At a glance
North Korea owned the supply-chain headlines this week, and the vector was npm. JFrog's threat-research team caught “easy-day-js” — a malicious package that piggybacked on a legitimate dependency update to compromise 144 Mastra AI framework packages, dropping a credential stealer that harvested cloud tokens, SSH keys, and .env secrets from any developer who ran npm install. Microsoft's subsequent attribution confirmed the campaign connects to Jade Sleet, the same North Korean cluster behind the 2023 npm supply-chain wave. Back-to-back in a single week: an attacker slipping a single package into a widely-used framework's dependency tree as a living-off-the-land technique rather than building and promoting fake packages from scratch.
The week's second thread is CI/CD pipeline exposure at the secrets and credentials layer. GitHub shipped AntiSSRF, an open-source library that blocks server-side request forgery from inside pipeline code — a concrete control for a class of abuse that quietly leaks cloud metadata and internal endpoints from build runners. Alongside it, a new open-source CI/CD abuse detector landed on Help Net Security, designed specifically to catch stolen-credential attacks against pipeline workflows. And a Dark Reading analysis of developer machine risk makes explicit what the Mastra campaign demonstrated: the developer workstation is now routinely the weakest link in an otherwise hardened pipeline, because it holds live registry credentials and sits outside most enterprise perimeter controls.
The foundational reading this week anchors the weekly incidents in structural context. The Agentjacking research from the Cloud Security Alliance is the canonical technical account of how MCP-based AI coding agents can be hijacked via crafted Sentry error events — a 2026-06-12 publication that now reads as a direct precursor to the Mastra attack's targeting of developer machines running agentic tooling. GitHub's 2026 Actions security roadmap — SHA pinning, scoped secrets, native egress filtering — maps directly to the credential-exfiltration patterns showing up in the weekly attacks. And the O'Reilly analysis of Kubernetes in the AI era connects the platform-hardening thread to the agentic workloads that are landing in clusters faster than most security policies can track them.
Topic map — North Korean npm supply-chain attack on Mastra AI packages, CI/CD pipeline credential exposure, agentjacking of AI coding agents, and the platform & policy controls that blunt them.
Article index
npm & registry supply-chain attacks
The Mastra/easy-day-js campaign as discovery, attribution, and structural context — plus the PyPI Hades campaign and the Codex credential-theft playbook that preceded it, showing how attackers are systematically targeting AI-framework developer ecosystems across registries.
- 144 Mastra npm packages compromised via easy-day-js (The Hacker News, Jun 17)
- Microsoft links Mastra attack to North Korean hackers (BleepingComputer, Jun 20)
- ‘Hades’ attacks on PyPI — a new spin on Shai-Hulud (Dark Reading, Jun 8) — foundational
- OpenAI Codex authentication tokens stolen via codexui-android npm (The Hacker News, Jun 1) — foundational
CI/CD & agentic-workflow hardening
Fresh tooling for securing pipeline credentials and flagging stolen-token abuse, alongside GitHub's roadmap for making Actions secure by default — directly responsive to the week's credential-exfiltration patterns.
- GitHub removes PAT requirement for agentic workflows (DevOps.com, Jun 15)
- Microsoft AntiSSRF open-source library (Help Net Security, Jun 17)
- Open-source CI/CD abuse detector guards against stolen-credential attacks (Help Net Security, Jun 15)
- GitHub to disable npm install scripts by default in npm v12 (The Hacker News, Jun 11) — foundational
- What’s coming to our GitHub Actions 2026 security roadmap (GitHub Blog, Mar 26) — foundational
Dev-tooling & AI coding agent threats
Agentjacking turns MCP-connected coding agents into code-execution vectors; malicious JetBrains plugins and the AUR campaign go directly after the AI API keys and cloud tokens that live on developer machines running those agents.
- Agentjacking: MCP/Sentry injection hijacks AI coding agents (Cloud Security Alliance, Jun 12) — foundational
- Malicious JetBrains plugins steal AI API keys from developers (BleepingComputer, Jun 10) — foundational
- Developer machines and the supply-chain security risk (Dark Reading, Jun 17)
- 400+ AUR packages hijacked: what “Atomic Arch” means for supply-chain security (StepSecurity, Jun 12) — foundational
Foundational: open source, compliance & platform
Two-thirds of the open-source community still unaware of the EU Cyber Resilience Act; Kubernetes security posture under AI-era pressure; and a structural gap in how organizations detect and respond to CI/CD compromise.
- Two-thirds of open-source community unaware of the Cyber Resilience Act (Infosecurity, Jun 8) — foundational
- Kubernetes in the Age of AI (O’Reilly Radar, Jun 18) — foundational
Detailed write-ups
01
144 Mastra npm packages compromised via easy-day-js dependency
JFrog's security research team discovered that a malicious update to the “easy-day-js” npm package compromised 144 packages in the Mastra AI framework ecosystem. The attacker inserted a credential-harvesting payload that executed at install time, scooping cloud tokens, SSH keys, and .env secrets from any developer workstation that ran npm install against an affected Mastra package. The technique — hijacking a shared transitive dependency rather than publishing a fake look-alike — is a notable evolution: it allows a single tampered package to propagate through a large, trusted dependency graph without triggering name-similarity detectors. Mastra is widely used in AI agent development, making the developer and build-machine population an attractive target. JFrog notified npm; the packages were pulled within hours of discovery.
02
Microsoft links Mastra AI supply-chain attack to North Korean hackers
Microsoft's threat intelligence team attributed the Mastra/easy-day-js npm campaign to Jade Sleet (also tracked as TEMP.Hermit), a North Korean cluster with a documented history of developer-targeted supply-chain operations including the 2023 npm wave. The attribution is operationally significant for DevSecOps teams: Jade Sleet is not an opportunist but a persistent actor that studies open-source developer tooling ecosystems before inserting payloads, meaning campaigns like this one reflect reconnaissance-then-insertion tradecraft rather than spray-and-pray. Microsoft's write-up details indicators of compromise and recommends auditing developer workstations, rotating any registry credentials that could have been present during the affected install window, and reviewing which Mastra package versions are pinned in internal pipelines.
03
‘Hades’ attacks on PyPI — a new spin on Shai-Hulud
Dark Reading covers the “Hades” campaign targeting PyPI with a fresh variation on the self-replicating Shai-Hulud worm technique: malicious packages that, when installed, scan the victim environment for developer credentials and use any registry tokens found to publish additional poisoned packages under the same or related namespaces. The self-amplifying model means an initial foothold in a single developer environment can propagate into a broader registry presence without additional attacker infrastructure. This is the PyPI-side complement to the npm story in articles 1 and 2, and a reminder that supply-chain actors are cross-registry in their targeting — the same playbook landing on both npm and PyPI within the same news cycle.
04
OpenAI Codex authentication tokens stolen via codexui-android npm package
Researchers found “codexui-android” on npm, a malicious package impersonating OpenAI's Codex tooling that exfiltrated authentication tokens from developer environments at import time. The targeting of Codex users is deliberate: developers building on AI coding APIs are a high-value target because their environments hold not just registry credentials but active API keys with billing scope and, in some cases, access to sensitive code repositories and build outputs. This case is an early-window example of the AI-framework credential-targeting pattern that the Mastra campaign escalated two weeks later. A reminder that any new AI-tooling namespace on npm is a typosquatting surface worth monitoring before your teams pull it.
05
GitHub removes PAT requirement for agentic workflows
GitHub announced that agentic workflows using GitHub Apps and fine-grained permissions can now operate without requiring a Personal Access Token, reducing the need for long-lived secrets in developer and CI environments. The change directly addresses one of the most persistent credential-hygiene problems in GitHub-based pipelines: PATs that accumulate broad repository scope, rarely rotate, and are the first thing a credential-harvesting npm payload looks for in a developer's environment. For teams already running agentic CI workflows or planning to adopt AI coding agents with GitHub integration, this is a meaningful hardening opportunity that removes a class of long-lived secret with minimal workflow disruption if migration is planned carefully.
06
Microsoft AntiSSRF open-source library
Microsoft open-sourced AntiSSRF, a library designed to prevent server-side request forgery from within application and pipeline code. SSRF from inside CI/CD runners is a lower-profile but persistent risk: a build that fetches external resources can be redirected to cloud metadata endpoints or internal services, leaking IAM credentials or internal network topology. AntiSSRF provides a defense-in-depth layer that can be dropped into build and application code without requiring infrastructure changes. The timing is notable — Microsoft has been publishing security tooling at a steady pace alongside its threat intelligence on the same attack surfaces, and AntiSSRF fits the pattern of tooling that addresses the specific runner-side vectors documented in the Mastra and Actions-exploitation research.
07
Open-source CI/CD abuse detector guards against stolen-credential attacks
A new open-source tool published this week is designed to detect abuse of CI/CD pipelines via stolen credentials — specifically the pattern where an attacker who has harvested a runner token or repository secret attempts to use it to trigger unauthorized workflow runs, push to protected branches, or exfiltrate artifacts. The detector monitors for anomalous usage patterns against a baseline of normal pipeline behavior, flagging activity that matches known stolen-credential playbooks. Given that the Mastra, Atomic Arch, and Codex campaigns all end with live credentials being harvested and reused, adding a detection layer at the pipeline-usage tier rather than only at the ingest tier is a meaningful defense-in-depth step for teams running GitHub Actions or similar platforms.
08
GitHub to disable npm install scripts by default in npm v12
GitHub announced that npm v12, expected in July, will no longer execute preinstall, install, and postinstall lifecycle scripts from dependencies by default — a change that requires projects to explicitly opt in to install-time script execution per package. This is the most consequential structural fix to the npm threat model in the current attack cycle: the Mastra, Shai-Hulud, and TeamPCP campaigns all exploit default automatic script execution to drop payloads at install time. The timing advice is practical: inventory which of your own builds currently depend on lifecycle scripts before the npm v12 default flips, so the change lands as a pipeline-hardening win rather than a broken build. Opting out of the new default to preserve convenience is the wrong call in 2026.
09
What’s coming to our GitHub Actions 2026 security roadmap
GitHub's roadmap for making Actions secure by default maps directly to the credential-exfiltration patterns appearing in the week's attacks: workflow-level dependency locking via SHA pinning, policy-driven execution through rulesets, scoped secrets, an Actions Data Stream for pipeline observability, and a native egress firewall for hosted runners. Egress filtering and scoped secrets in particular are the controls that would have blunted the payload delivery in the Mastra and AUR campaigns — both attackers needed network egress from build or developer hosts to exfiltrate harvested credentials. For any team building its CI/CD hardening baseline on GitHub Actions, this roadmap is the planning document to track and implement ahead of the default changes arriving later this year.
10
Agentjacking: MCP/Sentry injection hijacks AI coding agents (CSA primary research)
The Cloud Security Alliance's primary research note on “agentjacking” is the authoritative technical account of how crafted Sentry error events, submitted via a project's public DSN, can trick an AI coding agent reading them over MCP into treating attacker-controlled content as trusted resolution steps — achieving code execution on the developer's machine with an 85% success rate in testing. The significance for DevSecOps teams wiring agents into error-monitoring, issue-tracking, and log feeds: those data sources are now injection surfaces. External data flowing into an agent's context must be treated as untrusted input regardless of the source system's reputation. The MCP trust boundary problem the CSA documents here is unresolved in tooling; defensive posture today requires explicit review of what data sources each agent can read and what actions it can take in response.
11
Malicious JetBrains Marketplace plugins steal AI API keys from developers
BleepingComputer reports a cluster of malicious plugins published to the JetBrains Marketplace that harvested AI API keys — Anthropic, OpenAI, and Cohere credentials — from developer environments. The plugins passed basic review, were installed by developers seeking AI-assisted coding features, and exfiltrated stored API keys to attacker infrastructure in the background. The IDE extension supply chain is the newer and less-scrutinized relative of the npm/PyPI attack surface: developers install plugins with the same trust they extend to packages, and plugin marketplaces lack the same automated malware-scanning maturity the major language registries have built up over the past two years. Worth reviewing which JetBrains plugins are deployed in your developer fleet and whether any recently-added AI-tooling plugins match the IOCs in BleepingComputer's writeup.
12
Developer machines and the supply-chain security risk
This GitGuardian-sponsored analysis makes explicit the architecture problem underlying the week's attacks: developer workstations routinely hold live registry credentials, cloud API keys, SSH keys, and .env files that are outside the enterprise security perimeter, rarely covered by the same endpoint detection tooling applied to production servers, and directly in the blast radius of any malicious install-time or IDE-level payload. The piece walks through how the gap between enterprise security investment in CI/CD infrastructure and the actual security posture of developer endpoints creates a structural attack surface that supply-chain actors now deliberately target. Practical recommendations center on short-lived credential issuance, endpoint detection coverage parity with production, and limiting what secrets live on developer machines at rest.
13
400+ AUR packages hijacked: what the “Atomic Arch” campaign means for supply-chain security
StepSecurity's analysis of the Atomic Arch campaign — in which more than 400 orphaned Arch User Repository packages were silently adopted and weaponized to drop a Rust credential stealer on build and developer hosts — draws the lesson that matters most for platform teams: ownership-hijacking of abandoned packages is harder to detect than typosquatting because no new names are registered and no alerting triggers. The payload targets SSH keys, GitHub and npm tokens, Vault credentials, and Docker creds — exactly the secrets that live on developer machines running builds. StepSecurity frames the countermeasures around CI-runner hardening and network-level egress control on build hosts, rather than scanning the package name. If your developers build AUR packages on machines that also hold cloud tokens, this campaign is a direct threat to your supply chain trust model.
14
Two-thirds of open-source community unaware of the Cyber Resilience Act
An OpenSSF survey found that two-thirds of open-source maintainers and contributors are unaware of the EU Cyber Resilience Act, which will impose security and vulnerability-disclosure requirements on products with a digital element — including commercial software that ships with open-source components. The finding is operationally significant for DevSecOps teams in organizations selling into Europe: the CRA's SBOM, vulnerability reporting, and security-update obligations flow upstream to the open-source components in your stack, including maintainers who may not know requirements exist. The compliance gap is not just a legal risk but a supply-chain risk — a component whose maintainer is unaware of CRA obligations is unlikely to have the vulnerability disclosure and patching discipline the regulation expects.
15
Kubernetes in the Age of AI
O'Reilly's analysis of how AI workloads are reshaping Kubernetes security and operations is a timely read for DevSecOps teams watching agentic CI/CD tooling arrive in clusters that were designed around stateless web services. The piece covers the security posture implications of running persistent AI inference workloads, the model-serving attack surface that differs from traditional web-application threats, the resource and network policy challenges of GPU node pools, and the governance gap that emerges when AI agent frameworks land in Kubernetes before platform teams have defined the trust boundaries for what those agents can reach and execute. Foundational context for teams planning cluster security policy for AI-era workloads rather than retrofitting it after the first incident.
On our watch list
- Transitive-dependency hijacking as a stealthy supply-chain vector. The Mastra/easy-day-js campaign demonstrates that compromising a single transitive dependency propagates malicious payloads to hundreds of downstream packages without triggering name-similarity or typosquatting detection. Watching whether npm, PyPI, and other registries build ownership-change monitoring and transitive-dependency integrity verification into their automated scanning pipelines.
- AI coding agents as injection sinks inside the SDLC. Agentjacking, the Mastra targeting of developer machines running AI tooling, and the AI-tool-triggered worm variants all point the same direction: external data flowing into an agent's MCP context is now an injection surface. Watching for emerging tooling and standards that treat agent data-source feeds as untrusted input requiring sandboxing, prompt-injection mitigations, and action-confirmation guardrails.
- IDE extension supply chains as the next registry-grade attack surface. The JetBrains AI-key-stealing plugins signal that attackers are treating plugin marketplaces with the same seriousness they apply to npm and PyPI. Watching whether JetBrains, VS Code, and other IDE marketplaces accelerate their automated malware-scanning maturity to match what the language registries have built since 2023.
- CRA compliance gap in the open-source component supply chain. With two-thirds of open-source maintainers unaware of EU Cyber Resilience Act obligations, organizations selling into Europe face an upstream compliance risk embedded in components they ship. Watching for tooling that helps map CRA exposure across SBOM-declared dependencies and surfaces maintainer compliance posture alongside vulnerability data.