Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Unveiling the Mastra Malware: A Sophisticated Software Supply Chain Attack


Security Researchers Reveal 144 npm Packages Compromised via a Hijacked Contributor Account, Highlighting the Fragility of Software Supply Chain Ecosystems.

  • Popular open-source JavaScript and TypeScript packages from the Mastra framework were compromised in a software supply chain attack tracked under the name of the malicious dependency, "easy-day-js".
  • A legitimate contributor account was hijacked and used to mass-publish more than 140 malicious package versions across the Mastra scope.
  • The affected packages, @mastra/core among them, contained no malicious code themselves; each instead gained a new dependency on an obfuscated third-party library named "easy-day-js".
  • That library's postinstall hook acted as a dropper, fetching and executing a second-stage payload from attacker-controlled infrastructure.
  • The final stage was a cross-platform information stealer that harvested browser history and cryptocurrency wallet extension data and exfiltrated it to a command-and-control server.
  • The incident shows how much trust open-source dependency ecosystems place in a single maintainer account.
  • Affected users should roll back to clean versions, rotate credentials, and audit hosts for artifacts linked to the campaign.



    The compromise of 144 npm packages associated with Mastra, the popular open-source JavaScript and TypeScript framework, through a hijacked contributor account has drawn wide attention in the security community. The affected packages, which include @mastra/core, were used in a software supply chain attack tracked as "easy-day-js", per findings from Endor Labs, JFrog, SafeDep, Socket, and StepSecurity.

    According to their analysis, the attackers hijacked the legitimate contributor account "ehindero" and used it to mass-publish more than 140 malicious package versions across the Mastra scope within a short window on June 17, 2026. The published packages did not themselves contain malicious code; instead, each had a third-party library named "easy-day-js" added to its dependency list, in what has been described as an automated publishing campaign spanning 88 minutes.

    The "easy-day-js" package carries an obfuscated payload that fires from a postinstall hook and acts as a dropper, retrieving a second-stage payload from attacker-controlled infrastructure ("23.254.164[.]92"). That payload is executed as a detached background process, after which the loader deletes itself to minimize the forensic trail.

    The final stage is a cross-platform information stealer that harvests browser history, steals data from more than 160 cryptocurrency wallet browser extensions, installs persistence on Windows, macOS, and Linux, and exfiltrates the captured information to a command-and-control (C2) server ("23.254.164[.]123").

    The incident shows how exposed dependency-heavy ecosystems are to a single compromised account. The attackers needed no vulnerability in Mastra itself, only the ability to publish under a trusted name, and the malicious versions went out without being caught at publish time.

    Any workstation, CI runner, or build environment that installed the affected versions should therefore be treated as potentially compromised. Roll back to a known-safe version, rotate any credentials that were reachable from those hosts, and audit the hosts for artifacts linked to the campaign.


    The attackers combined a familiar supply chain technique with practical stealth: a clean decoy version of the package, a mass-publishing campaign spanning 88 minutes, and an obfuscated postinstall loader introduced in the malicious packages. Runtime payload download, detached execution, self-deletion, Node-themed persistence, and a remote module system round out the campaign's characteristics.

    The Mastra ecosystem is an exceptionally high-value target for supply chain attackers because it sits at the intersection of AI development and cloud infrastructure, where developer hosts often hold some of the most sensitive credentials in modern software development.

    This attack is a stark reminder of the risks of software supply chain attacks: the hijacking of a single legitimate contributor account, combined with a malicious third-party dependency, produced a sophisticated compromise that left many organizations exposed.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Unveiling-the-Mastra-Malware-A-Sophisticated-Software-Supply-Chain-Attack-ehn.shtml

  • https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html


  • Published: Wed Jun 17 22:52:22 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
