Mastra npm Packages Compromised in 'easy-day-js' Supply Chain Attack
A widespread software supply chain attack, dubbed 'easy-day-js,' has targeted the **Mastra** npm namespace, compromising 144 packages. Researchers from **Endor Labs**, **JFrog**, **SafeDep**, **Socket**, and **StepSecurity** uncovered the sophisticated campaign, which leveraged a hijacked npm account to inject a cryptocurrency-stealing information stealer into the popular AI development framework's ecosystem.

Over 140 npm packages within the **Mastra** namespace, a leading open-source framework for AI applications, have been compromised in a software supply chain attack. The campaign, identified as **easy-day-js**, was first reported by security firms including **Endor Labs**, **JFrog**, **SafeDep**, **Socket**, and **StepSecurity**.
### Automated Publishing Campaign
According to **Socket**, a single npm account, `ehindero`, was used to mass-publish malicious versions across the **Mastra** scope on June 17, 2026, within an 88-minute window. These packages did not contain malicious code directly but introduced it through a new dependency: `easy-day-js`.
### The Malicious Dependency: easy-day-js
**SafeDep**'s analysis revealed that `easy-day-js` is a clone of the legitimate `dayjs` date library. The package was initially published as a clean version by npm user `sergey2016` on June 16, 2026; the malicious changes were introduced just hours later, on June 17, 2026.
**StepSecurity** highlighted the gravity of the target: "Because Mastra sits at the intersection of AI development and cloud infrastructure, its packages are routinely installed in environments that hold some of the most sensitive credentials in modern software development." This makes the **Mastra** ecosystem a highly attractive target for attackers.
### Multi-Stage Payload Execution
The `easy-day-js` package executes an obfuscated payload via a `postinstall` hook. This first-stage dropper retrieves a second-stage payload from attacker-controlled infrastructure (`23.254.164[.]92`), notably after disabling TLS certificate validation. The payload then runs as a detached background process and attempts to self-delete to hinder forensic analysis.
### Cross-Platform Information Stealer
The final payload is a sophisticated, cross-platform information stealer. It can harvest browser history, compromise data from over 160 cryptocurrency wallet browser extensions, establish persistence across Windows, macOS, and Linux systems, and exfiltrate stolen information to a command-and-control (C2) server (`23.254.164[.]123`). The malware can also receive and execute additional modules from the C2 server.
**JFrog** noted the malware's stealth: "The malware combined familiar supply chain techniques with practical stealth: a clean decoy version, an obfuscated postinstall loader, runtime payload download, detached execution, self-deletion, Node-themed persistence, and a remote module system." They also warned that even if the initial package is removed, the persistent second-stage process may continue running.
### Account Compromise and Mitigation
The attackers reportedly hijacked the `ehindero` account, which belonged to a former legitimate **Mastra** contributor whose publish access had not been revoked. **npm** has since removed the malicious versions of the affected packages and reverted their `latest` tags.

**SafeDep** also found that while **Mastra** typically uses **npm**'s trusted publisher flow with **SLSA** provenance attestations for its official releases, the attacker pushed the malicious versions using a personal token, bypassing these attestations. Had **Mastra** enforced a policy requiring attestations (e.g., via `npm audit signatures`), these unattested versions would have been rejected.
### Recommendations for IT Security Professionals
Any workstation, CI runner, or build environment that installed the compromised versions should be considered potentially compromised. It is strongly advised to:
* Roll back to a known safe version of the affected packages.
* Rotate any credentials that may have been exposed.
* Conduct a thorough audit of the hosts for any artifacts linked to the campaign.
**Socket** emphasized the potential blast radius, noting that `@mastra/core`, one of the affected packages, receives over 918K weekly downloads. Given that the payload executes during installation, systems can be exposed even before developers actively use or import the package.