SECURITYINTEL DAILY BRIEF ■ ThreatIntel Brief
Sunday, June 21, 2026
INTEL CONFIDENCE 64% | THREAT LEVEL CRITICAL

THREAT OF THE DAY: Sapphire Sleet Compromises Mastra AI Supply Chain | CRITICAL

5 C2 IPs | 0 OTX IOCs | 4 ARTICLES

■ ANALYST TLDR
Today's threat landscape is highlighted by a sophisticated supply chain attack attributed to the North Korean state-sponsored group Sapphire Sleet, which compromised over 140 npm packages associated with Mastra AI. Additionally, active exploitation of CVE-2026-4020 in the Gravity SMTP WordPress plugin is allowing threat actors to expose and harvest sensitive API keys. On the malware front, a novel ransomware strain named Prinz Eugen has emerged, featuring an unusual encryption routine that prioritizes recently modified files while omitting a traditional ransom note.
■ CRITICAL STORIES
Microsoft links Mastra AI supply chain attack to North Korean hackers
North Korean state-sponsored threat group Sapphire Sleet (BlueNoroff) compromised over 140 npm packages linked to Mastra AI, demonstrating a highly targeted and dangerous software supply chain operation.

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
Threat actors are actively exploiting CVE-2026-4020, a medium-severity vulnerability in the Gravity SMTP WordPress plugin, to extract sensitive API keys and compromise connected mail services.

New Prinz Eugen ransomware prioritizes recent files for encryption
A new ransomware variant named Prinz Eugen has been identified targeting recently modified files for encryption and failing to leave a ransom note, indicating potential wiper-like behavior or custom operational logic.
■ CVEs IDENTIFIED
CVE-2026-4020 | Gravity Forms - Gravity SMTP | Information disclosure exposing sensitive API keys
[CVE-TBD] | Mastra AI - npm packages | Supply chain compromise leading to malicious code execution
[CVE-TBD] | Prinz Eugen - Ransomware | Unauthorized file encryption and potential data loss
■ THREAT ACTORS
Sapphire Sleet (BlueNoroff) | State-sponsored (North Korea)
Conducted a supply chain attack compromising over 140 npm packages associated with Mastra AI.

Prinz Eugen Operators | Cybercrime
Deploying a new ransomware variant that prioritizes recent files and omits ransom notes.
■ ATT&CK TTPs
T1195.002 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | Sapphire Sleet compromised over 140 npm packages associated with Mastra AI.
T1190 | Exploit Public-Facing Application | Threat actors are actively exploiting CVE-2026-4020 in the Gravity SMTP WordPress plugin.
T1552 | Unsecured Credentials | Exploitation of CVE-2026-4020 allows attackers to extract sensitive API keys.
T1486 | Data Encrypted for Impact | Prinz Eugen ransomware encrypts files on victim systems, prioritizing recently modified data.
■ PATCH PRIORITY
Mastra AI npm packages | Supply chain compromise of over 140 packages by North Korean state actors (Sapphire Sleet) | Source: BC
Gravity Forms Gravity SMTP | Active exploitation of CVE-2026-4020 allows exposure of sensitive API keys | Source: THN
■ RECOMMENDED ACTIONS TODAY
1. [P1] Audit all Node.js development environments and production environments for dependencies on Mastra AI npm packages, and immediately remove or roll back any compromised packages identified in the Sapphire Sleet supply chain attack.
2. [P1] Update the Gravity SMTP WordPress plugin to the latest patched version immediately to mitigate CVE-2026-4020 and prevent the exposure of API keys.
3. [P2] Rotate all API keys and credentials managed by or stored within the Gravity SMTP plugin if CVE-2026-4020 exploitation is suspected.
4. [P2] Implement real-time file integrity monitoring (FIM) and behavior-based endpoint detection to identify rapid encryption patterns associated with Prinz Eugen ransomware.
■ C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
IP ADDRESS | PORT | STATUS | MALWARE | COUNTRY
162.243.103.246 | 8080 | OFFLINE | Emotet | US
50.16.16.211 | 443 | ONLINE | QakBot | US
34.204.119.63 | 443 | OFFLINE | QakBot | US
178.62.3.223 | 443 | OFFLINE | QakBot | GB
27.133.154.218 | 443 | OFFLINE | QakBot | JP
■ FULL IOC EXPORT (GOOGLE SHEET)
All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs. Updated daily. Export as CSV to import directly into your tools.

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS SOURCES: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB