Mastra npm Packages Compromised in Supply Chain Attack

In a significant software supply chain attack, 144 npm packages under the Mastra namespace (@mastra/*) have been compromised. Mastra is a widely used open-source framework for developing artificial intelligence applications. The breach, tracked under the name ‘easy-day-js,’ was uncovered by multiple cybersecurity firms.

The attack involved the mass publication of over 140 malicious package versions by a single npm account, ‘ehindero,’ within a short timeframe on June 17, 2026. Notably, the compromised packages themselves did not contain harmful code. Instead, the threat was introduced through a third-party library named ‘easy-day-js,’ which was added as a dependency to each package during an automated publishing campaign lasting 88 minutes.

Further analysis revealed that ‘easy-day-js’ is a clone of the legitimate ‘dayjs’ date library. Initially published as a clean version on June 16, 2026, the library was altered the following day to include a cryptocurrency-stealing remote access trojan. This malicious code executes during the post-installation process, acting as a loader for a second-stage payload retrieved from attacker-controlled infrastructure. The final payload is a cross-platform information stealer capable of harvesting browser history and data from over 160 cryptocurrency wallet browser extensions, and of establishing persistence on Windows, macOS, and Linux systems. The stolen information is then exfiltrated to a command-and-control server.

The attackers reportedly hijacked the ‘ehindero’ account, which belonged to a legitimate former Mastra contributor whose publishing access had not been revoked. In response, npm has removed the malicious versions from the most prominent packages and reverted their latest tags. Security experts recommend that any environment that installed the affected versions be treated as potentially compromised. Users are advised to revert to safe versions, rotate credentials, and conduct thorough audits for any artifacts related to the attack.

This incident underscores the critical importance of stringent access controls and regular audits in open-source projects. The Mastra framework’s intersection with AI development and cloud infrastructure makes it a high-value target, highlighting the need for enhanced security measures to protect against such sophisticated supply chain attacks.