@mastra npm scope takeover: 143 packages backdoored via compromised contributor account
TL;DR
What happened: An attacker used a compromised former contributor npm account to republish all 143 packages in the @mastra npm scope between 01:15 and 02:00 UTC on June 17, 2026.
Packages affected: All 143 packages in the @mastra scope (139 @mastra/* packages plus the top-level create-mastra and mastra) on the npm registry.
Scale: 143 packages; more than 30 million monthly downloads.
Risk: A postinstall hook disables TLS verification, downloads a crypto wallet stealer and a remote access trojan (RAT) from attacker-controlled infrastructure, runs them detached, then self-deletes. The RAT command-and-control (C2) server was live at time of analysis.
Chainguard customers: Not affected.
What to do: Immediately audit your dependency trees and lockfiles for @mastra versions published during the attack window and for the injected dependency easy-day-js@1.11.22; if either is present, treat the host as compromised and rotate all credentials.
In the early hours of June 17, 2026, an attacker gained access to a former contributor's npm account and used it to republish every package in the @mastra scope — 143 packages in total — each seeded with a dependency on the malicious easy-day-js@1.11.22. The window of exposure ran from 01:15 to 02:00 UTC, 45 minutes during which any developer running a fresh install of a @mastra package could have pulled the backdoored versions. The malware is designed to steal cryptocurrency wallet credentials and establish persistent remote access, and the attacker's infrastructure was confirmed to be active at the time of analysis.
Affected packages
All 143 packages in the @mastra npm scope received malicious versions during this attack window. This includes all 139 @mastra/* scoped packages as well as the top-level packages create-mastra and mastra. The specific malicious dependency introduced into each was easy-day-js@1.11.22.
Note: The latest dist-tag is not a safeguard. During the window, latest on every @mastra package pointed at the malicious version, so a fresh install that resolved a version published between 01:15 and 02:00 UTC on June 17, 2026 pulled the backdoored code.
The attacker operated two npm accounts: ehindero, which republished the 143 @mastra packages, and sergey2016, which published easy-day-js on June 16, a day earlier, to lay the groundwork. A reliable signal that you’re working with a legitimate Mastra release is that all of them carry SLSA provenance attestations published through npm's trusted publisher flow. Every malicious version in this wave dropped provenance entirely. Any signature-verifying install or policy requiring attestations would have rejected them.
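Provenance can be checked mechanically. The script below is an added example, not code from Mastra, Chainguard or the advisory: it takes an npm registry packument (the JSON served at https://registry.npmjs.org/&lt;name&gt;), flags versions that were published inside the attack window, that carry no provenance attestation under dist.attestations, or that depend on easy-day-js, reports whether the latest dist-tag points at a flagged version, and picks the newest version published before the window that is safe to pin. The packument in the block is constructed: the package name, version numbers and timestamps are hypothetical; only the window and the malicious dependency name come from the advisory.

```javascript
// Added example (not code from Mastra, Chainguard or the advisory).
// Audit an npm packument for the @mastra takeover: window, provenance, dependency.
// SAMPLE_PACKUMENT below is CONSTRUCTED; its name, versions and timestamps are hypothetical.

const WINDOW_START = Date.parse('2026-06-17T01:15:00Z');
const WINDOW_END = Date.parse('2026-06-17T02:00:00Z');
const MALICIOUS_DEP = 'easy-day-js';

function hasProvenance(meta) {
  // Versions published through npm's trusted publisher flow carry
  // dist.attestations with a provenance predicate; the malicious republishes did not.
  const att = meta.dist && meta.dist.attestations;
  return Boolean(att && att.provenance && att.provenance.predicateType);
}

function dependsOnMalicious(meta) {
  const deps = Object.assign({}, meta.dependencies, meta.optionalDependencies);
  return Object.prototype.hasOwnProperty.call(deps, MALICIOUS_DEP);
}

// Returns [{ version, reasons: [...] }] for every version that fails a check.
function auditPackument(packument) {
  const findings = [];
  for (const [version, meta] of Object.entries(packument.versions)) {
    const publishedAt = Date.parse(packument.time[version]);
    const reasons = [];
    if (publishedAt >= WINDOW_START && publishedAt <= WINDOW_END) reasons.push('published inside attack window');
    if (!hasProvenance(meta)) reasons.push('no provenance attestation');
    if (dependsOnMalicious(meta)) reasons.push(`depends on ${MALICIOUS_DEP}`);
    if (reasons.length > 0) findings.push({ version, reasons });
  }
  return findings;
}

// True when the "latest" dist-tag resolves to a flagged version (as it did during the window).
function latestIsFlagged(packument) {
  const latest = packument['dist-tags'] && packument['dist-tags'].latest;
  return auditPackument(packument).some(f => f.version === latest);
}

// Newest unflagged version published before the window opened: the version to pin,
// following the advisory's advice to pin to releases from before 01:15 UTC.
function lastSafeVersion(packument) {
  const flagged = new Set(auditPackument(packument).map(f => f.version));
  let best = null;
  for (const version of Object.keys(packument.versions)) {
    const t = Date.parse(packument.time[version]);
    if (flagged.has(version) || t >= WINDOW_START) continue;
    if (best === null || t > best.time) best = { version, time: t };
  }
  return best === null ? null : best.version;
}

// CONSTRUCTED packument: a clean release, the malicious republish, and a later clean release.
const SAMPLE_PACKUMENT = {
  name: '@mastra/example',
  'dist-tags': { latest: '0.9.1' },
  time: {
    '0.9.0': '2026-06-10T12:00:00.000Z',
    '0.9.1': '2026-06-17T01:32:10.000Z',
    '0.9.2': '2026-06-17T03:10:00.000Z',
  },
  versions: {
    '0.9.0': {
      dependencies: { 'some-dep': '^1.0.0' },
      dist: { attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/@mastra%2fexample@0.9.0',
                              provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } },
    },
    '0.9.1': { dependencies: { 'some-dep': '^1.0.0', 'easy-day-js': '1.11.22' }, dist: {} },
    '0.9.2': {
      dependencies: { 'some-dep': '^1.0.0' },
      dist: { attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/@mastra%2fexample@0.9.2',
                              provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } },
    },
  },
};

// Usage: curl -s https://registry.npmjs.org/@mastra%2fcore > core.json && node audit-packument.js core.json
if (typeof require === 'function' && process.argv[2]) {
  const p = JSON.parse(require('node:fs').readFileSync(process.argv[2], 'utf8'));
  console.log(JSON.stringify({ findings: auditPackument(p), latestIsFlagged: latestIsFlagged(p), pin: lastSafeVersion(p) }, null, 2));
} else {
  console.log(JSON.stringify({ findings: auditPackument(SAMPLE_PACKUMENT), pin: lastSafeVersion(SAMPLE_PACKUMENT) }, null, 2));
}
```

On an already installed tree, npm's built-in `npm audit signatures` performs the registry signature and provenance verification this script approximates; the script is useful when you want to inspect a package's history before installing anything at all.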
What the malware does
The malicious payload is delivered via a postinstall hook in the easy-day-js@1.11.22 dependency injected into every affected @mastra package. The hook executes automatically on npm install without any further user interaction.
TLS verification disabled: The hook first disables TLS certificate verification, so the downloads that follow succeed even if the attacker's server presents a self-signed or otherwise untrusted certificate, or if an inspecting proxy sits in the path.
Stage-2 dropper fetched: A dropper binary is downloaded from the attacker's C2 infrastructure at 23.254.164[.]92:8000.
Crypto wallet stealer and RAT deployed: The dropper fetches and executes a crypto wallet stealer and a remote access trojan (RAT) that establishes a persistent connection back to 23.254.164[.]123:443. Both processes are launched detached from the parent npm process, so they outlive the install.
Self-deletion: The postinstall script deletes itself after execution, removing evidence of the initial infection vector from disk.
Indicators of compromise
If you installed any affected version (see Affected packages above), treat your environment as compromised.
Network indicators
Dropper C2: 23.254.164[.]92:8000 (Hostwinds infrastructure)
RAT C2: 23.254.164[.]123:443 (confirmed live at time of analysis)
File hashes
easy-day-js@1.11.22 tarball: 4a8860240e4231c3a74c81949be655a28e096a7d72f38fbe84e5b37636b98417
easy-day-js@1.11.21 tarball: ae70dd4f6bc0d1c8c2848e4e6b51934626c4818dcb5af99d080ddbd7dc337185
Package-level indicators
Dependency on easy-day-js@1.11.22 in any @mastra package
Presence of easy-day-js in node_modules
On disk artifacts (temp directory)
.pkg_history and .pkg_logs marker files, plus a randomly named <hex>.js
How to check if you're affected
Run the following commands to audit your environment.
List installed @mastra packages:
npm list --depth=0 | grep @mastra
Check for the malicious dependency in node_modules:
ls node_modules | grep easy-day-js
Search your lockfiles:
# package-lock.json
grep -r "easy-day-js" package-lock.json
# yarn.lock
grep -r "easy-day-js" yarn.lock
# pnpm-lock.yaml
grep -r "easy-day-js" pnpm-lock.yaml
Search node_modules for the postinstall script artifact:
find node_modules/easy-day-js -name "*.js" 2>/dev/null
Note: A match in a lockfile alone warrants a full investigation: it means the malicious version was resolved during a prior install, even if the files have since been removed from node_modules. The lockfile search is also more reliable than listing node_modules, because ls only sees hoisted top-level packages and misses a copy nested under a @mastra package's own node_modules directory.
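The grep commands above answer whether the string appears; the script below, an added example that is not from the advisory or the Mastra project, parses the lockfile properly and reports which @mastra packages it resolves, every path at which easy-day-js appears (nested copies included), which packages require it, and which entries npm has marked as carrying an install script. It handles package-lock.json lockfileVersion 1 (nested dependencies tree, which does not record install scripts) and 2/3 (flat packages map). Both lockfiles in the block are constructed, and the @mastra version numbers in them are hypothetical.

```javascript
// Added example (not code from the advisory or the Mastra project).
// Audit a package-lock.json for the @mastra takeover indicators.
// SAMPLE_LOCK_V3 and SAMPLE_LOCK_V1 are CONSTRUCTED; their @mastra versions are hypothetical.

const MALICIOUS = { name: 'easy-day-js', version: '1.11.22' };

function isMastraPackage(name) {
  return name === 'mastra' || name === 'create-mastra' || name.startsWith('@mastra/');
}

// lockfileVersion 2/3: keys are install paths such as
// "node_modules/@mastra/core/node_modules/easy-day-js".
function fromPackagesMap(packages) {
  const out = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === '') continue; // the root project itself
    out.push({
      path,
      name: entry.name || path.split('node_modules/').pop(),
      version: entry.version,
      requires: entry.dependencies || {},
      hasInstallScript: Boolean(entry.hasInstallScript),
    });
  }
  return out;
}

// lockfileVersion 1: a nested tree; "requires" lists what an entry depends on
// and "dependencies" holds packages nested under it. v1 does not record install scripts.
function fromDependenciesTree(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    out.push({ path, name, version: entry.version, requires: entry.requires || {}, hasInstallScript: false });
    if (entry.dependencies) fromDependenciesTree(entry.dependencies, `${path}/`, out);
  }
  return out;
}

function listResolved(lockfile) {
  if (lockfile.packages) return fromPackagesMap(lockfile.packages);
  if (lockfile.dependencies) return fromDependenciesTree(lockfile.dependencies, '', []);
  return [];
}

function auditLockfile(lockfile) {
  const resolved = listResolved(lockfile);
  const copies = resolved.filter(p => p.name === MALICIOUS.name);
  return {
    // Any resolution of the malicious version means its postinstall hook ran on this host.
    compromised: copies.some(p => p.version === MALICIOUS.version),
    mastraPackages: resolved.filter(p => isMastraPackage(p.name)).map(p => `${p.name}@${p.version}`),
    maliciousCopies: copies.map(p => `${p.path} (${p.version})`),
    requiredBy: resolved
      .filter(p => Object.prototype.hasOwnProperty.call(p.requires, MALICIOUS.name))
      .map(p => `${p.name}@${p.version}`),
    installScripts: resolved.filter(p => p.hasInstallScript).map(p => p.path),
  };
}

// CONSTRUCTED lockfiles: a backdoored @mastra package with the dependency nested under it.
const SAMPLE_LOCK_V3 = {
  name: 'my-agent-app', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'my-agent-app', dependencies: { '@mastra/core': '^0.9.0' } },
    'node_modules/@mastra/core': { version: '0.9.1', dependencies: { 'some-dep': '^1.0.0', 'easy-day-js': '1.11.22' } },
    'node_modules/@mastra/core/node_modules/easy-day-js': { version: '1.11.22', hasInstallScript: true },
    'node_modules/some-dep': { version: '1.2.0' },
  },
};
const SAMPLE_LOCK_V1 = {
  name: 'my-agent-app', lockfileVersion: 1, requires: true,
  dependencies: {
    '@mastra/core': {
      version: '0.9.1',
      requires: { 'some-dep': '^1.0.0', 'easy-day-js': '1.11.22' },
      dependencies: { 'easy-day-js': { version: '1.11.22' } },
    },
    'some-dep': { version: '1.2.0' },
  },
};

// Usage: node audit-lockfile.js package-lock.json
if (typeof require === 'function' && process.argv[2]) {
  const lock = JSON.parse(require('node:fs').readFileSync(process.argv[2], 'utf8'));
  console.log(JSON.stringify(auditLockfile(lock), null, 2));
} else {
  console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK_V3), null, 2));
}
```

Run it against every package-lock.json in the repository, CI caches included; a non-empty maliciousCopies list is the same signal as a lockfile grep hit and should trigger the response steps below, while the installScripts list shows which entries would run code at install time if you tighten the ignore-scripts policy later.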
Immediate steps if you're affected
Isolate the host immediately: Remove the affected machine from the network to prevent further data exfiltration to the active RAT C2.
Rotate all credentials on the host: This includes npm tokens, cloud provider credentials (AWS, GCP, Azure), SSH keys, API keys, and any secrets accessible from the environment. Assume any credential that touched this machine is compromised.
Block egress to C2 infrastructure: Add firewall rules to block all outbound traffic to 23.254.164[.]92 and 23.254.164[.]123 across your environment.
Audit your cryptocurrency wallets: The malware specifically targets crypto wallet credentials. Review wallet access logs and consider moving assets to new wallets with fresh keys.
Remove affected packages and reinstall clean versions: Delete node_modules and your lockfile, pin @mastra packages to versions published before 01:15 UTC on June 17, 2026 (verify on the npm registry), and reinstall.
Review cloud and CI/CD logs: Check for any unexpected outbound connections, credential use, or process launches originating from your build environment between June 17, 01:15 UTC and when you patched.
Why Chainguard customers were protected
Chainguard customers were not affected by this attack. For customers using Chainguard Libraries for JavaScript, our malware and greyware scanner detected and blocked easy-day-js@1.11.22 from being served via our upstream fallback, preventing the malicious dependency from reaching customers through passthrough.
Chainguard-built libraries provide an additional layer of protection by design: our current policy is not to build packages that use install-time scripts. Such scripts are a well-known attack vector because they execute arbitrary code automatically during npm install with no user interaction, a pattern seen repeatedly in recent campaigns including mini Shai-Hulud, node-ipc, and Axios. As a result, the affected @mastra packages would never exist in our source-built catalog.
The bigger picture
This attack follows a well-established pattern: gain access to a legitimate contributor account, republish a large namespace of packages with a shared malicious dependency, and rely on the trust developers place in familiar package names. The @mastra scope's 143-package footprint made it a high-leverage target, since a single compromised account was enough to produce 143 malicious packages in under 90 minutes.
This attack also continues a theme of weaponizing popular open source projects used to build with AI. Mastra is a framework for agentic development and for building integrations with LLMs and MCP servers, so it tends to run in highly sensitive production environments that hold confidential data and credentials. As more organizations adopt AI, it has become essential that the tools they adopt are secure by default.
A few structural takeaways:
Namespace breadth amplifies account compromise. A single former contributor account was sufficient to poison an entire ecosystem of packages. Organizations maintaining large npm scopes should enforce strict access reviews for former contributors and require multi-factor authentication on all publishing accounts.
postinstall hooks remain a high-risk attack surface. This campaign, like many before it, used npm's postinstall hook to execute arbitrary code at install time. Audit your npm configurations and consider disabling install scripts (npm's ignore-scripts setting) in CI/CD environments where they aren't required.
Speed of detection matters. The malicious versions were live for approximately 84 minutes. Detection-to-block time is a critical metric, and proactive blocking before install is the only way to remove your exposure window.
Sources
safedep.io advisory: https://safedep.io/mastra-npm-scope-takeover-supply-chain-attack/
Want to learn more about Chainguard?
Supply chain attacks like this one are becoming faster, more automated, and harder to detect after the fact. Chainguard's secure open source artifacts are built from source with minimal vulnerabilities, provable provenance, and malware-resistance by design, so your team isn't relying on detection alone. Get started for free today or reach out to our team to learn how Chainguard can protect your software supply chain.