Over 140 Mastra npm packages were compromised in a supply chain attack using a former contributor's hijacked credentials to distribute an info-stealing payload.
On June 17, 2026, over 140 npm packages under the `@mastra` scope (including the core framework `@mastra/core`) were compromised in a supply chain attack. The attacker hijacked a dormant npm account of a former Mastra contributor ('ehindero') that still retained scope access. Using these credentials, the attacker published malicious package versions that introduced `easy-day-js`—a typosquatted dependency masquerading as the popular `dayjs` date utility. When installed, `easy-day-js` acts as a dropper, disabling TLS validation and fetching a second-stage info-stealer payload designed to harvest browser history, credentials, and cryptocurrency wallet extensions before attempting to delete itself to hide its tracks.
This incident highlights the lingering risks of identity-based supply chain vulnerabilities and the severe consequences of failing to revoke access for inactive contributors.
* Access Control Failure: The compromise succeeded due to poor lifecycle management of developer permissions. Retaining write access for former contributors is an open invitation for credential hijacking.
* Indirect Poisoning / Stealth Tactics: By introducing the malicious payload via a typosquatted dependency (`easy-day-js`) rather than through direct code changes in the main packages, the attacker evaded security tools that only inspect primary package code.
* Transient Dropper Design: The malicious dependency's behavior of fetching a second-stage payload and then attempting self-deletion shows increasing sophistication in npm malware seeking to evade static analysis and registry audits.
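One practical check a defender can run against the poisoning described above is a lockfile scan that flags the typosquatted name wherever it appears in the dependency graph and reports which package pulls it in. The script below is an added example, not code from the advisory or the Mastra project; the package names come from the advisory, while the embedded lockfile, its versions and the `hasInstallScript` flag are constructed sample data.

```javascript
// Added example: scan an npm package-lock.json (lockfileVersion 2/3 "packages"
// map) for the typosquatted dependency named in the advisory. Not project code.
const SUSPECT_NAMES = new Set(["easy-day-js"]); // typosquat of the real "dayjs"

// Lockfile keys are install paths; keep only the last package name segment,
// e.g. "node_modules/@mastra/core/node_modules/easy-day-js" -> "easy-day-js".
function nameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns one finding per suspect package entry and one per package that
// declares a suspect dependency (including the root project, keyed as "").
function findSuspiciousDeps(lockfile) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    const name = lockPath === "" ? "(root project)" : nameFromPath(lockPath);
    if (SUSPECT_NAMES.has(name)) {
      findings.push({ kind: "suspect-package", name, version: entry.version,
                      hasInstallScript: Boolean(entry.hasInstallScript) });
    }
    for (const [dep, spec] of Object.entries(entry.dependencies || {})) {
      if (SUSPECT_NAMES.has(dep)) {
        findings.push({ kind: "suspect-dependency", parent: name, dependency: dep, spec });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile: versions are placeholders, not real releases.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@mastra/core": "0.0.0-constructed", dayjs: "1.0.0-constructed" } },
    "node_modules/@mastra/core": { version: "0.0.0-constructed",
                                   dependencies: { "easy-day-js": "^0.0.0-constructed" } },
    "node_modules/easy-day-js": { version: "0.0.0-constructed", hasInstallScript: true },
    "node_modules/dayjs": { version: "1.0.0-constructed" }, // legitimate, must not be flagged
  },
};

// Usage: node scan.js [path/to/package-lock.json]; with no path, scans the sample.
const target = process.argv[2];
const lockfile = target ? JSON.parse(require("fs").readFileSync(target, "utf8")) : SAMPLE_LOCKFILE;
for (const f of findSuspiciousDeps(lockfile)) console.log(JSON.stringify(f));
```

An entry flagged with `hasInstallScript: true` deserves immediate attention, since a dropper of the kind described above runs during installation rather than when the package is imported.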
Discovered: 2026-06-17
Published: 2026-06-17
Author: AikidoSecurity