Ethical Hacking News
The compromise of 145 npm packages in the Mastra namespace has exposed organizations to an install-time information stealer that targets cryptocurrency wallets. The attack underlines the need for tighter control over dependencies: installing from a pinned lockfile, reviewing every package that runs install scripts, and revoking publish access that is no longer needed. This article looks at how the compromise worked and what can be done to prevent similar attacks.
In brief: a single npm account (ehindero) mass-published over 140 malicious package versions across the @mastra scope within a short window on June 17, 2026. The malicious versions carried no payload of their own; each added a dependency on a third-party library named "easy-day-js", which was first published clean and then updated with a malicious postinstall script. That script drops an obfuscated loader, which fetches a second stage and finally a cross-platform information stealer aimed at browser data and cryptocurrency wallet extensions. npm has since pulled the malicious versions from the highest-profile packages and reverted their "latest" tag, but any environment that installed them in the meantime still needs to be checked.
The news is a wake-up call for organizations that build on open-source frameworks like Mastra. On June 17, 2026, 145 npm packages in the Mastra namespace ("@mastra/*") were compromised in a software supply chain attack. The attackers, who appear to have taken over a legitimate contributor account, used it to publish versions that pull in cryptocurrency-stealing malware at install time.
The compromise is attributed to a campaign codenamed "easy-day-js" after the library it abused, and was reported jointly by Endor Labs, JFrog, OX Security, SafeDep, Socket, StepSecurity, and Snyk. According to Socket, a single npm account (ehindero) mass-published more than 140 malicious packages across the Mastra scope within a short window on June 17, 2026.
The compromised @mastra/* versions themselves contain no malicious code. Instead, each one adds a third-party library named "easy-day-js" to its dependency list, so the payload arrives transitively whenever the package is installed. The library was published by an npm user called "sergey2016" on June 16, 2026, at 7:05 a.m. UTC as a clean, fully functional copy; the malicious changes were introduced on June 17, 2026, at 1:01 a.m. UTC. Publishing a benign version first is a common way of getting a package past initial scrutiny before the payload lands.
SafeDep describes "easy-day-js" as a clone of the "dayjs" date library that downloads and runs a cryptocurrency-stealing remote access trojan (RAT). The obfuscated payload runs from a postinstall hook, which means it executes with the privileges of whoever runs npm install, on a developer workstation or a CI runner alike, without the package ever being imported by application code. That postinstall stage acts as a dropper or loader for a second-stage payload retrieved from attacker-controlled infrastructure; the second stage is executed as a detached background process, after which the loader deletes itself to minimize the forensic trail.
The final stage is a cross-platform information stealer that harvests browser history and stored data from more than 160 cryptocurrency wallet browser extensions, establishes persistence on Windows, macOS, and Linux, and exfiltrates the captured data to a command-and-control (C2) server. It also polls the C2 server for commands, including downloading a module from an attacker-supplied URL and executing it on all three platforms.
The attackers are believed to have hijacked the "ehindero" account, which belonged to a legitimate former Mastra contributor whose scope access was never revoked. npm has since pulled the malicious versions from the highest-profile packages and reverted their "latest" tag. Removal from the registry does not undo installs that already happened, though: lockfiles, local npm caches, and CI images that pinned or cached the malicious versions still have to be found and cleaned.
"It's essential for developers to stay vigilant and monitor their dependencies closely," warns StepSecurity. "Because Mastra sits at the intersection of AI development and cloud infrastructure, its packages are routinely installed in environments that hold some of the most sensitive credentials in modern software development."
The affected packages include @mastra/core, which receives more than 918K weekly npm downloads, giving the campaign a large potential blast radius. Any workstation, CI runner, or build environment that installed the affected versions should be treated as potentially compromised, and any secrets reachable from it (cloud credentials, registry tokens, API keys) should be assumed exposed and rotated.
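As an added example (not code from the article, the reporting vendors, or the Mastra project), here is a small Node.js script that audits a package-lock.json for the injected "easy-day-js" dependency described above and lists every package that runs an install script, which is the first triage step for any host that may have installed the affected versions. It assumes a lockfile v2 or v3 (the "packages" map with npm's hasInstallScript field); the lockfile embedded in it is constructed for illustration, and its version numbers are placeholders rather than the real affected releases.

```javascript
// Added example for this article: audit an npm lockfile for the
// "easy-day-js" dependency the campaign injected, and list every package
// that runs install-time scripts. Not code from the article or the Mastra
// project. SAMPLE_LOCK is a constructed lockfile v3 fragment; its versions
// are placeholders, not the real affected releases.

const SUSPECT_PACKAGES = ['easy-day-js'];

// "node_modules/@mastra/core" -> "@mastra/core"; nested paths such as
// "node_modules/a/node_modules/b" -> "b".
function nameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// For each suspect package present in the lockfile, report its version,
// which packages declare it as a dependency, and whether npm recorded an
// install lifecycle script for it (lockfile v2/v3 "hasInstallScript").
// Lockfile v1 has no "packages" map, so it yields no findings here.
function auditLockfile(lock, suspects = SUSPECT_PACKAGES) {
  const packages = lock.packages || {};
  const entries = Object.entries(packages);
  const findings = [];
  for (const [key, entry] of entries) {
    if (key === '') continue; // root project entry
    const name = nameFromKey(key);
    if (!suspects.includes(name)) continue;
    const dependents = entries
      .filter(([k, e]) => k !== key && e.dependencies && name in e.dependencies)
      .map(([k]) => (k === '' ? '(root project)' : nameFromKey(k)));
    findings.push({
      name,
      version: entry.version,
      resolved: entry.resolved,
      hasInstallScript: entry.hasInstallScript === true,
      dependents,
    });
  }
  return findings;
}

// Every package that will run code at install time. Worth reviewing on any
// host being triaged, since a postinstall hook is exactly where the
// easy-day-js dropper ran.
function installScriptPackages(lock) {
  return Object.entries(lock.packages || {})
    .filter(([key, e]) => key !== '' && e.hasInstallScript === true)
    .map(([key]) => nameFromKey(key));
}

// Constructed sample: a project depending on @mastra/core, whose entry in
// turn pulls in easy-day-js. esbuild stands in for a legitimate package
// that also has an install script.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@mastra/core': '^0.0.0' } },
    'node_modules/@mastra/core': {
      version: '0.0.0-placeholder',
      resolved: 'https://registry.npmjs.org/@mastra/core/-/core-0.0.0.tgz',
      dependencies: { 'easy-day-js': '^1.0.0', zod: '^3.0.0' },
    },
    'node_modules/easy-day-js': {
      version: '1.0.0-placeholder',
      resolved: 'https://registry.npmjs.org/easy-day-js/-/easy-day-js-1.0.0.tgz',
      hasInstallScript: true,
    },
    'node_modules/zod': { version: '3.0.0-placeholder' },
    'node_modules/esbuild': { version: '0.0.0-placeholder', hasInstallScript: true },
  },
};

// Human-readable summary of both checks.
function report(lock) {
  const lines = [];
  for (const f of auditLockfile(lock)) {
    lines.push(`SUSPECT ${f.name}@${f.version} (install script: ${f.hasInstallScript}) ` +
               `pulled in by: ${f.dependents.join(', ') || 'nothing'}`);
  }
  lines.push(`packages with install scripts: ${installScriptPackages(lock).join(', ') || 'none'}`);
  return lines.join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  console.log(report(lock));
}
```

Run it as node audit-lock.js path/to/package-lock.json, or with no argument to audit the embedded sample. A hit is not proof of compromise on its own, since the library had a clean release first, but every host that resolved easy-day-js should be triaged as described above. The control that blocks this class of dropper outright is running CI installs with npm ci --ignore-scripts (or ignore-scripts=true in .npmrc); the cost is that legitimate native-build postinstall steps are skipped too, so those have to be run deliberately afterward.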
"It's not just about patching individual vulnerabilities," says JFrog. "It's about understanding how dependencies can interact and create new attack vectors. This campaign shows how a small dependency change can become an install-time compromise across a large package ecosystem."
The incident is a reminder that a single unrevoked publish right on a popular scope is enough to turn a routine npm install into credential and wallet theft. The practical defenses follow directly from how the attack worked: remove publish access for contributors who no longer need it, install from a committed lockfile instead of resolving fresh dependency ranges on every build, review or disable install scripts in CI, and alert when a new transitive dependency such as easy-day-js appears in that lockfile. Hosts that already installed the affected versions should be rebuilt, and the secrets they held rotated, rather than merely upgraded.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Devastating-Blow-to-Trust-The-Mastra-npm-Package-Compromise-and-the-Rise-of-Cryptocurrency-Stealing-Malware-ehn.shtml
https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html
Published: Thu Jun 18 09:58:35 2026 by llama3.2 3B Q4_K_M