Microsoft's threat intelligence team has linked a sweeping supply chain attack against the Mastra AI framework to Sapphire Sleet, a North Korean state-sponsored hacking group also tracked as BlueNoroff. The campaign compromised more than 140 npm packages, marking one of the most significant supply chain incidents to specifically target artificial intelligence infrastructure.
A Strategic Shift Toward AI Targets
The attack underscores a notable evolution in the tactics of nation-state cyber operations. Rather than pursuing more traditional software targets, Sapphire Sleet zeroed in on the Mastra AI framework — a toolchain used by developers building AI-powered applications. By poisoning packages within the npm ecosystem, the group positioned itself to execute code inside a wide range of downstream projects and organisations that install the compromised modules, whether on developer workstations, in CI/CD runners, or in production deployments.
Sapphire Sleet has long been associated with financially motivated cybercrime and cryptocurrency theft on behalf of the North Korean regime. The group's pivot toward AI-related supply chains suggests that attackers recognise the growing centrality of machine learning tooling in enterprise software stacks. Compromising an AI framework at the dependency level could grant access to sensitive model pipelines, training data, and proprietary inference logic — assets of considerable strategic and economic value.
npm's Persistent Weakness
The incident once again highlights the security challenges inherent in the npm ecosystem. With its deeply nested dependency structures and a culture of rapid, community-driven package publication, npm has become a recurring battleground for supply chain attackers. Previous campaigns — including the widely reported event-stream incident and numerous typosquatting schemes — have demonstrated how a single compromised package can cascade through thousands of downstream consumers.
In this case, more than 140 packages were affected, amplifying the potential blast radius. Developers who pulled these dependencies into their projects may have unknowingly introduced malicious code into production environments, CI/CD pipelines, or development machines.
Response and Recommended Actions
Microsoft has published indicators of compromise (IOCs) and a list of affected package names to help developers audit their projects. Security teams are urged to cross-reference their dependency trees against these identifiers immediately.
Mastra AI's maintainers and the npm security team are actively working to remove compromised packages from the registry and revoke associated credentials. However, given the scale of the campaign — over 140 packages — remediation is expected to be an ongoing process, and developers should not assume that removal from the public registry fully neutralises the threat: copies already installed in node_modules directories, cached by CI runners, or replicated into internal registry mirrors remain in place until they are explicitly purged.
For organisations building on AI frameworks, the following steps are strongly recommended:
- Audit dependencies now. Compare your package-lock.json or yarn.lock files against Microsoft's published IOCs and flagged package names, matching on the exact versions listed and including transitive copies nested beneath other packages, not just top-level entries in package.json.
- Adopt SBOM practices. Maintain a software bill of materials for every project so that exposure to compromised packages can be rapidly assessed.
- Verify provenance. Prefer packages with signed releases, reproducible builds, and transparent maintainer histories — especially for ML and AI libraries that touch sensitive data or model pipelines.
- Monitor for behavioural anomalies. Compromised AI dependencies could exfiltrate training data, manipulate model outputs, or introduce backdoors into inference stages. Runtime monitoring and integrity checks should be standard practice.
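One way to carry out the lockfile cross-check from the first step above, written here as an added example rather than code from the article, from Microsoft, or from the Mastra project. The flagged package list and the sample lockfile are both constructed for illustration; the real names and versions are the ones in Microsoft's publication. The scanner understands both the lockfile v1 layout (a nested `dependencies` tree) and the v2/v3 layout (a flat `packages` map keyed by install path), so transitive copies nested under other packages are caught, and it matches on exact version, with "*" meaning any version.

```javascript
// Added example (not the article's or any vendor's code): scan an npm
// package-lock.json for packages on a flagged list. The list and the
// sample lockfile below are constructed placeholders, not real IOCs.

// Hypothetical IOC list: package name -> flagged versions ("*" = any version).
const FLAGGED = {
  "example-flagged-pkg": ["*"],
  "example-other-pkg": ["1.2.3", "1.2.4"],
};

// Flatten a parsed lockfile into { name, version, path, integrity } entries.
// Handles lockfileVersion 2/3 ("packages" map) and lockfileVersion 1
// ("dependencies" tree), so nested transitive copies are included.
function flattenLockfile(lock) {
  const out = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === "") continue; // the root project entry, not a dependency
      // The package name is everything after the last "node_modules/",
      // which keeps scoped names such as "@scope/name" intact.
      const idx = p.lastIndexOf("node_modules/");
      const name = idx === -1 ? p : p.slice(idx + "node_modules/".length);
      out.push({ name, version: meta.version, path: p, integrity: meta.integrity });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = prefix + "node_modules/" + name;
        out.push({ name, version: meta.version, path, integrity: meta.integrity });
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return out;
}

// Return every installed entry whose name and version are on the flagged list.
function findFlagged(lock, flagged = FLAGGED) {
  return flattenLockfile(lock).filter((e) => {
    const versions = flagged[e.name];
    return Boolean(versions) && (versions.includes("*") || versions.includes(e.version));
  });
}

// Convenience wrapper for raw lockfile text (e.g. from fs.readFileSync).
function scanLockfileText(text, flagged = FLAGGED) {
  return findFlagged(JSON.parse(text), flagged);
}

// Constructed sample lockfile in the v3 layout, used for the offline demo.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-flagged-pkg": { version: "0.9.1", integrity: "sha512-AAAA" },
    "node_modules/example-other-pkg": { version: "1.2.3", integrity: "sha512-BBBB" },
    "node_modules/@scope/clean-lib": { version: "2.0.0" },
    // Transitive copy at a version that is NOT flagged; must not be reported.
    "node_modules/@scope/clean-lib/node_modules/example-other-pkg": { version: "1.2.5" },
  },
};

// Demo run against the constructed sample: reports two hits.
const demoHits = findFlagged(SAMPLE_LOCK);
for (const h of demoHits) {
  console.log(`FLAGGED ${h.name}@${h.version} at ${h.path} (${h.integrity || "no integrity"})`);
}
```

For a real project, read package-lock.json with fs.readFileSync and pass the text to scanLockfileText; the integrity field is carried through so that a hit can be compared against any file hashes the published IOCs include. yarn.lock is not JSON and needs its own parser, so this example covers the npm lockfile only.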
What It Means for the Community
Microsoft's attribution serves as a reminder that the open-source software supply chain remains a high-priority attack vector for well-resourced threat actors. The targeting of AI-specific frameworks adds a new dimension to an already urgent problem: a compromised machine learning library does not merely expose data — it can corrupt the behaviour of intelligent systems in ways that are difficult to detect through conventional security tooling.
As AI tooling becomes embedded in critical workflows across industries, the security posture of the frameworks developers rely on will increasingly determine the resilience of the organisations that adopt them. The Sapphire Sleet campaign is a stark illustration of what happens when that posture falls short — and a clear signal that AI supply chains demand the same rigour applied to any other critical infrastructure.