Sapphire Sleet
Sapphire Sleet, also known as BlueNoroff, is described by Microsoft as a North Korean state actor that primarily targets the financial sector. Microsoft attributed the June 2026 Mastra AI npm supply chain compromise to Sapphire Sleet with high confidence, and also said the group was responsible for a separate npm supply chain attack on the Axios HTTP client in April 2026.

In the Mastra intrusion, the attackers compromised the npm maintainer account "ehindero" and used its publishing privileges to push malicious updates to more than 140 @mastra packages. The malicious updates added a typosquatted dependency, "easy-day-js," which executed a post-install hook when the packages were installed. Microsoft reported that the obfuscated dropper disabled TLS certificate verification, contacted attacker-controlled infrastructure, downloaded a second-stage payload, and executed it as a detached hidden process. The second stage was a cross-platform information stealer targeting Windows, Linux, and macOS. It collected host information, browser histories, installed applications, and running processes, and checked for 166 cryptocurrency wallet browser extensions, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink. The malware used Windows Registry Run keys, LaunchAgents, and systemd services for persistence.

Microsoft said infected systems also showed follow-on activity associated with Sapphire Sleet, including deployment of a previously observed PowerShell backdoor, additional persistence mechanisms, Microsoft Defender exclusions, and a malicious Windows service granting SYSTEM privileges. Microsoft further stated that the PowerShell backdoor, tradecraft, and command-and-control infrastructure had been used by Sapphire Sleet in prior campaigns. The reporting also states that this activity aligns with Sapphire Sleet’s history of cryptocurrency theft, malicious browser extensions, fake job offers, and prior software supply chain compromises.
Known alias: BlueNoroff.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
Where they're from
Attributed origin per open-source reporting.
- KP (North Korea)
Tradecraft
15 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Associated with a Mastra npm supply chain compromise involving a postinstall payload.
Conducted a software supply chain attack against the Mastra npm ecosystem by compromising a maintainer account, publishing malicious package updates, deploying a malware dropper and second-stage information stealer, and stealing credentials, API keys, authentication tokens, and cryptocurrency wallets. The group is also described as primarily targeting the financial sector and conducting cryptocurrency theft campaigns.
Referenced as the threat actor Microsoft attributed to an earlier 2026 Axios npm compromise whose tradecraft closely overlaps this campaign, including npm package compromise, staged malware delivery, and cryptocurrency wallet theft.