From package to postinstall payload: Inside the Mastra npm supply chain compromise
Microsoft Threat Intelligence discovered a large-scale npm supply chain attack compromising over 140 packages in the mastra and @mastra scopes. The attack originated from a takeover of the ehindero npm maintainer account, from which poisoned package versions were published that introduced easy-day-js, a malicious typosquat of the popular dayjs library. The malicious package executed a postinstall hook that deployed an obfuscated dropper script, disabled TLS certificate verification, contacted command-and-control infrastructure at 23.254.164.92 and 23.254.164.123, and downloaded a second-stage payload. This 41KB cross-platform Node.js implant installed persistence mechanisms, performed cryptocurrency wallet inventory, exfiltrated browser history and host reconnaissance data, and on Windows performed reflective .NET assembly injection for fileless in-memory code execution. Because the payload ran from the install hook, any developer workstation or CI/CD pipeline executing npm install after the compromise was potentially exposed, whether or not the package's code was ever imported or called.
AI Analysis
Technical Summary
Microsoft Threat Intelligence identified a supply chain compromise affecting over 140 npm packages within the mastra and @mastra namespaces. The compromise stemmed from an account takeover of the ehindero npm maintainer account, from which poisoned package versions containing easy-day-js, a malicious typosquat of the legitimate dayjs library, were published. The malicious package leveraged a postinstall hook to execute an obfuscated dropper script that disabled TLS certificate verification and communicated with command-and-control servers at IPs 23.254.164.92 and 23.254.164.123. It then downloaded a 41KB cross-platform Node.js implant that established persistence, performed cryptocurrency wallet inventory, exfiltrated browser history and reconnaissance data, and on Windows used reflective .NET assembly injection for fileless in-memory code execution. This attack vector exposed any environment performing npm install on these compromised packages, including developer workstations and CI/CD pipelines, regardless of whether the malicious package's code was ever explicitly used.
Potential Impact
The attack compromises developer and CI/CD environments by executing malicious code during npm install, potentially leading to credential theft, cryptocurrency wallet compromise, data exfiltration, and persistent implant installation. The malicious payload disables TLS verification, increasing risk of man-in-the-middle attacks. On Windows, reflective .NET assembly injection enables stealthy, fileless execution, complicating detection and remediation. The supply chain nature means many downstream projects and organizations could be affected simply by installing these compromised packages.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until official fixes or removals are confirmed, developers and organizations should audit their dependencies for packages in the mastra and @mastra scopes, especially easy-day-js and related typosquats. Avoid running npm install on untrusted or suspicious packages. Monitor for indicators of compromise such as connections to the known command-and-control IPs (23.254.164.92 and 23.254.164.123) and hashes associated with the malicious payload. Follow updates from npm and Microsoft security advisories for official remediation steps.
Indicators of Compromise
- url: https://23.254.164.92:8000/update/49890878
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/
- Adversary: null
- Pulse Id: 6a338520dd8f528ed63d76f0
- Threat Score: null
Threat ID: 6a340291f198dc38c1f62f79
Added to database: 6/18/2026, 2:37:05 PM
Last enriched: 6/18/2026, 2:50:04 PM
Last updated: 6/18/2026, 6:16:53 PM