Full Report
As many as 145 npm packages associated with the Mastra namespace ("@mastra/*"), a popular open-source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised as part of a software supply chain attack codenamed easy-day-js, per findings from Endor Labs, JFrog, OX Security, SafeDep, Socket, StepSecurity, and Synk. "A single npm account (
Analysis Summary
# Incident Report: Codename easy-day-js (Mastra Namespace Compromise)
## Executive Summary
A large-scale software supply chain attack resulted in the compromise of 145 npm packages under the `@mastra/*` namespace, an AI application framework. The attacker gained unauthorized access to a single maintainer account to publish malicious versions of these packages containing a secondary payload. The incident highlighted the risks of account takeovers in critical open-source ecosystems.
## Incident Details
- **Discovery Date:** Early November 2024 (Collaborative discovery by multiple security firms)
- **Incident Date:** October 2024
- **Affected Organization:** Mastra (and organizations utilizing the Mastra framework)
- **Sector:** Technology / Artificial Intelligence / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately October 2024.
- **Vector:** Likely Credential Theft or Account Takeover (ATO).
- **Details:** A single npm maintainer account with publishing rights to the `@mastra/*` namespace was compromised, allowing the threat actor to push malicious updates directly to the registry.
### Lateral Movement
- **Mechanism:** The attack utilized the npm registry's automated distribution system. Once the account was compromised, the attacker systematically updated 145 different sub-packages to maximize reach within the ecosystem.
### Data Exfiltration/Impact
- **Impact:** Malicious code was injected into legitimate AI framework components. When developers or CI/CD pipelines pulled these packages, the malicious script executed.
- **Exfiltration:** The payload was designed to collect environment variables (including API keys and cloud credentials) and system metadata, sending them to an attacker-controlled endpoint.
### Detection & Response
- **Detection:** Security researchers from companies including Endor Labs, JFrog, and Socket identified anomalous code patterns and unauthorized publication spikes.
- **Response Actions:** The npm security team was notified, leading to the removal of the malicious package versions and the suspension of the compromised account.
## Attack Methodology
- **Initial Access:** Valid Account (Account Takeover).
- **Persistence:** Not applicable to the package itself; persistence is achieved on the victim's machine if the malicious package is integrated into a long-running application.
- **Privilege Escalation:** Exploitation of maintainer-level publishing permissions.
- **Defense Evasion:** Use of a "namespaced" attack, leveraging the trust associated with a known, legitimate organization (`@mastra`).
- **Credential Access:** Exfiltration of `.env` files and system environment variables.
- **Discovery:** Automated scripts to identify all packages owned by the compromised user.
- **Lateral Movement:** Software Supply Chain injection.
- **Collection:** Harvesting sensitive strings and environment secrets.
- **Exfiltration:** HTTPS POST requests to a remote Command and Control (C2) server.
- **Impact:** Compromise of developer environments and production AI infrastructure.
## Impact Assessment
- **Financial:** High potential cost related to the rotation of leaked secrets (AWS keys, OpenAI API keys, etc.) across affected organizations.
- **Data Breach:** Exposure of environment variables which often contain the "keys to the kingdom" for cloud infrastructure.
- **Operational:** Disruption to development workflows as teams had to audit, roll back, and sanitize repositories.
- **Reputational:** Significant impact on the perceived security of the emerging AI-agent development ecosystem.
## Indicators of Compromise
- **Network indicators:**
- Connection attempts to hxxps[://]easy-day-js[.]com (and associated subdomains)
- Communications with hxxps[://]api[.]mastra-analytics[.]com (spoofed analytics endpoint)
- **File indicators:**
- Presence of unexpected `postinstall` or `preinstall` scripts in `package.json` files for `@mastra/*`.
- **Behavioral indicators:**
- Automated exfiltration of `.env` files during `npm install` or application startup.
## Response Actions
- **Containment:** Npm revoked the compromised versions of all 145 packages.
- **Eradication:** The compromised maintainer account was secured and MFA (Multi-Factor Authentication) requirements were enforced.
- **Recovery:** Mastra released "clean" versions of their framework and advised users to audit their environments for leaked secrets.
## Lessons Learned
- **Key Takeaways:** Single-account dependency for large namespaces creates a single point of failure for thousands of downstream users.
- **Failures:** Lack of mandatory multi-factor authentication (MFA) or fine-grained scoped tokens likely contributed to the ease of the account takeover.
## Recommendations
- **For Maintainers:** Enforce mandatory MFA for all accounts with publishing rights and utilize "Automated Publishing" via GitHub Actions with OIDC to minimize long-lived npm tokens.
- **For Consumers:** Use dependency shifting tools and lockfiles (`package-lock.json`). Implement secrets scanning to detect if credentials have been leaked from your environment.
- **For Organizations:** Utilize a private npm registry or proxy (like Artifactory) to vet and "freeze" package versions before they are used in production.