{"slug": "144-mastra-npm-packages-backdoored-what-to-check-right-now", "title": "144 Mastra npm Packages Backdoored: What to Check Right Now", "summary": "An attacker hijacked a dormant contributor account and published malicious versions of 144 packages under the @mastra npm scope between 01:15 and 02:36 UTC, targeting the TypeScript AI agent framework Mastra. The attack uses a typosquatted dependency easy-day-js with a postinstall script that downloads an infostealer targeting cryptocurrency wallet extensions. Users who installed any @mastra/* package in the last 24 hours should run npm ls easy-day-js and rotate credentials immediately.", "body_md": "Between 01:15 and 02:36 UTC this morning, an attacker hijacked a dormant contributor account and published malicious versions of 144 packages under the `@mastra` npm scope. Mastra is a TypeScript AI agent framework with over 1.1 million combined weekly downloads. If you ran `npm install` on any `@mastra/*` package in the last 24 hours, run this before reading further:\n\n```\nnpm ls easy-day-js\n```\n\nAny output means you installed a compromised version. Start rotating credentials now. Details below.\n\n## What Mastra Is\n\nIf you have not encountered it yet: [Mastra](https://mastra.ai/) is an open-source TypeScript framework for building production AI agents, created by the team behind Gatsby and backed by Y Combinator (W25 batch). It handles agents, workflows, memory, Model Context Protocol (MCP) servers, and observability — the full stack for TypeScript developers building AI applications. It has 22,000+ GitHub stars, it is in production at Replit and WorkOS, and its core package alone sees 918,000 weekly downloads. This is not a niche framework.\n\n## How the Attack Worked\n\nThe attacker did not exploit a zero-day in Mastra’s code. They used a much simpler vector: a former contributor account called “ehindero” still had publish access to the `@mastra` npm scope. Contributor access was never revoked after they stopped contributing. The attacker compromised that account and, within an 81-minute window, published malicious new versions of 141 packages under the `@mastra` scope.\n\nThe mechanism was a typosquatted dependency called **easy-day-js** — a clone of the popular `dayjs` date library with one extra feature: a postinstall script. When npm resolves and installs `easy-day-js`, that script fires automatically. It disables TLS certificate validation, downloads a second-stage payload from attacker-controlled infrastructure, executes it as a detached background process, and then deletes itself to remove forensic traces.\n\nHere is the part that makes this particularly nasty: the `@mastra/*` packages themselves are clean. If you review the source of a compromised Mastra package, you will find nothing wrong. The malicious behavior lives entirely in the transitive dependency. You will not catch this with a source review — only a full dependency tree audit will surface it.\n\n## What the Payload Does\n\nThe second-stage payload is a cross-platform infostealer targeting Windows, macOS, and Linux. It exfiltrates a beacon over HTTPS containing your username, hostname, OS and architecture, Node version, list of installed applications, running processes, and browser history. Its primary targets are cryptocurrency wallet browser extensions — it has a hardcoded list of 166 extensions including MetaMask, Phantom, Coinbase Wallet, Solflare, OKX, and Keplr. It also installs persistence, meaning it survives the terminal session that installed the malicious package.\n\n## If `npm ls easy-day-js` Returns Output\n\nAssume the host is compromised. Here is the response sequence:\n\n1. **Delete and reinstall:** Remove `node_modules`, clear your npm cache, and reinstall using a version of the `@mastra/*` packages that predates June 16, 2026.\n2. **Rotate credentials:** npm tokens, cloud provider keys (AWS, GCP, Azure), CI/CD secrets (GitHub Actions, CircleCI), LLM API keys (OpenAI, Anthropic, Groq), SSH keys, and any cryptocurrency wallets accessible from that machine.\n3. **Hunt artifacts:** Check your temp directory for `.pkg_history`, `.pkg_logs`, randomly named 24-hex `.js` files, and `browser-hist-*` directories. Check for a detached `node` process that should not be there.\n4. **Treat any CI runner that ran the install as compromised,** not just developer machines.\n\n## Prevention: What Would Have Stopped This\n\nTwo things would have blocked the attack at install time:\n\n```\n# Block all postinstall scripts (the attack vector)\nnpm install --ignore-scripts\n\n# In CI: verify lockfile integrity and block scripts\nnpm ci --ignore-scripts\n```\n\nThe `--ignore-scripts` flag is not new, but few teams use it by default. Every supply chain attack in the past year that used a postinstall vector would have been stopped by it.\n\nThe structural issue — stale contributor access — is harder to fix. npm has no built-in expiry for publish permissions. This exact vector, a former contributor account whose scope access was never cleaned up, was also used in [the TanStack attack](https://socket.dev/blog/mastra-npm-packages-compromised). The Mastra team is not uniquely at fault here; this is an ecosystem-level failure. But every maintainer team should be auditing publish permissions on a regular schedule and removing access for contributors who are no longer active.\n\n## The Bigger Picture\n\nThis is the third significant npm supply chain attack in six weeks: the Red Hat Cloud Services attack on June 1, the LinkedIn job-offer backdoor on June 16, and now this. The pattern is consistent — compromised credentials, postinstall execution, credential theft. The individual remediation steps are clear. What is missing is the industry-level enforcement: automatic scope expiry for inactive contributors, lifecycle script sandboxing by default, and better tooling to surface transitive dependency changes in package diffs.\n\nUntil that infrastructure exists, `npm ci --ignore-scripts` in CI is not optional for any team that cares about supply chain security. [Full technical details are available from The Hacker News](https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html) and [StepSecurity’s writeup](https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js). Add `--ignore-scripts` to your pipelines today.", "url": "https://wpnews.pro/news/144-mastra-npm-packages-backdoored-what-to-check-right-now", "canonical_source": "https://byteiota.com/144-mastra-npm-packages-backdoored-what-to-check-right-now/", "published_at": "2026-06-17 11:16:13+00:00", "updated_at": "2026-06-17 11:28:38.195557+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "ai-infrastructure", "developer-tools"], "entities": ["Mastra", "npm", "Y Combinator", "Replit", "WorkOS", "MetaMask", "Phantom", "Coinbase Wallet"], "alternates": {"html": "https://wpnews.pro/news/144-mastra-npm-packages-backdoored-what-to-check-right-now", "markdown": "https://wpnews.pro/news/144-mastra-npm-packages-backdoored-what-to-check-right-now.md", "text": "https://wpnews.pro/news/144-mastra-npm-packages-backdoored-what-to-check-right-now.txt", "jsonld": "https://wpnews.pro/news/144-mastra-npm-packages-backdoored-what-to-check-right-now.jsonld"}}