145 Mastra npm Packages Compromised via Hijacked Contributor Account

As many as 145 npm packages associated with the Mastra namespace ("@mastra/*"), a popular open-source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised as part of a software supply chain attack codenamed easy-day-js, per findings from Endor Labs, JFrog, OX Security, SafeDep, Socket, StepSecurity, and Snyk.

"A single npm account (ehindero) mass-published more than 140 malicious packages across the Mastra scope within a short window on 2026-06-17," Socket said.

The infected packages themselves do not contain malicious code. Instead, the malicious code is introduced through a third-party library named "easy-day-js" that was added to each package's dependency list in what has been described as an automated publishing campaign spanning 88 minutes.

In its analysis, SafeDep described "easy-day-js" as a clone of the "dayjs" date library that downloads and runs a cryptocurrency-stealing remote access trojan. The JavaScript library was published by an npm user called "sergey2016" on June 16, 2026, at 7:05 a.m. UTC as a clean, fully functional copy, with the malicious changes introduced on June 17, 2026, at 1:01 a.m. UTC.

"Because Mastra sits at the intersection of AI development and cloud infrastructure, its packages are routinely installed in environments that hold some of the most sensitive credentials in modern software development," StepSecurity said. "This makes the Mastra ecosystem an exceptionally high-value target for supply chain attackers."

The "easy-day-js" package runs an obfuscated payload from a postinstall hook. That payload acts as a dropper or loader for a second-stage payload retrieved from attacker-controlled infrastructure ("23.254.164[.]92") after disabling TLS certificate validation.

The payload is then executed as a detached background process, following which the loader takes steps to erase itself to minimize the forensic trail.

The final stage is a cross-platform information stealer that can harvest browser history and stored data from over 160 cryptocurrency wallet browser extensions, install persistence across Windows, macOS, and Linux, and exfiltrate the captured information to a command-and-control (C2) server ("23.254.164[.]123").

The malware is also capable of polling the C2 server to receive commands, including downloading a module from an attacker-supplied URL and executing it on Windows, Linux, and macOS systems.

"The malware combined familiar supply chain techniques with practical stealth: a clean decoy version, an obfuscated postinstall loader, runtime payload download, detached execution, self-deletion, Node-themed persistence, and a remote module system," JFrog said. 

"Even if the first-stage package is removed after installation, the second-stage process may continue running and may have already installed persistence. This campaign shows how a small dependency change can become an install-time compromise across a large package ecosystem."

The attackers behind the campaign are said to have hijacked the "ehindero" account, a legitimate former Mastra contributor whose scope access was never revoked. Npm has since pulled the malicious versions from the highest-profile packages and reverted their latest tag.

Image Source: StepSecurity

"Mastra ships its real releases from CI through npm's trusted publisher flow, and each one carries SLSA provenance attestations," SafeDep said. "The attacker pushed the malicious versions from a personal token and dropped the provenance."

"The same fingerprint repeats across the whole scope. Mastra generated provenance on CI publishes but did not require it, so a standard npm token could still publish without attestations. A signature-verifying install (npm audit signatures, or a policy that requires attestations) would have rejected every package in this wave."

Any workstation, CI runner, or build environment that installed the affected versions should be treated as potentially compromised. It's advised to roll back to a safe version, rotate any credentials, and audit the hosts for any artifacts linked to the campaign.

"The affected packages include @mastra/core, which receives more than 918K weekly npm downloads, giving this campaign a large potential blast radius," Socket said. "Because the payload executes during installation, systems may be exposed before developers import or use the package."

Update

In an incident report published in the wake of the supply chain attack, Mastra confirmed a malicious postinstall script designed to exfiltrate credentials and then delete itself was added to "specific versions of our packages."

"The incident is over – we have unpublished the relevant package versions," the maintainers said. "The root cause is that one of our maintainers was compromised. We have always required MFA [multi-factor authentication] on npm for maintainers, but we also allowed (mistakenly) token bypass. Around the same time, we removed token bypass across all packages."

Mastra also disclosed that the compromised maintainer is a current Mastra employee whose machine was compromised via a social engineering attack. "A compromised LinkedIn account reached out to him as well as maintainers of other prominent TypeScript open source packages," Mastra said. "He was on a call and clicked a suspicious link."

Interestingly, a similar modus operandi was observed in connection with the axios supply chain attack back in April 2026, raising the possibility that it could be the work of North Korean threat actors.

"The clean-then-armed dependency, the setup postinstall dropper, the TLS-bypass-to-raw-IP fetch, and the crypto-stealer payload closely mirror the Axios npm compromise [...], down to the install-time dropper that self-deletes," Snyk noted in its analysis of the campaign.

(The story was updated after publication to include additional details of the incident from Mastra.)