Answer Brief
A coordinated supply chain attack compromised 144 Mastra npm packages by hijacking a former contributor's account to inject a malicious dependency that steals cryptocurrency and establishes persistence, posing significant risks to AI development workflows and cloud infrastructure environments globally.
Signal Timeline
A quick visual path for analysts before reading the full brief.
1. Clean version of easy-day-js published by npm user sergey2016
2. Malicious changes introduced to easy-day-js
3. Attack discovered and reported by The Hacker News
4. Malicious packages mass-published via hijacked ehindero account in 88-minute window
Why It Matters
The compromise of 144 Mastra npm packages via the hijacked 'ehindero' account represents a sophisticated software supply chain attack that specifically targets the intersection of AI development and cloud infrastructure security. The attack's methodology—using a legitimate contributor account to mass-publish malicious dependency updates—exploits inherent trust in open-source maintainership and automated publishing workflows, bypassing conventional code review processes. Technical analysis from multiple security firms reveals a carefully staged infection chain: the easy-day-js package was first published as a clean replica of the popular dayjs library on June 16, 2026, establishing legitimacy before malicious functionality was added approximately 18 hours later. This temporal gap suggests deliberate preparation to avoid immediate detection while maximizing the window of opportunity for the subsequent automated publishing campaign.

The attack's significance is amplified by Mastra's positioning as a framework for building AI applications. As noted by StepSecurity, Mastra packages are routinely installed in environments that hold some of the most sensitive credentials in modern software development, including access to cloud APIs, model training data, model weights, and deployment pipelines. This makes the ecosystem not merely a target for financial gain through cryptocurrency theft, but a potential vector for compromising AI workflows, stealing intellectual property, or gaining persistent access to systems involved in model development and serving. The widespread adoption of @mastra/core—with over 918K weekly npm downloads—further extends the potential impact across enterprise AI teams, research institutions, and individual developers working on AI-integrated applications.

From a technical perspective, the malware employs multiple evasion and persistence techniques characteristic of advanced supply chain threats. The initial payload disables TLS certificate validation to fetch a second-stage executable from attacker-controlled infrastructure (23.254.164[.]92), which then runs as a detached background process. The loader subsequently deletes itself to minimize forensic artifacts, while the second-stage payload establishes cross-platform persistence, harvests data from over 160 cryptocurrency wallet browser extensions, and maintains communication with a C2 server (23.254.164[.]123) for command execution and module downloads. This multi-stage design ensures that even if the initial npm package is removed post-installation, the malicious process may continue operating and have already established footholds on affected systems.

The incident also exposes critical limitations in npm's default security model. Although Mastra implements SLSA provenance attestations for its official CI publishes, these are not enforced by default during installation, allowing attackers to publish malicious versions using standard npm tokens without triggering rejection. As SafeDep observed, implementing policies that require signature verification or provenance attestation would have blocked the entire campaign. This highlights a broader need for organizations using AI development tools to implement dependency integrity checks that go beyond vulnerability scanning, particularly for packages used in privileged environments or those interacting with sensitive data and infrastructure.

Operationally, this event underscores several actionable insights for security teams. First, the 88-minute window of mass publishing indicates a highly automated and pre-staged campaign, suggesting attackers had prepared the malicious packages in advance and waited for the optimal moment to execute. Teams should monitor for anomalous publishing patterns in dependencies, especially sudden bursts of updates from accounts with infrequent activity. Second, the hijacking of a former contributor's account emphasizes the importance of regular access reviews and timely revocation of permissions for inactive maintainers. Third, the use of a postinstall hook for initial execution means compromise occurs before any code is imported or used, rendering traditional runtime protections ineffective—shifting focus to pre-installation dependency validation and build environment hardening. Finally, given Mastra's role in AI development, organizations should assess whether their AI/ML pipelines, model repositories, or infrastructure-as-code tools depend on affected packages and implement enhanced monitoring for signs of credential theft or unauthorized access in those environments.
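The first operational insight above recommends watching for sudden publishing bursts from low-activity accounts. The following Node.js script is an added example of that detection logic; it is not code from the brief or from any of the security firms cited. It assumes a feed of publish events (package, version, publisher, timestamp) such as one could assemble from registry metadata; the events below are constructed placeholders (the `@example-scope` names and the `dormant-account` publisher are made up), and the default 90-minute window and threshold of 10 are illustrative values, not ones stated by the brief.

```javascript
// Added example: sliding-window detector for maintainer publishing bursts.
// Input records are CONSTRUCTED for illustration; package names, versions and
// the publisher account below are placeholders, not real registry data.

const EXAMPLE_PUBLISHES = [
  // A normally quiet account pushing twelve scoped packages seven minutes apart.
  ...Array.from({ length: 12 }, (_, i) => ({
    pkg: `@example-scope/pkg-${i}`,            // placeholder package name
    version: '0.0.0-placeholder',
    publisher: 'dormant-account',              // placeholder account name
    time: new Date(Date.UTC(2026, 5, 17, 10, i * 7)).toISOString(),
  })),
  // A regular release cadence from an automated release account (placeholder).
  { pkg: '@example-scope/core', version: '1.0.0-placeholder', publisher: 'release-bot', time: '2026-06-01T09:00:00Z' },
  { pkg: '@example-scope/core', version: '1.0.1-placeholder', publisher: 'release-bot', time: '2026-06-10T09:00:00Z' },
  { pkg: '@example-scope/core', version: '1.0.2-placeholder', publisher: 'release-bot', time: '2026-06-17T09:00:00Z' },
];

/**
 * Returns one finding per publisher whose number of publishes inside any
 * window of `windowMinutes` reaches `threshold`. The finding reports the
 * densest window seen for that publisher and how many distinct packages it
 * touched, which is what distinguishes a mass-publish from a busy single
 * package release.
 */
function detectPublishBursts(publishes, { windowMinutes = 90, threshold = 10 } = {}) {
  const windowMs = windowMinutes * 60 * 1000;

  // Group events by publisher and attach a numeric timestamp.
  const byPublisher = new Map();
  for (const p of publishes) {
    if (!byPublisher.has(p.publisher)) byPublisher.set(p.publisher, []);
    byPublisher.get(p.publisher).push({ ...p, ts: Date.parse(p.time) });
  }

  const findings = [];
  for (const [publisher, events] of byPublisher) {
    events.sort((a, b) => a.ts - b.ts);
    let start = 0;
    let best = null;
    for (let end = 0; end < events.length; end++) {
      // Advance the window start until the window spans at most windowMs.
      while (events[end].ts - events[start].ts > windowMs) start++;
      const count = end - start + 1;
      if (count >= threshold && (!best || count > best.count)) {
        const slice = events.slice(start, end + 1);
        best = {
          count,
          from: events[start].time,
          to: events[end].time,
          packages: new Set(slice.map((e) => e.pkg)).size,
        };
      }
    }
    if (best) findings.push({ publisher, ...best });
  }
  return findings;
}

// Stand-alone run: print any burst found in the constructed sample.
for (const f of detectPublishBursts(EXAMPLE_PUBLISHES)) {
  console.log(
    `ALERT: ${f.publisher} published ${f.count} versions across ${f.packages} packages between ${f.from} and ${f.to}`,
  );
}
```

In practice the event feed would be fed from whatever registry or internal mirror metadata a team already collects, and the threshold tuned per account history, since a release bot that legitimately cuts a monorepo of many packages at once will also trip a naive count unless its baseline is known.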
Event Type: security
Importance: high
Affected Companies
- Endor Labs
- JFrog
- Mastra
- SafeDep
- Socket
- StepSecurity
- npm
Affected Sectors
- AI infrastructure
- cybersecurity
- open source
- software development
Key Numbers
- Number of compromised Mastra npm packages: 144
- Weekly downloads of @mastra/core: 918K
- Duration of automated publishing campaign: 88 minutes
- Time between clean and malicious version of easy-day-js: 18 hours
Frequently Asked Questions
What is the easy-day-js package and how was it used in the attack?
The easy-day-js package is a malicious clone of the legitimate dayjs library that was published as a clean version on June 16, 2026, then altered on June 17, 2026, to include a cryptocurrency-stealing trojan. It was injected as a dependency into 144 Mastra npm packages via automated publishing, executing during installation through a postinstall hook.
How did attackers compromise the Mastra npm packages?
Attackers hijacked the npm account 'ehindero', a legitimate former Mastra contributor whose access was not revoked, and used it to mass-publish malicious versions of over 140 packages in the @mastra/* scope within an 88-minute window on June 17, 2026.
What does the malware do once installed?
The malware acts as a dropper that disables TLS validation, downloads a second-stage payload from attacker-controlled infrastructure, executes it as a detached background process, installs persistence across Windows, macOS, and Linux, steals browser data and credentials from over 160 cryptocurrency wallet extensions, and exfiltrates data to a C2 server while allowing remote command execution.
Why are Mastra packages particularly high-value targets in supply chain attacks?
Mastra is a framework for building AI applications and is routinely installed in environments holding sensitive development credentials. Its packages are frequently used in CI/CD pipelines and cloud infrastructure, making them attractive targets for attackers seeking broad access to privileged systems.
What mitigation steps are recommended for affected systems?
Organizations should roll back to safe versions of affected Mastra packages, rotate all credentials used in environments where the packages were installed, audit systems for artifacts linked to the campaign, and enforce signature-verifying installs (e.g., npm audit signatures or policies requiring SLSA provenance) to prevent future compromise.
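The audit step in this answer, together with the earlier note that the campaign rode a postinstall hook, can be turned into a concrete lockfile check. The script below is an added example, not tooling from Mastra, npm or any firm named in the brief. It reads the `packages` map of an npm lockfile (lockfile version 2 or 3) and flags the `easy-day-js` dependency named in the brief, any package that npm recorded as having install scripts (the `hasInstallScript` field npm writes for packages declaring install-time scripts), and any `@mastra/*` package that depends on the bad package. The embedded lockfile is constructed; every version string and tarball URL in it is a placeholder, since the brief does not list affected version numbers.

```javascript
// Added example: audit a package-lock.json for the dependency named in the
// brief, for install-time scripts, and for @mastra/* packages pulling it in.
// The lockfile below is CONSTRUCTED; versions and URLs are placeholders.

const CONSTRUCTED_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'example-app',
      dependencies: { '@mastra/core': '0.0.0-placeholder', dayjs: '1.0.0-placeholder' },
    },
    'node_modules/@mastra/core': {
      version: '0.0.0-placeholder',
      resolved: 'https://registry.npmjs.org/@mastra/core/-/core-0.0.0-placeholder.tgz',
      dependencies: { 'easy-day-js': '0.0.0-placeholder' },
    },
    'node_modules/easy-day-js': {
      version: '0.0.0-placeholder',
      resolved: 'https://registry.npmjs.org/easy-day-js/-/easy-day-js-0.0.0-placeholder.tgz',
      hasInstallScript: true, // npm records this when a package declares install scripts
    },
    'node_modules/dayjs': {
      version: '1.0.0-placeholder',
      resolved: 'https://registry.npmjs.org/dayjs/-/dayjs-1.0.0-placeholder.tgz',
    },
  },
};

const BAD_PACKAGES = new Set(['easy-day-js']); // dependency named in the brief
const WATCHED_SCOPE = '@mastra/';              // scope named in the brief

// "node_modules/a/node_modules/@s/b" -> "@s/b"; nested installs keep the
// innermost segment, which is the package's real name.
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

/**
 * Walks every installed package in the lockfile and returns findings:
 *  - critical: the package itself is a known-bad dependency
 *  - critical: a watched-scope package depends on a known-bad dependency
 *  - warning:  the package runs install-time scripts (the execution vector
 *              the brief describes), worth reviewing even when unrelated
 */
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not an installed package
    const name = packageNameFromPath(path);

    if (BAD_PACKAGES.has(name)) {
      findings.push({ severity: 'critical', path, reason: `known malicious dependency ${name}@${entry.version}` });
    }
    if (entry.hasInstallScript) {
      findings.push({ severity: 'warning', path, reason: `${name} runs install-time scripts` });
    }

    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const dep of Object.keys(deps)) {
      if (name.startsWith(WATCHED_SCOPE) && BAD_PACKAGES.has(dep)) {
        findings.push({ severity: 'critical', path, reason: `${name}@${entry.version} depends on ${dep}` });
      }
    }
  }
  return findings;
}

// Stand-alone run over the constructed lockfile.
for (const f of auditLockfile(CONSTRUCTED_LOCKFILE)) {
  console.log(`[${f.severity}] ${f.path}: ${f.reason}`);
}
```

To run this against a real project, replace `CONSTRUCTED_LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. A hit on the critical rules is the trigger for the rollback and credential rotation the answer describes; the warning rule is noisier, because many legitimate packages declare install scripts, but it is the list a team should be reviewing before enabling `--ignore-scripts`-free installs in privileged CI environments.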