AI Security Wire

Mastra Supply Chain Attack Backdoors 144 AI Framework npm Packages

A supply chain attack discovered June 17, 2026 compromised 144 packages across the @mastra npm scope, injecting a dependency that installs a cryptocurrency-stealing remote access trojan. Mastra is an open-source JavaScript and TypeScript framework for building AI applications, with combined weekly downloads exceeding 1.1 million. The attack exploited a contributor account with stale publishing access to the package scope, executing an 88-minute automated republishing campaign in the early hours of June 17.

The Attack Chain

The intrusion relied on two elements: a dormant contributor account and a carefully staged typosquatted package.

The attacker obtained access to an npm contributor account called “ehindero,” which had publishing rights to the @mastra namespace but had been inactive. On June 16 at 7:05 AM UTC, they published easy-day-js to the npm registry — a functionally complete copy of the popular dayjs date library, clean and operational. The package sat unremarkably in the registry for roughly 18 hours.

At 1:01 AM UTC on June 17, the attacker pushed an update to easy-day-js that replaced the dayjs source with a malicious payload that downloads and executes a cross-platform RAT.

Then, between 1:12 AM and 2:39 AM UTC, the hijacked ehindero account ran an automated script that republished 144 packages in the @mastra scope, each patched to add easy-day-js as a new dependency. Any developer who ran npm install after that window and received the updated packages would pull in the malicious dependency.

The highest-impact package is @mastra/core, the framework’s primary library, with approximately 918,000 weekly downloads.

Payload Capabilities

Researchers from Orca Security and Snyk characterise the RAT as a credential-harvesting implant with broad reach. Unlike the JetBrains Marketplace campaign disclosed the same week — which narrowly targeted AI API keys through plugin settings UI — the Mastra payload operates from within the build or runtime environment, giving it access to environment variables, filesystem secrets, and the developer’s shell context.

The payload’s primary targets include cryptocurrency wallet seed phrases and private keys, npm access tokens, GitHub tokens, cloud provider credentials, LLM API keys across major providers, and CI/CD secrets accessible from the pipeline environment.

Snyk and Orca have noted tradecraft similarities to Sapphire Sleet (also known as BlueNoroff), a North Korean APT group known for targeting developers and cryptocurrency infrastructure through supply chain operations. Attribution remains unconfirmed.

What Happened After Discovery

The attack was identified by researchers monitoring npm for anomalous publishing activity. npm removed the compromised package versions and revoked the hijacked contributor account. The Mastra maintainers have published clean replacement versions across the affected scope and issued a security advisory.

The compromised packages are no longer available, but any installation that ran during the attack window may have received the backdoored versions. package-lock.json files generated during this period will contain easy-day-js as a transitive dependency — this is the primary indicator of exposure.

Immediate Response Checklist

For developers and teams using Mastra:

Check for exposure: Inspect package-lock.json files generated on June 17 between approximately 01:00–05:00 UTC for easy-day-js in the dependency tree. Any lockfile from this window containing that package should be treated as a compromised install.

Rotate credentials broadly: The RAT has access to anything visible from the build environment. Rotate npm tokens, GitHub tokens, cloud provider credentials, LLM API keys (OpenAI, Anthropic, DeepSeek, and any others configured in the environment), CI/CD secrets, and SSH keys. This is not a narrow API key exposure — treat the entire credential surface as potentially compromised.

Cryptocurrency wallets: If any machine or pipeline that ran the compromised install has access to cryptocurrency wallets, move funds immediately to a new wallet generated on a clean device.

Rebuild from clean state: For CI/CD pipelines that may have executed compromised installs, rebuild from clean base images and regenerate all secrets before resuming production deployments.

Update to clean package versions: Pin to the post-incident Mastra package versions now listed in the security advisory. Run npm audit and verify easy-day-js does not appear in your dependency tree.

The Pattern This Fits

This attack is the second significant developer tooling supply chain incident in a single week — following the disclosure of 15 malicious JetBrains Marketplace plugins targeting AI API keys. Both campaigns target developers building AI applications, exploiting the trust developers extend to registered packages and marketplace-listed plugins.

The Mastra attack is the more severe of the two. The JetBrains campaign captured credentials entered into a UI field. The Mastra campaign deployed a full RAT from within the development environment, with access to the complete credential surface of whatever machine or pipeline executed the install.

The persistence of stale contributor access on high-download npm scopes is a recurring vulnerability pattern. Organisations managing popular npm packages should audit contributor lists and revoke access for accounts that have not published within a defined window.

Frequently Asked Questions

How does the easy-day-js supply chain attack work?
The attacker hijacked a stale npm contributor account ('ehindero') that retained publishing access to the @mastra scope. In an 88-minute automated campaign on June 17, 2026, they republished 144 @mastra packages with a new dependency: 'easy-day-js', a convincing typosquat of the legitimate dayjs date library. The easy-day-js package itself was published clean on June 16, with the malicious payload added silently at 1:01 AM UTC on June 17. When developers ran npm install and got the updated packages, the dependency chain pulled in the RAT installer.
Am I affected if I use the Mastra framework?
If you ran npm install against any @mastra/* package between approximately 1:00 AM and 5:00 AM UTC on June 17, 2026, you may have received backdoored packages. Check your package-lock.json for 'easy-day-js' as a dependency. The compromised packages have since been removed and clean versions republished, but any system that ran install during the window should be treated as potentially compromised.
What credentials should I rotate after the Mastra attack?
Rotate everything accessible from the build environment: npm access tokens, GitHub personal access tokens, cloud provider credentials (AWS, GCP, Azure), LLM API keys (OpenAI, Anthropic, DeepSeek, etc.), CI/CD secrets, SSH keys, and database connection strings. If you store cryptocurrency wallets on the affected machine or accessed via the affected pipeline, move funds to a new wallet generated on a clean device. The payload is a RAT with broad credential-harvesting capability, not just a targeted API key exfiltrator.