Audit log
Mastra AI npm Supply Chain Attack (June 2026): 1 decision on this page
Every state-changing event for Mastra AI npm Supply Chain Attack (June 2026): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-06-19 12:21:09Z. Score: ? → ? (no score change). Anchor: anchored.
- chain: mainnet-beta, slot 427,504,832
- sig: 2qURjXT2QKzE…dRanWz5g
- hash: GDUcSUD2NG6q…5Lt7U69j (sha256 → base58)
- canonical bytes (24005 B):
{"actor":"system:backfill","investigation_id":"e46c6ad3-be50-48db-a6a5-50ede5b6a7ef","kind":"publish","page_slug":"mastra-ai-npm-supply-chain-attack-june-2026","published_at":"2026-06-19T12:21:09.096Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Mastra AI npm Supply Chain Attack (June 2026)","sections":[{"content":"The Mastra AI npm supply chain attack was discovered on June 17, 2026. Attackers exploited a stale, never-revoked npm contributor account ('ehindero') that had legitimate publishing rights to the entire @mastra package scope, acquired during early alpha development in late 2024 and early 2025. Using this account, the attacker executed an automated campaign between 01:12 and 02:39 UTC on June 17, republishing 140+ packages across the @mastra namespace — each injected with a single new dependency: 'easy-day-js', a typosquatted impersonator of the widely used 'dayjs' date utility library. The @mastra packages themselves were not modified; only a dependency line was added, making the change difficult to detect through routine code review. 
Because the injected dependency was pinned as '^1.11.21', npm's semantic versioning resolution automatically pulled the malicious 'easy-day-js@1.11.22' at fresh install time without requiring any changes to the downstream package.json files.","heading":"Attack Overview","severity":"critical","sources":[{"credibility":2,"name":"OX Security: easy-day-js Supply Chain Attack Hits Mastra AI in npm","type":"research","url":"https://www.ox.security/blog/easy-day-js-supply-chain-attack-hits-mastra-ai-in-npm/"},{"credibility":2,"name":"StepSecurity: Mastra npm Supply Chain Attack — 140+ Packages Backdoored","type":"research","url":"https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js"},{"credibility":2,"name":"Snyk: A forgotten contributor account compromised the entire Mastra npm package scope","type":"research","url":"https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/"},{"credibility":2,"name":"The Hacker News: 145 Mastra npm Packages Compromised via Hijacked Contributor Account","type":"news_article","url":"https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html"}]},{"content":"The root cause of the compromise was npm's lack of scope permission expiry on inactivity. The 'ehindero' account had legitimately published early alpha versions of @mastra/core in late 2024 and early 2025, then went dormant. Because npm does not expire scope publish permissions based on account inactivity, a single stale maintainer credential was sufficient to publish to every package in the @mastra scope. Evidence of the account compromise included an email address change to 'ehindero2016@tutamail.com', indicating the original contributor's credentials were stolen rather than the contributor acting maliciously. 
A current Mastra employee's machine is also alleged to have been compromised via social engineering: a compromised LinkedIn account contacted a maintainer with a suspicious link, exposing credentials used to access internal tooling. The malicious publisher account 'sergey2016' (sergey2016@tutamail.com) first published the clean decoy 'easy-day-js@1.11.21' on June 16 before introducing the weaponized version.","heading":"Initial Access: Stale Maintainer Credential","severity":"critical","sources":[{"credibility":2,"name":"Snyk: A forgotten contributor account compromised the entire Mastra npm package scope","type":"research","url":"https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/"},{"credibility":2,"name":"Endor Labs: Mastra npm Org Compromised — Multiple Packages Trojanized","type":"research","url":"https://www.endorlabs.com/learn/mastra-npm-org-compromised-multiple-packages-trojanized-to-drop-a-remote-payload-via-easy-day-js"},{"credibility":2,"name":"The Hacker News: 145 Mastra npm Packages Compromised via Hijacked Contributor Account","type":"news_article","url":"https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html"}]},{"content":"The weaponized 'easy-day-js@1.11.22' contained an obfuscated postinstall dropper in 'setup.cjs' (4,572 bytes), executed via the hook 'postinstall: node setup.cjs --no-warnings'. The dropper employed three obfuscation layers: a custom-alphabet Base64 encoding scheme, array rotation requiring an exact 34-position shift for integrity validation, and XOR-encoded beacon markers. 
During execution, Stage 1 of the dropper disabled TLS certificate validation by setting NODE_TLS_REJECT_UNAUTHORIZED=0, wrote installation path beacons to '<tmpdir>/.pkg_history' and '~/.pkg_logs', fetched a second-stage payload from the command-and-control server at 'https://23.254.164.92:8000/update/49890878' (Hostwinds, ASN AS54290), spawned a detached background process communicating with a secondary C2 at '23.254.164.123:443', and then self-deleted using 'fs.rmSync(__filename)' to remove forensic evidence. The Stage 2 payload functioned as a cross-platform remote access trojan (RAT) capable of: harvesting browser history and stored credentials from Chrome, Brave, and Edge; inventorying and exfiltrating data from 166 cryptocurrency wallet browser extensions (including MetaMask, Phantom, Coinbase Wallet, and Binance); stealing LLM API keys, cloud provider credentials, CI/CD tokens, and database connection strings; and installing OS-level persistence mechanisms on Windows, macOS, and Linux. 
The easy-day-js package bundled a byte-identical copy of dayjs.min.js to pass superficial inspection.","heading":"Malicious Payload: Multi-Stage RAT","severity":"critical","sources":[{"credibility":2,"name":"StepSecurity: Mastra npm Supply Chain Attack — 140+ Packages Backdoored","type":"research","url":"https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js"},{"credibility":2,"name":"Endor Labs: Mastra npm Org Compromised — Multiple Packages Trojanized","type":"research","url":"https://www.endorlabs.com/learn/mastra-npm-org-compromised-multiple-packages-trojanized-to-drop-a-remote-payload-via-easy-day-js"},{"credibility":1,"name":"Microsoft Security Blog: From package to postinstall payload — Inside the Mastra npm supply chain compromise","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/"},{"credibility":2,"name":"Phoenix Security: easy-day-js / EASY_DAY_JS_MASTRA_2026","type":"research","url":"https://phoenix.security/easy-day-js-mastra-npm-supply-chain-typosquat-rat-2026/"}]},{"content":"The attack affected a minimum of 140 packages (various researchers cite 141 to 145 depending on counting methodology) within the @mastra npm scope. @mastra/core alone recorded over 918,000 weekly downloads at the time of the attack; combined weekly downloads across all affected packages exceeded 1.1 million, with combined monthly downloads reported by some researchers at over 28 million. The most heavily downloaded packages affected included @mastra/schema-compat (5.3M monthly), @mastra/core (4M monthly), mastra (2.1M monthly), @mastra/memory (2M monthly), and @mastra/server (1.8M monthly). Any developer workstation, CI runner, or build environment that executed 'npm install' on any @mastra package after June 16, 2026 was potentially exposed. 
Mastra packages are routinely installed in environments holding LLM API keys, cloud provider credentials, CI/CD tokens, and database connection strings — making the breadth of credential exposure particularly severe for AI toolchain developers. All republished compromised versions lacked SLSA provenance attestations, a distinguishing indicator.","heading":"Scale and Exposure","severity":"critical","sources":[{"credibility":2,"name":"Orca Security: 144 Mastra npm Packages Compromised via Supply Chain Attack","type":"research","url":"https://orca.security/resources/blog/mastra-npm-supply-chain-attack/"},{"credibility":2,"name":"The Hacker News: 145 Mastra npm Packages Compromised via Hijacked Contributor Account","type":"news_article","url":"https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html"},{"credibility":2,"name":"Endor Labs: Mastra npm Org Compromised — Multiple Packages Trojanized","type":"research","url":"https://www.endorlabs.com/learn/mastra-npm-org-compromised-multiple-packages-trojanized-to-drop-a-remote-payload-via-easy-day-js"}]},{"content":"The second-stage RAT payload explicitly targeted cryptocurrency wallet browser extensions, with researchers identifying 166 distinct extensions in the malware's enumeration list. Named targets confirmed by multiple security researchers include MetaMask, Phantom, Coinbase Wallet, and Binance wallet extensions. The payload harvested wallet extension data, stored credentials, and browser session information at installation time, before any user interaction. 
Mastra AI is widely used in AI agent and automation pipelines that interact with blockchain infrastructure, including DeFi protocols, wallet management systems, and on-chain tooling — amplifying the risk that compromised developer environments would yield access to operational crypto assets rather than solely developer-owned personal wallets.","heading":"Cryptocurrency Wallet Targeting","severity":"critical","sources":[{"credibility":2,"name":"Orca Security: 144 Mastra npm Packages Compromised via Supply Chain Attack","type":"research","url":"https://orca.security/resources/blog/mastra-npm-supply-chain-attack/"},{"credibility":2,"name":"Phoenix Security: easy-day-js / EASY_DAY_JS_MASTRA_2026","type":"research","url":"https://phoenix.security/easy-day-js-mastra-npm-supply-chain-typosquat-rat-2026/"},{"credibility":2,"name":"StepSecurity: Mastra npm Supply Chain Attack — 140+ Packages Backdoored","type":"research","url":"https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js"}]},{"content":"Multiple security firms have noted tradecraft overlaps between this attack and prior campaigns attributed to Sapphire Sleet (also known as BlueNoroff), a North Korean advanced persistent threat group known for targeting developer supply chains to steal cryptocurrency. Snyk, Orca Security, and Microsoft Threat Intelligence have each noted that the attack pattern — including the clean-then-armed typosquat staging, the postinstall dropper using TLS disablement and detached spawning with self-deletion, and the focus on cryptocurrency wallet extension harvesting — closely mirrors the April 2026 Axios npm compromise that Microsoft formally attributed to Sapphire Sleet. However, Snyk explicitly stated: 'Attribution for this incident specifically is not confirmed, and we will not speculate further.' No government agency or law enforcement body had confirmed attribution as of the available reporting. 
The C2 infrastructure used Hostwinds (ASN AS54290), a US-based hosting provider. The malicious publisher accounts ('sergey2016', 'ehindero') used tutamail.com addresses, an encrypted email provider.","heading":"Threat Actor Attribution","severity":"high","sources":[{"credibility":2,"name":"Snyk: A forgotten contributor account compromised the entire Mastra npm package scope","type":"research","url":"https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/"},{"credibility":2,"name":"Orca Security: 144 Mastra npm Packages Compromised via Supply Chain Attack","type":"research","url":"https://orca.security/resources/blog/mastra-npm-supply-chain-attack/"},{"credibility":1,"name":"Microsoft Security Blog: From package to postinstall payload — Inside the Mastra npm supply chain compromise","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/"},{"credibility":2,"name":"The Hacker News: N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust (April 2026 Axios context)","type":"news_article","url":"https://thehackernews.com/2026/04/n-korean-hackers-spread-1700-malicious.html"}]},{"content":"Endor Labs detected the malicious republish within approximately 2 minutes and 18 seconds of the first affected package appearing on the registry. npm removed the 'easy-day-js' package from the registry and flagged all malicious versions under advisory SNYK-JS-EASYDAYJS-17353313. The 'ehindero' account was removed as a scope owner. Mastra responded by forward-rolling 142 publishable packages to clean versions in a coordinated pull request (#18056), moving the 'latest' dist-tag past all compromised releases, and disabling token bypass authentication on all packages. The clean 'latest' version was restored to @mastra/core 1.42.0. 
Security firms including StepSecurity, Endor Labs, Snyk, and Kodem published detailed incident response runbooks. Recommended user actions included: auditing npm install logs for any @mastra/* packages installed after June 16, 2026; rotating all secrets, LLM API keys, cloud credentials, and cryptocurrency wallet keys from potentially affected environments; reviewing network egress logs for connections to 23.254.164.92 or 23.254.164.123; removing persistence mechanisms installed by the RAT; and considering reimaging affected developer machines and CI runners.","heading":"Response and Remediation","severity":"high","sources":[{"credibility":2,"name":"Snyk: A forgotten contributor account compromised the entire Mastra npm package scope","type":"research","url":"https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/"},{"credibility":2,"name":"Endor Labs: Mastra npm Org Compromised — Multiple Packages Trojanized","type":"research","url":"https://www.endorlabs.com/learn/mastra-npm-org-compromised-multiple-packages-trojanized-to-drop-a-remote-payload-via-easy-day-js"},{"credibility":2,"name":"Kodem: Mastra npm Compromise — easy-day-js Attack & Response Runbook","type":"research","url":"https://www.kodemsecurity.com/resources/mastra-npm-packages-compromised-easy-day-js-supply-chain-attack-iocs-and-response-runbook"},{"credibility":2,"name":"StepSecurity: Mastra npm Supply Chain Attack — 140+ Packages Backdoored","type":"research","url":"https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js"}]},{"content":"Known indicators of compromise associated with this attack include: the npm packages 'easy-day-js@1.11.22' (malicious) and 'easy-day-js@1.11.21' (clean decoy); publisher account 'sergey2016' with email sergey2016@tutamail.com; compromised maintainer account 'ehindero' with email ehindero2016@tutamail.com; the postinstall dropper file 'setup.cjs'; C2 primary endpoint 'https://23.254.164.92:8000/update/49890878' (Hostwinds, ASN AS54290); C2 secondary endpoint '23.254.164.123:443'; beacon files '~/.pkg_history' and '~/.pkg_logs' written to the system home directory; any @mastra/* npm package versions published between June 17, 2026 01:01 UTC and approximately 02:39 UTC that include 'easy-day-js' as a dependency. The Snyk advisory identifier is SNYK-JS-EASYDAYJS-17353313.","heading":"Indicators of Compromise","severity":"critical","sources":[{"credibility":2,"name":"StepSecurity: Mastra npm Supply Chain Attack — 140+ Packages Backdoored","type":"research","url":"https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js"},{"credibility":2,"name":"Endor Labs: Mastra npm Org Compromised — Multiple Packages Trojanized","type":"research","url":"https://www.endorlabs.com/learn/mastra-npm-org-compromised-multiple-packages-trojanized-to-drop-a-remote-payload-via-easy-day-js"},{"credibility":2,"name":"Phoenix Security: easy-day-js / EASY_DAY_JS_MASTRA_2026","type":"research","url":"https://phoenix.security/easy-day-js-mastra-npm-supply-chain-typosquat-rat-2026/"}]},{"content":"The Mastra AI incident is one in a series of npm supply chain attacks in 2026 targeting AI and developer tooling ecosystems. Security researchers noted similarities with an April 2026 attack distributing approximately 1,700 malicious packages across npm, PyPI, Go, and Rust repositories, which Microsoft attributed to North Korean-linked actors in the Sapphire Sleet cluster. The recurring pattern — staging a clean package, arming it with a postinstall hook after building trust, then leveraging stale maintainer credentials to inject it broadly — represents a systematic approach to developer-environment compromise that yields high-value credential harvests given the density of API keys and secrets held in software development environments. 
The Mastra case highlights two systemic weaknesses in the npm ecosystem: the absence of publish-permission expiry for inactive accounts, and semantic versioning's default of resolving to the newest matching version at install time.","heading":"Broader Context: Developer Supply Chain Targeting","severity":"high","sources":[{"credibility":2,"name":"The Hacker News: N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust","type":"news_article","url":"https://thehackernews.com/2026/04/n-korean-hackers-spread-1700-malicious.html"},{"credibility":2,"name":"SafeDep: Mastra npm Scope Takeover — 141 Packages Drop a RAT","type":"research","url":"https://safedep.io/mastra-npm-scope-takeover-supply-chain-attack/"},{"credibility":2,"name":"Cloudsmith: Inside the Mastra npm supply chain attack","type":"research","url":"https://cloudsmith.com/blog/inside-the-mastra-npm-supply-chain-attack"}]}],"sources_used":[{"credibility":2,"name":"OX Security: easy-day-js Supply Chain Attack Hits Mastra AI in npm","type":"research","url":"https://www.ox.security/blog/easy-day-js-supply-chain-attack-hits-mastra-ai-in-npm/"},{"credibility":2,"name":"Phoenix Security: easy-day-js / EASY_DAY_JS_MASTRA_2026","type":"research","url":"https://phoenix.security/easy-day-js-mastra-npm-supply-chain-typosquat-rat-2026/"},{"credibility":2,"name":"StepSecurity: Mastra npm Supply Chain Attack — 140+ Packages Backdoored via easy-day-js","type":"research","url":"https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js"},{"credibility":2,"name":"The Hacker News: 145 Mastra npm Packages Compromised via Hijacked Contributor Account","type":"news_article","url":"https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html"},{"credibility":2,"name":"Orca Security: 144 Mastra npm Packages Compromised via Supply Chain Attack","type":"research","url":"https://orca.security/resources/blog/mastra-npm-supply-chain-attack/"},{"credibility":2,"name":"Snyk: A forgotten contributor account compromised the entire Mastra npm package scope","type":"research","url":"https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/"},{"credibility":2,"name":"Endor Labs: Mastra npm Org Compromised — Multiple Packages Trojanized","type":"research","url":"https://www.endorlabs.com/learn/mastra-npm-org-compromised-multiple-packages-trojanized-to-drop-a-remote-payload-via-easy-day-js"},{"credibility":1,"name":"Microsoft Security Blog: From package to postinstall payload — Inside the Mastra npm supply chain compromise","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/"},{"credibility":2,"name":"SafeDep: Mastra npm Scope Takeover — 141 Packages Drop a RAT","type":"research","url":"https://safedep.io/mastra-npm-scope-takeover-supply-chain-attack/"},{"credibility":2,"name":"Cloudsmith: Inside the Mastra npm supply chain attack","type":"research","url":"https://cloudsmith.com/blog/inside-the-mastra-npm-supply-chain-attack"},{"credibility":2,"name":"Kodem: Mastra npm Compromise — easy-day-js Attack & Response Runbook","type":"research","url":"https://www.kodemsecurity.com/resources/mastra-npm-packages-compromised-easy-day-js-supply-chain-attack-iocs-and-response-runbook"},{"credibility":2,"name":"The Hacker News: N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust","type":"news_article","url":"https://thehackernews.com/2026/04/n-korean-hackers-spread-1700-malicious.html"}],"summary":"On June 17, 2026, attackers hijacked a dormant npm contributor account ('ehindero') to inject a malicious dependency ('easy-day-js') into 140+ packages across the @mastra npm scope, affecting an estimated 1.1 million+ weekly downloads. 
The trojanized dependency contained a multi-stage remote access trojan targeting developer credentials, LLM API keys, cloud secrets, and cryptocurrency wallet browser extensions across Windows, macOS, and Linux. Mastra and npm responded within hours by revoking the compromised account, unpublishing malicious versions, and forward-rolling clean releases.","timeline":[{"date":"2024-01-01","event":"npm account 'ehindero' published legitimate alpha versions of @mastra/core, acquiring org-wide scope publish rights that were never subsequently revoked.","source":"Snyk","source_url":"https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/"},{"date":"2026-06-16","event":"Account 'sergey2016' published 'easy-day-js@1.11.21' to npm — a clean, byte-identical copy of the legitimate dayjs library, seeding the attack infrastructure without triggering alerts.","source":"StepSecurity","source_url":"https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js"},{"date":"2026-06-17","event":"At 01:01 UTC, 'easy-day-js@1.11.22' was published with an obfuscated postinstall dropper ('setup.cjs') and tagged as 'latest', arming the previously clean package.","source":"StepSecurity / Endor Labs","source_url":"https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js"},{"date":"2026-06-17","event":"Between 01:12 and 02:39 UTC, hijacked account 'ehindero' executed an automated 88-minute campaign republishing 140+ @mastra/* packages each injected with the 'easy-day-js' dependency, exposing a combined 1.1 million+ weekly downloads.","source":"StepSecurity / Snyk / Endor Labs","source_url":"https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/"},{"date":"2026-06-17","event":"Endor Labs detected the first malicious republish approximately 2 minutes and 18 seconds after it appeared on the npm registry.","source":"Endor Labs","source_url":"https://www.endorlabs.com/learn/mastra-npm-org-compromised-multiple-packages-trojanized-to-drop-a-remote-payload-via-easy-day-js"},{"date":"2026-06-17","event":"Microsoft Defender Security Research Team published a blog post detailing the attack mechanics and threat hunting guidance.","source":"Microsoft Security Blog","source_url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/"},{"date":"2026-06-17","event":"npm removed the 'easy-day-js' package from the registry and flagged malicious versions under advisory SNYK-JS-EASYDAYJS-17353313. The 'ehindero' account was removed as scope owner.","source":"Snyk","source_url":"https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/"},{"date":"2026-06-17","event":"Mastra forward-rolled 142 packages to clean versions, moved the 'latest' dist-tag past all compromised releases, restoring @mastra/core latest to version 1.42.0, and disabled token bypass authentication on all packages.","source":"Snyk / The Hacker News","source_url":"https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/"},{"date":"2026-06-18","event":"Multiple security firms including OX Security, Orca Security, Phoenix Security, SafeDep, Cloudsmith, and Kodem published detailed technical analyses and incident response runbooks.","source":"OX Security","source_url":"https://www.ox.security/blog/easy-day-js-supply-chain-attack-hits-mastra-ai-in-npm/"}]},"v":1}

Verify offline (run on your own machine): python -m src.verify_decision e04d1d73-b4aa-416b-80f9-794dc66a76a4
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.