140+ npm Packages Compromised in Coordinated Supply Chain Attack
A coordinated supply chain attack compromised over 140 Mastra npm packages by injecting a typosquatted dependency named easy-day-js. The malicious code executes during npm install via a postinstall hook, deploying a two-stage payload that disables TLS validation and installs a cross-platform implant on Windows, macOS, and Linux. This implant acts as a command-and-control client capable of stealing cryptocurrency wallet data from over 166 browser extensions, harvesting browser history, and executing arbitrary code. The attack affects popular packages including @mastra/core, which has high weekly downloads, compromising developer systems during package installation.
AI Analysis
Technical Summary
More than 140 Mastra npm packages were compromised through a supply chain attack involving a typosquatted dependency called easy-day-js. A single npm account published malicious versions rapidly, affecting widely used packages such as @mastra/core. The attack leverages the npm postinstall hook to execute a two-stage payload: first disabling TLS validation and then downloading a second-stage implant that establishes persistence across Windows, macOS, and Linux platforms. This implant functions as a command-and-control client that steals cryptocurrency wallet inventories from 166+ browser extensions, collects browser history, and can execute arbitrary commands from operators. The malicious code runs before developers import the packages, compromising systems during installation.
Potential Impact
Systems installing affected Mastra npm packages are compromised during the installation process. The attack disables TLS validation, enabling the download of a second-stage implant that persists across multiple operating systems. This implant steals sensitive cryptocurrency wallet information from numerous browser extensions, harvests browser history, and allows remote code execution by threat operators. This results in potential theft of digital assets, privacy breaches, and full system compromise.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix or update is available, developers should avoid installing or updating affected Mastra npm packages, especially those that pull in the easy-day-js dependency. Before installing, verify package integrity and source authenticity: inspect lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) for easy-day-js, and check systems that have recently installed Mastra packages against the hashes, URLs, and domains listed under Indicators of Compromise. Because the payload runs from a postinstall hook, installing with lifecycle scripts disabled (npm's --ignore-scripts option) prevents that hook from executing, at the cost of also skipping legitimate install scripts. Monitor official npm advisories and trusted security sources for updates and remediation instructions.
Indicators of Compromise
- hash: 221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf
- hash: 9570f77a5e1511869f4e554e7166df9fde081f2583e293c2569621792ed7d9c9
- hash: b122a9873bedf145ae2a7fd024b5f309007dbb025149f4dc4ac3f7e4f32a36a4
- hash: c38954e85bf5433e61e7c8f4230336695624ae88b6953afabf7bf817aa91b638
- hash: cdec8b20338beb708b5be8d3d7a3041a35a8b0fb92f9186262f312d55ff82066
- url: https://23.254.164.92:8000/update/49890878
- url: https://23.254.164.92:8000/update/49890878'
- domain: hwsrv-1327785.hostwindsdns.com
- domain: hwsrv-1327786.hostwindsdns.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://socket.dev/blog/mastra-npm-packages-compromised
- Adversary: null
- Pulse Id: 6a32a359d57a0d5d5999e35f
- Threat Score: null
Threat ID: 6a330198f198dc38c1fe17e8
Added to database: 6/17/2026, 8:20:40 PM
Last enriched: 6/17/2026, 8:35:25 PM
Last updated: 6/17/2026, 9:46:36 PM