microsoft attributed a supply chain attack on mastra — an open-source typescript framework used to build ai agents — to sapphire sleet, a north korean state-sponsored group. during a 45-minute window on june 17, the attackers published malicious versions of over 140 npm packages. this is the first confirmed nation-state operation specifically targeting ai agent infrastructure at the package level, meaning the attack surface for autonomous ai systems is now being actively probed by state actors.