Full Report
On 17 June 2026, attackers compromised a maintainer account associated with the Mastra npm organization and used it to republish 116 packages over a 27-minute period. Rather than modifying Mastra’s source code directly, the threat actor injected a malicious dependency, easy-da...
Analysis Summary
# Incident Report: Mastra Packages Trojanized via Malicious Dependency
## Executive Summary
On June 17, 2026, a maintainer account for the Mastra npm organization was compromised, leading to the injection of a malicious dependency into 116 packages. The attack leveraged a typosquatted package to deliver a cross-platform infostealer, potentially impacting hundreds of thousands of developers and CI/CD environments. The incident was mitigated through the removal of the malicious packages and revocation of compromised credentials.
## Incident Details
- **Discovery Date:** June 17, 2026
- **Incident Date:** June 17, 2026
- **Affected Organization:** Mastra (Open-source AI framework)
- **Sector:** Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** June 17, 2026 (Active for a 27-minute period)
- **Vector:** Credential Compromise / Supply Chain
- **Details:** Attackers gained unauthorized access to a Mastra npm maintainer account.
### Lateral Movement
- **Details:** The threat actor used the hijacked maintainer credentials to republish 116 legitimate packages within the Mastra organization. Instead of direct source code modification, they added a malicious dependency: `easy-day-js`.
### Data Exfiltration/Impact
- **Details:** The primary impact was the distribution of a cross-platform infostealer. The malware targeted browser data and credentials from over 160 cryptocurrency wallet extensions across Windows, macOS, and Linux systems.
### Detection & Response
- **How it was discovered:** Security monitoring of the npm registry and community reports (e.g., StepSecurity).
- **Response actions taken:** The malicious `easy-day-js` package and the trojanized Mastra versions were removed from the npm registry. Affected maintainer credentials were secured.
## Attack Methodology
- **Initial Access:** Compromised npm maintainer account.
- **Persistence:** The malware established persistence on infected host operating systems (Windows, macOS, Linux).
- **Defense Evasion:** Obfuscated `postinstall` hooks; disabled TLS certificate validation; execution as a detached background process; self-deletion of the initial loader.
- **Credential Access:** Harvesting browser data and cryptocurrency wallet extensions.
- **Discovery:** Typosquatting (impersonating the legitimate `dayjs` library).
- **Impact:** Supply chain compromise affecting developer workstations and CI/CD pipelines.
## Impact Assessment
- **Financial:** High potential loss for users of compromised cryptocurrency wallets.
- **Data Breach:** Theft of browser-stored credentials and digital assets.
- **Operational:** Disruption to build environments and CI/CD pipelines; requirement for widespread system audits.
- **Reputational:** Significant impact on the Mastra organization’s perceived security posture.
## Indicators of Compromise
- **Network indicators:** Connections to attacker-controlled C2 infrastructure (IPs/domains should be audited via security vendor feeds).
- **File indicators:** Presence of the `easy-day-js` package in `package.json` or `node_modules`.
- **Behavioral indicators:** `npm install` runs that spawn unexpected detached processes or outbound network connections; warnings that TLS certificate validation has been disabled.
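The file indicators above can be checked mechanically rather than by eye. The following Node script is an added example, not code from the incident report, from Mastra or from StepSecurity: it walks a `package-lock.json` (lockfileVersion 2 or 3, whose `packages` map is keyed by install path) for the indicator name `easy-day-js`, reports which package pulled it in, and separately lists every entry that declares an install script, since that hook is where the loader ran. The constant names, the sample lockfile and its versions are constructed for the demo and are not the trojanized Mastra versions.

```javascript
// Added example, not code from the incident report or from Mastra: scan an
// npm package-lock.json (lockfileVersion 2 or 3) for indicator package names
// and report which package pulled each one in, plus every entry that declares
// an install script (the hook the report says the malware abused).

// Indicator list from the report. The constant name is ours.
const IOC_PACKAGES = ["easy-day-js"];

// Constructed sample lockfile for the demo; versions are placeholders, not the
// trojanized Mastra versions. The "node_modules/<name>" keys follow the real
// lockfile v2/v3 `packages` layout.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "demo-app",
      dependencies: { "@mastra/core": "0.0.0-sample", dayjs: "^1.11.0" },
    },
    "node_modules/@mastra/core": {
      version: "0.0.0-sample",
      dependencies: { "easy-day-js": "^1.0.0" },
    },
    "node_modules/easy-day-js": { version: "1.0.0", hasInstallScript: true },
    "node_modules/dayjs": { version: "1.11.10" },
  },
};

// "node_modules/@scope/pkg/node_modules/other" -> "other"
function nameFromKey(key) {
  if (key === "") return "(root)";
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Names of lockfile entries whose dependency lists include `name`.
function dependentsOf(packages, name) {
  const parents = [];
  for (const [key, entry] of Object.entries(packages)) {
    const declared = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (name in declared) parents.push(nameFromKey(key));
  }
  return parents;
}

// Walk every lockfile entry once; emit one finding per IoC hit and one per
// package that declares an install script.
function scanLockfile(lock, iocNames = IOC_PACKAGES) {
  const packages = lock.packages || {};
  const iocSet = new Set(iocNames);
  const findings = [];
  for (const [key, entry] of Object.entries(packages)) {
    const name = nameFromKey(key);
    if (iocSet.has(name)) {
      findings.push({
        kind: "ioc",
        name,
        version: entry.version,
        path: key,
        pulledInBy: dependentsOf(packages, name),
      });
    }
    if (entry.hasInstallScript) {
      findings.push({ kind: "install-script", name, version: entry.version, path: key });
    }
  }
  return findings;
}

// Direct declarations in package.json are a separate, simpler check.
function scanPackageJson(pkg, iocNames = IOC_PACKAGES) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const hits = [];
  for (const section of sections) {
    for (const name of Object.keys(pkg[section] || {})) {
      if (iocNames.includes(name)) hits.push({ section, name, range: pkg[section][name] });
    }
  }
  return hits;
}

// Stand-alone run against the constructed sample.
for (const f of scanLockfile(SAMPLE_LOCK)) console.log(JSON.stringify(f));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the `pulledInBy` field is what tells you whether the indicator arrived through one of the republished Mastra packages or through some other path, which changes which secrets you treat as exposed.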
## Response Actions
- **Containment:** Rapid removal of the malicious packages from the npm registry to prevent further downloads.
- **Eradication:** Instructions provided to developers to audit `node_modules` and remove affected versions (e.g., `@mastra/core`).
- **Recovery:** Rotating all secrets, API keys, and credentials that may have been present in environments where the malicious packages were installed.
## Lessons Learned
- **Dependency Proximity:** Attackers are shifting from direct code injection to "dependency confusion" or injecting malicious sub-dependencies to bypass simple code reviews.
- **Maintainer Security:** The compromise of a single account can have a massive downstream effect, highlighting the need for mandatory Multi-Factor Authentication (MFA).
## Recommendations
- **Enforce MFA:** Ensure all npm organization maintainers have hardware-based or TOTP MFA enabled.
- **Dependency Pinning:** Use `package-lock.json` and audit changes to dependencies strictly during PR reviews.
- **Socket Security/Guardrails:** Implement tools that scan for "postinstall" scripts and suspicious network activity during the `npm install` phase.
- **Credential Hygiene:** Treat any environment where these packages were installed as compromised; rotate all environment variables and developer credentials immediately.
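The pinning and install-script recommendations above can be enforced as a pull-request gate on the lockfile itself. The script below is an added example, not code from the incident report, from Mastra or from any vendor tool: it diffs two `package-lock.json` files, lists every newly introduced package, flags names that resemble a watchlist of popular libraries (the `easy-day-js` / `dayjs` pattern), flags packages that declare install scripts or resolve outside the public registry, and checks whether the project's `.npmrc` sets `ignore-scripts=true`. The watchlist, the severity rules and the sample lockfiles are constructed for the demo; the versions are placeholders, not the trojanized Mastra versions.

```javascript
// Added example, not code from the incident report or from Mastra: a
// pull-request gate that diffs two package-lock.json files, lists every newly
// introduced package, and flags lookalike names, install scripts and
// off-registry sources, plus whether .npmrc disables lifecycle scripts.
// The watchlist and the severity rules are our own choices.

const WATCHLIST = ["dayjs", "lodash", "express"];

// Plain Levenshtein distance (single-row dynamic programming).
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// Strip scope and punctuation so "easy-day-js" and "dayjs" compare as "easydayjs" / "dayjs".
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, "").replace(/[^a-z0-9]/g, "");
}

// Watchlist entry a new name resembles, or null. The genuine package itself is never flagged.
function looksLike(name, watchlist = WATCHLIST) {
  const n = normalize(name);
  for (const w of watchlist) {
    const wn = normalize(w);
    if (n === wn) continue;
    if (levenshtein(n, wn) <= 2 || (wn.length >= 4 && n.includes(wn))) return w;
  }
  return null;
}

// "node_modules/@scope/pkg/node_modules/other" -> "other"
function nameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Packages present in newLock but absent from oldLock (keyed by install path).
function addedPackages(oldLock, newLock) {
  const oldKeys = new Set(Object.keys(oldLock.packages || {}));
  return Object.entries(newLock.packages || {})
    .filter(([key]) => key !== "" && !oldKeys.has(key))
    .map(([key, e]) => ({
      name: nameFromKey(key),
      path: key,
      version: e.version,
      resolved: e.resolved,
      hasInstallScript: Boolean(e.hasInstallScript),
    }));
}

// Review one lockfile change; "high" issues block the merge, "medium" ones are reported.
function reviewLockfileChange(oldLock, newLock, npmrcText) {
  const added = addedPackages(oldLock, newLock);
  const issues = [];
  for (const p of added) {
    const twin = looksLike(p.name);
    if (twin) issues.push({ severity: "high", name: p.name, reason: `name resembles "${twin}"` });
    if (p.hasInstallScript) issues.push({ severity: "high", name: p.name, reason: "declares an install script" });
    if (p.resolved && !p.resolved.startsWith("https://registry.npmjs.org/")) {
      issues.push({ severity: "medium", name: p.name, reason: `resolved from ${p.resolved}` });
    }
  }
  if (!/^\s*ignore-scripts\s*=\s*true\s*$/m.test(npmrcText || "")) {
    issues.push({ severity: "medium", name: "(project)", reason: ".npmrc does not set ignore-scripts=true" });
  }
  return { added, issues, blocked: issues.some((i) => i.severity === "high") };
}

// Constructed sample: the PR's lockfile adds easy-day-js under @mastra/core.
const OLD_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/@mastra/core": { version: "0.0.0-sample" },
  "node_modules/dayjs": { version: "1.11.10" },
} };
const NEW_LOCK = { lockfileVersion: 3, packages: {
  ...OLD_LOCK.packages,
  "node_modules/@mastra/core": { version: "0.0.1-sample", dependencies: { "easy-day-js": "^1.0.0" } },
  "node_modules/easy-day-js": { version: "1.0.0", hasInstallScript: true },
} };

console.log(JSON.stringify(reviewLockfileChange(OLD_LOCK, NEW_LOCK, ""), null, 2));
```

In CI, feed `OLD_LOCK` from the base branch and `NEW_LOCK` from the PR head and fail the job when `blocked` is true. The lookalike check is deliberately a review flag rather than a hard rule on its own: a substring match will also hit legitimate names such as `express-session`, which is acceptable when a human reads the report, and is why the `ignore-scripts=true` setting (a real npm config key, which stops lifecycle scripts from running at all during `npm install`) is the control that actually removes the `postinstall` execution path.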