A sophisticated supply chain campaign, attributed to the suspected threat actor TeamPCP, has simultaneously targeted the Mastra AI framework via npm, GitHub Actions CI/CD workflows, and the Arch Linux User Repository (AUR). The attack utilized dormant contributor account takeovers to poison the @mastra npm scope using the easy-day-js dependency and hijacked GitHub Action version tags to exfiltrate CI/CD credentials. Additionally, over 1,500 AUR packages were compromised with eBPF-based rootkit malware. This coordinated infrastructure, linked by the "Mini Shai-Hulud" worm, facilitates widespread code execution, credential theft, and persistent rootkit deployment across development, DevOps, and end-user Linux environments.
Incident Overview and Scope
- Targeted Ecosystems: Simultaneous strikes against the npm registry (@mastra scope), GitHub Actions (DevOps pipelines), and the Arch Linux User Repository (AUR).
- Scale of Impact: Compromise of 144 Mastra AI packages, redirection of widely-used GitHub Actions, and infection of approximately 1,500 AUR packages.
- Coordinated Infrastructure: The campaign is unified by the "Mini Shai-Hulud" worm, linking disparate attack vectors into a single, multi-stage operation.
Attack Vector Mechanics
- npm Dependency Poisoning: Attackers utilized dormant contributor account takeovers to inject malicious code into the @mastra scope, specifically leveraging the easy-day-js dependency for resolution hijacking.
- CI/CD Tag Hijacking: Exploited actions-cool workflows by redirecting version tags, allowing the interception and exfiltration of sensitive GitHub Actions secrets.
- Linux Kernel Exploitation: Deployed eBPF-based rootkit-like malware within the AUR to achieve stealthy, high-privilege persistence on Linux-based user environments.
Malware and Payload Profile
- Shai-Hulud/Mini Shai-Hulud: A sophisticated worm/infrastructure used to bridge the gap between npm dependency poisoning and CI/CD hijacking.
- Payload Functionality: Payloads include cross-platform cryptocurrency stealers and deep-system rootkits designed for long-term environmental persistence.
- Evasion Techniques: Utilization of eBPF allows for kernel-level stealth, making detection via traditional user-space security tooling difficult.
Threat Actor Profile and Systemic Risk
- Attribution: The complexity and coordination of the campaign strongly suggest the involvement of the TeamPCP threat group.
- Lifecycle Compromise: The attack demonstrates an ability to compromise the entire software development lifecycle (SDLC), from AI framework development to production deployment.
- Strategic Impact: The targeting of AI ecosystems (Mastra) and DevOps tooling (GitHub Actions) indicates a high-intent focus on modern enterprise infrastructure.
Defensive Recommendations
- Supply Chain Integrity: Implement strict dependency pinning and integrity verification (e.g., SHA-256 hashes) rather than relying on floating version tags or semantic-version ranges.
- CI/CD Hardening: Use immutable commit SHAs for all GitHub Actions to prevent version tag hijacking and secret exfiltration.
- Linux Security Monitoring: Deploy eBPF-aware security monitoring to detect unauthorized kernel-level programming and anomalous system calls.