north korea's sapphire sleet group compromised 144 npm packages targeting the mastra ai framework in an 88-minute window, potentially exposing cloud credentials, llm api keys, and cryptocurrency wallets to any developer who ran npm install during that period. microsoft attributed the operation with high confidence. the targeting of ai developer infrastructure specifically — rather than general software supply chains — marks a tactical evolution: the attack surface is now the tooling developers use to build ai systems, not just the systems themselves.