Sleet (also tracked as a Lazarus Group sub-cluster), a DPRK-aligned threat actor known for supply chain intrusions and software build-environment compromises. The timing overlaps with broader North Korean interest in exfiltrating AI model architectures, training pipelines, and proprietary agent orchestration logic from Western technology firms.

Attack Vector

The attack exploited the trust model inherent in the npm/JavaScript package ecosystem that Mastra AI depends upon. Key elements of the attack chain include:

  • Dependency Hijack: Attackers compromised a transitive dependency used by the Mastra AI core package, inserting obfuscated JavaScript payloads that executed during npm install lifecycle scripts.
  • Typosquatting & Dependency Confusion: In parallel, malicious packages with names closely resembling legitimate Mastra plugins were published to the public npm registry, tricking developers performing casual searches or manual installations.
  • Build-Environment Compromise: The tampered package included a preinstall script that contacted DPRK-controlled command-and-control (C2) infrastructure, exfiltrated environment variables, SSH keys, and .npmrc tokens, and downloaded secondary payloads for persistent access.
  • Watering-Hole via AI Tools: Once embedded in a victim’s development or CI/CD environment, the malware scanned for other AI orchestration frameworks — including LangChain, CrewAI, and AutoGen — and injected itself into their local dependency caches, broadening the lateral blast radius beyond Mastra users alone.

The malicious package versions have been taken down from npm, but any project that ran npm install or npm update during the exposure window (approximately May 20 – June 12, 2026) may retain the compromised dependency in its node_modules or lockfile.

Impact

The blast radius of this campaign is significant due to the interconnected nature of the AI orchestration ecosystem:

  • Mastra AI Users: Direct compromise via the tampered dependency. Any environment that pulled the affected package versions is at risk of credential theft and persistent backdoor access.
  • LangChain Users: The malware actively targets LangChain installations, injecting malicious code into local LangChain package caches. Enterprise LangChain deployments co-located with Mastra projects are especially exposed.
  • CrewAI Users: Similarly targeted through the malware’s lateral movement logic. CrewAI’s agent-based task execution could be hijacked to run attacker-controlled workflows.
  • CI/CD Pipelines: Build environments running Mastra-based AI agents often hold elevated cloud credentials, Kubernetes service tokens, and model registry access keys — all valuable targets for DPRK operators seeking to pivot into cloud infrastructure and model storage.
  • Model Exfiltration: The secondary payloads included functionality to enumerate and exfiltrate fine-tuned model weights, embedding databases, and prompt libraries from connected storage.

Microsoft assesses with moderate confidence that the operation’s primary objective was long-term persistent access to AI development environments rather than immediate financial gain — a shift from historically observed DPRK behavior.

Fix

Organizations using Mastra AI, LangChain, CrewAI, or any AI orchestration framework in the npm ecosystem should take the following immediate remediation steps:

1. Audit Dependencies

  • Run npm audit and npm ls across all AI/ML projects to identify anomalous or unexpected packages.
  • Review package-lock.json and yarn.lock files for any dependency versions pulled during the May 20 – June 12, 2026 window.
  • Use npm view <package> versions to verify that every dependency in your tree comes from a legitimate, currently published version.
  • Pay special attention to packages with names containing slight misspellings of mastra, langchain, or crewai.

2. Verify Package Integrity

  • Wipe node_modules directories and reinstall from a clean lockfile after confirming all dependencies are benign.
  • Use npm pack --dry-run and the integrity hashes recorded in the lockfile to validate that downloaded packages match registry checksums.
  • Pin exact versions in package.json rather than relying on semver ranges (^ or ~) to prevent unexpected resolution to malicious versions.
  • Implement a private npm proxy (e.g., Verdaccio, JFrog Artifactory) with allow-list policies for AI/ML packages.

3. Restrict Egress

  • Block outbound network access from CI/CD build nodes to unknown or newly registered domains.
  • Ensure development environments and build runners cannot initiate connections to DPRK-linked IP ranges or newly created cloud infrastructure.
  • Restrict preinstall, postinstall, and other npm lifecycle scripts with --ignore-scripts on CI runners unless explicitly required and audited.
  • Monitor and alert on outbound connections from node processes to non-allow-listed destinations during package installation phases.

4. Rotate Credentials

  • Rotate all secrets exposed to environments where affected packages may have been installed: npm tokens, GitHub personal access tokens, cloud API keys, SSH keys, and CI/CD variables.
  • Review cloud audit logs (AWS CloudTrail, GCP Audit Logs, Azure Monitor) for anomalous API calls originating from developer IPs or build infrastructure during the exposure window.
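Steps 1 and 2 above can be partly automated against the lockfile itself. The following Node script is an added example, not code from the advisory, Mastra, or npm: it walks a package-lock.json (lockfileVersion 2/3 "packages" map) and flags packages that run install lifecycle scripts, lack an integrity hash, resolve to a tarball outside the public registry, or carry a name within two edits of mastra, langchain, or crewai. The lockfile contents, the registry URL constant, and the watchlist are constructed assumptions.

```javascript
// Added example (not from the advisory, Mastra, or npm): scan a package-lock.json
// for the signals the remediation steps describe. LOCK is a constructed lockfile.
const WATCHLIST = ["mastra", "langchain", "crewai"];
const REGISTRY = "https://registry.npmjs.org/";
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "agent-app", version: "1.0.0" },
    "node_modules/@mastra/core": { version: "0.9.1", resolved: REGISTRY + "@mastra/core/-/core-0.9.1.tgz", integrity: "sha512-AAAA" },
    "node_modules/zod": { version: "3.23.8", resolved: REGISTRY + "zod/-/zod-3.23.8.tgz", integrity: "sha512-BBBB" },
    "node_modules/langchian": { version: "0.2.0", resolved: REGISTRY + "langchian/-/langchian-0.2.0.tgz", integrity: "sha512-CCCC" },
    "node_modules/@mastra/core/node_modules/agent-cache": { version: "1.0.3", resolved: "https://cdn.example.invalid/agent-cache-1.0.3.tgz", hasInstallScript: true },
  },
};
// Standard Levenshtein edit distance, used to catch lookalike package names.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++)
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    prev = cur;
  }
  return prev[b.length];
}
// A scoped name yields two parts (scope, bare name); an exact watchlist match is legitimate,
// but a part within two edits of a watchlist entry is reported as a lookalike.
function lookalikes(name) {
  const m = name.match(/^@([^/]+)\/(.+)$/);
  const parts = m ? [m[1], m[2]] : [name];
  return WATCHLIST.filter((w) => parts.some((p) => { const d = levenshtein(p, w); return d > 0 && d <= 2; }));
}
// Returns one finding per suspicious package: { name, version, reasons }.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    // Nested entries look like node_modules/a/node_modules/b; keep the last package name.
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const reasons = [];
    if (meta.hasInstallScript) reasons.push("runs an install lifecycle script");
    if (!meta.integrity) reasons.push("no integrity hash recorded");
    if (meta.resolved && !meta.resolved.startsWith(REGISTRY)) reasons.push("resolved outside the public registry");
    for (const w of lookalikes(name)) reasons.push(`name resembles ${w}`);
    if (reasons.length) findings.push({ name, version: meta.version, reasons });
  }
  return findings;
}
console.log(JSON.stringify(auditLockfile(LOCK), null, 2));
```

Replace LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; the script reads only the lockfile and makes no network calls.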

Recommendations

  1. Assume Breach: Treat any environment that ran Mastra AI, LangChain, or CrewAI installations between May 20 and June 12, 2026 as potentially compromised. Conduct forensic triage rather than waiting for confirmation.
  2. Implement Software Bill of Materials (SBOM): Generate and maintain SBOMs for all AI/ML projects to enable rapid dependency tracking when future supply chain events occur.
  3. Enforce Code Signing: Require signed commits and signed packages in AI/ML pipelines. Verify signatures of third-party dependencies before allowing installation.
  4. Network Segmentation: Isolate AI development environments from production model-serving infrastructure and cloud control planes. Use network policies to restrict lateral movement.
  5. Threat Hunt: Search for IOCs associated with this campaign — Microsoft has published a full indicator list in their threat intelligence portal. Key indicators include specific C2 domains, file hashes of the malicious packages, and registry manipulation artifacts.
  6. Stay Informed: Monitor Microsoft Security Response Center (MSRC), CISA alerts, and npm security advisories for updates as the investigation continues.
