IOC Radar
TLP:WHITE · 15 IOCs

From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet

Microsoft Threat Intelligence
Published June 18, 2026

Threat Actors: APT38, UNC1069

Malware Families: Cobalt Strike, PsExec

Diamond Model

- Adversary (2): APT38, UNC1069
- Infrastructure (5): 23.254.164.92, 23.254.164.123, https://teams.onwebli… (remaining entries not shown on the page)
- Capability (2): Cobalt Strike, PsExec
- Victim: unknown


Indicators of Compromise (15)


IOC Relationship Graph (15 total IOCs)

Node summary: SHA256 (7), URL (3), Email (2), IP (2), MD5 (1); 2 actors (APT38, UNC1069) and 2 malware families (Cobalt Strike, PsExec), all linked to this report.