VYPR
Breach · Published Jun 17, 2026 · 2 sources

144 Mastra npm Packages Compromised in 'easy-day-js' Supply Chain Attack

Attackers hijacked a former contributor's npm account to publish malicious versions of 144 @mastra/* packages, deploying a cryptocurrency-stealing infostealer via a cloned dayjs library.

As many as 144 npm packages in the @mastra/* namespace, part of the popular Mastra AI framework for building JavaScript and TypeScript AI applications, were compromised in a supply chain attack dubbed easy-day-js. Researchers from JFrog, SafeDep, Socket, and StepSecurity identified the incident, which exploited a single contributor account (ehindero) whose scope access was never revoked after the contributor left the project. The attacker mass-published malicious versions of the packages within a short window on June 17, 2026, targeting developers who rely on Mastra for AI application development.

The infected packages themselves do not contain malicious code directly. Instead, the attack introduces a third-party library named "easy-day-js" as a dependency. This library, published by npm user "sergey2016" on June 16, 2026, initially appeared as a clean copy of the legitimate dayjs date library. The malicious changes were introduced on June 17, 2026, at 1:01 a.m. UTC, turning the library into a dropper for a second-stage payload.

During installation, the easy-day-js package executes an obfuscated payload via a postinstall hook. This payload acts as a loader, retrieving a second-stage payload from attacker-controlled infrastructure at IP address 23.254.164[.]92 after disabling TLS certificate validation. The loader then executes the payload as a detached background process and erases itself to minimize forensic evidence.

The final stage is a cross-platform information stealer capable of harvesting browser history, stealing data from over 160 cryptocurrency wallet browser extensions, and establishing persistence across Windows, macOS, and Linux. Captured information is exfiltrated to a command-and-control server at 23.254.164[.]123. SafeDep described the attack as a clone of the dayjs library that downloads and runs a cryptocurrency-stealing remote access trojan.

The attack exploited a critical oversight in Mastra's npm publishing workflow. While Mastra ships its real releases from CI through npm's trusted publisher flow with SLSA provenance attestations, the attacker pushed malicious versions using a personal token that lacked provenance. As SafeDep noted, "Mastra generated provenance on CI publishes but did not require it, so a standard npm token could still publish without attestations." A signature-verifying install (npm audit signatures or a policy requiring attestations) would have rejected every malicious package.

The affected packages include @mastra/core, which receives more than 918,000 weekly npm downloads, giving the campaign a large potential blast radius. Because the payload executes during installation, systems may be exposed before developers import or use the package. npm has since pulled the malicious versions from the highest-profile packages and reverted their latest tag.

Any workstation, CI runner, or build environment that installed the affected versions should be treated as potentially compromised. Users are advised to roll back to a safe version, rotate any credentials exposed during the incident, and audit hosts for artifacts linked to the campaign. The incident underscores the ongoing risk of supply chain attacks targeting the npm ecosystem, particularly through hijacked contributor accounts with lingering access permissions.

Microsoft and Socket jointly disclosed full technical details of the attack chain on June 17, revealing that the compromised @mastra/core package (over 918,000 weekly downloads) injected a typosquatted 'easy-day-js' dependency containing a multi-stage infostealer. The implant targets 166 cryptocurrency wallet extensions, browser history, and credentials, establishing persistence via Registry keys, LaunchAgents, and systemd units disguised as legitimate Node.js tooling. Developers are advised to treat any system that ran npm install on affected versions as fully compromised and to immediately rotate all credentials, including npm tokens, GitHub tokens, and CI/CD secrets.

Synthesized by Vypr AI