惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

有赞技术团队
有赞技术团队
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
aimingoo的专栏
aimingoo的专栏
IT之家
IT之家
G
Google Developers Blog
爱范儿
爱范儿
博客园 - 司徒正美
Recent Announcements
Recent Announcements
The Register - Security
The Register - Security
J
Java Code Geeks
The Cloudflare Blog
M
MIT News - Artificial intelligence
Apple Machine Learning Research
Apple Machine Learning Research
Microsoft Security Blog
Microsoft Security Blog
博客园 - Franky
雷峰网
雷峰网
酷 壳 – CoolShell
酷 壳 – CoolShell
Blog — PlanetScale
Blog — PlanetScale
Vercel News
Vercel News
宝玉的分享
宝玉的分享
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
B
Blog
小众软件
小众软件
Microsoft Azure Blog
Microsoft Azure Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
WordPress大学
WordPress大学
T
Troy Hunt's Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
H
Hacker News: Front Page
H
Help Net Security
S
Security @ Cisco Blogs
V
V2EX
Security Archives - TechRepublic
Security Archives - TechRepublic
Stack Overflow Blog
Stack Overflow Blog
O
OpenAI News
L
LINUX DO - 最新话题
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
S
Secure Thoughts
Help Net Security
Help Net Security
F
Full Disclosure
博客园 - 叶小钗
The Hacker News
The Hacker News
Spread Privacy
Spread Privacy
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Jina AI
Jina AI
K
Kaspersky official blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
V
Vulnerabilities – Threatpost
P
Privacy International News Feed
Scott Helme
Scott Helme

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Nation-State Actors Are Now Targeting Your AI Agent's npm Packages
Toni Antunovic · 2026-06-26 · via DEV Community

Toni Antunovic

This article was originally published on LucidShark Blog.


On June 17, 2026, Microsoft Threat Intelligence published a report attributing a supply chain attack on more than 140 packages in the @mastra npm scope to Sapphire Sleet, a North Korean state-sponsored threat actor. Mastra is a TypeScript framework for building agentic AI applications. Its packages are used by teams building Claude Code integrations, MCP servers, and autonomous coding pipelines. The attack vector was a postinstall hook. The payload stole AI provider API keys, cloud credentials, and CI/CD tokens.

This is not a story about an opportunistic criminal trying to make a quick profit from stolen package manager credentials. This is a nation-state actor making a deliberate, strategic decision that the most valuable target in modern software development is the developer building AI coding tools.

Scope of the Mastra attack: 140+ packages across the @mastra and mastra npm scopes were compromised in a coordinated campaign attributed by Microsoft Threat Intelligence to Sapphire Sleet (also tracked as BlueNoroff). Affected versions contained a postinstall payload designed to exfiltrate AI API keys, GitHub tokens, and cloud service credentials from developer machines.

What Happened in the Mastra Attack

The attack followed the same broad pattern as the Miasma Red Hat npm campaign from June 1, but with a critical difference in targeting. Where Miasma went after Red Hat infrastructure teams, Sapphire Sleet went after AI tool builders specifically.

The attack injected a postinstall script into compromised package versions. When a developer ran npm install, the hook executed silently before any visible output, scanning the local environment for:

  • AI provider API keys: Anthropic, OpenAI, Gemini, Mistral

  • GitHub personal access tokens and fine-grained tokens

  • AWS, GCP, and Azure credential files

  • Claude Code configuration files (~/.claude.json and ~/.claude/)

  • MCP server OAuth tokens stored in Claude Code's config

The exfiltration used an HTTPS beacon to attacker-controlled infrastructure. The full execution completed in under two seconds, before most developers would notice anything amiss in terminal output.

Timeline: Malicious versions were published between June 14 and June 17, 2026. Microsoft Threat Intelligence published the attribution report on June 17. Affected packages were revoked from npm within hours of disclosure. Developers who ran npm install on any Mastra package between June 14 and June 17 should assume credential compromise and rotate immediately.

Why Nation-State Actors Are Targeting AI Developer Tooling

The strategic logic is clear once you map what a developer machine holds compared to any other target in the organization.

A developer building AI coding infrastructure has, in a typical session:

  • An Anthropic API key, often with no spend cap, capable of generating thousands of dollars in usage or accessing shared team workspaces

  • A GitHub PAT with write access to the repositories being worked on

  • Cloud credentials (AWS, GCP, Azure) for the environments the agent deploys to

  • MCP OAuth tokens granting access to Jira, Confluence, Linear, Slack

  • Local access to the codebase itself, often including internal services, private endpoints, and embedded secrets in config files

This is a higher-value credential bundle than what lives on most corporate workstations. It also lives on a machine where the developer is constantly installing new packages, spinning up new MCP servers, and integrating new tools. The attack surface is not static: it grows every time the developer adds a new dependency to an AI workflow.

Sapphire Sleet has previously focused on financial services targets, cryptocurrency exchanges, and defense contractors. The pivot to AI developer tooling is a signal that state actors have mapped the credential landscape and identified AI coding tool developers as a high-yield target category.

The Autonomous Agent Problem

Traditional supply chain defenses assume a human in the loop. A developer who is suspicious of a package can review its source before running it. A security team can add a mandatory approval step before new packages are introduced to a project.

AI coding agents break this assumption entirely.

When Claude Code decides to install a dependency as part of an agentic workflow, the installation happens automatically. The agent reads the task, determines that @mastra/core is needed, runs npm install @mastra/core, and proceeds. No human reviews the package. No human approves the install. The postinstall hook executes with the developer's full filesystem permissions, including read access to every credential file on the machine, before a human sees any output at all.

# This is what an autonomous Claude Code install looks like
# The agent selects the package, installs it, and the postinstall fires
# before any human review can occur

$ claude --task "set up mastra agentic framework for this project"
> Installing @mastra/core@0.11.4...
> Running postinstall...    ← malicious payload fires here, silently
> Done in 2.8s
> Framework initialized. Here is your starter config:

The developer sees a successful install. The payload has already run. The credentials are already gone.

Why Standard Defenses Failed

Four mechanisms that developers typically rely on for supply chain protection all failed against this attack:

npm audit: The malicious package had no existing CVE at installation time. npm audit checks against the npm advisory database, which only populates after a vulnerability is discovered and reported. It is inherently retrospective. Packages are clean until they are not.

SLSA provenance: The Mastra attack forged provenance attestations using the same technique as the Miasma campaign: the attackers obtained a legitimate GitHub OIDC token from a compromised CI/CD pipeline and used it to publish packages with valid, verifiable SLSA provenance. The package passed npm audit signatures and appeared to have a legitimate supply chain.

Dependabot / Renovate: These tools alert on known-vulnerable versions. They do not inspect package behavior or flag packages with newly added install scripts.

Code review: The malicious code was in the postinstall script of a transitive dependency, not in the application source. Most teams do not review transitive dependency install scripts as part of their PR process.

The core problem: Every standard supply chain defense is reactive. It assumes you can wait until a vulnerability is known, documented, and added to a feed. Against a nation-state actor publishing a malicious package and pulling it within hours of discovery, the window between "clean" and "known bad" is the entire attack window.

What Pre-Install Scanning Catches That npm audit Misses

The only class of defense that works against zero-day supply chain attacks is behavioral and reputational analysis run before the install script executes. This requires checking properties of the package itself, not its advisory status.

The signals that would have flagged the Mastra attack before the payload ran:

  • New postinstall script in a previously clean package: The malicious versions added a postinstall field that did not exist in prior versions. A diff of the package manifest across versions is a high-signal indicator.

  • Publish timestamp anomaly: Multiple versions of related packages published within a short window (hours) is a pattern consistent with a compromised publishing pipeline.

  • Script content analysis: The postinstall script contained base64-encoded content and a network request. Both are strong indicators of malicious intent in an install hook.

  • Package reputation score: A secondary package in the @mastra scope with a low download count and no prior install scripts that suddenly gains a postinstall hook is anomalous.

Here is a quick local audit you can run right now to identify packages with lifecycle scripts in your current project:

python3 -c "
import json, sys

with open('package-lock.json') as f:
    lock = json.load(f)

packages = lock.get('packages', {})
risky = []

for name, meta in packages.items():
    scripts = meta.get('scripts', {})
    hooks = [s for s in ['postinstall', 'install', 'preinstall'] if s in scripts]
    if hooks:
        risky.append({
            'name': name or '(root)',
            'hooks': hooks,
            'version': meta.get('version', 'unknown'),
            'resolved': meta.get('resolved', '')[:60]
        })

print(f'Packages with lifecycle scripts: {len(risky)}')
for pkg in sorted(risky, key=lambda x: x['name']):
    print(f'  {pkg[\"name\"]}@{pkg[\"version\"]}')
    print(f'    hooks: {pkg[\"hooks\"]}')
    print(f'    source: {pkg[\"resolved\"]}...')
    print()
"

Any package in this list that you do not explicitly recognize and trust is worth auditing before the next npm install run.

What To Do Right Now

If you installed any package in the @mastra scope between June 14 and June 17, 2026:

  • Rotate your Anthropic API key immediately at console.anthropic.com

  • Revoke and regenerate any GitHub personal access tokens

  • Rotate AWS, GCP, or Azure credentials used on the affected machine

  • Revoke MCP OAuth tokens in each connected service (Jira, GitHub, Confluence, Slack) and reissue with minimal required scopes

  • Check ~/.claude.json for stored credentials and rotate everything found there

For ongoing protection, add postinstall script auditing to your pre-commit or pre-install workflow. Before any npm install run in an AI-assisted project, check whether any package in the dependency tree has added or modified a lifecycle script compared to the last known-clean lockfile.

LucidShark includes dependency lifecycle script scanning as part of its local SCA pipeline. Running lucidshark analyze in your project flags packages with postinstall hooks from unverified or recently modified publishers before they execute, alongside complexity, coverage, and duplication metrics. It runs entirely on your machine, with no data leaving your environment, and integrates with Claude Code via MCP so your agent gets structured feedback before installing flagged packages. Get started at lucidshark.com or install with npm install -g lucidshark.