the entire @mastra npm scope got hijacked last night with 141 packages including @mastra/core
The entire @mastra npm scope was hijacked, affecting 141 packages including @mastra/core. The attacker did not modify the original source code but added a malicious dependency named easy-day-js, a seemingly benign dayjs clone. The attack exploited semantic versioning by specifying a dependency version range (^1.11.21) while the latest tag pointed to a newer version (1.11.22) containing a malicious postinstall hook. This allowed the malicious code to execute during package installation without immediate detection.
AI Analysis
Technical Summary
This campaign involved a supply chain attack on the @mastra npm scope where 141 packages were compromised. The attacker inserted a malicious dependency (easy-day-js) that appeared legitimate but contained a postinstall hook in version 1.11.22. The dependency was specified with a semver range (^1.11.21), so users auditing version 1.11.21 would not detect the malicious code, yet npm installed the newer 1.11.22 version. This technique allowed the attacker to execute code during package installation without altering the original package source code.
Potential Impact
The compromise of the @mastra npm scope affects all users and projects relying on any of the 141 hijacked packages, including @mastra/core. The malicious postinstall hook in the easy-day-js dependency could execute arbitrary code during installation, potentially leading to supply chain compromise, unauthorized code execution, or further malware deployment. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory or official @mastra npm scope maintainers for current remediation guidance. Users should audit their dependencies carefully, especially those with semver ranges that may resolve to newer, unreviewed versions. Temporarily avoid using affected packages until a fix or official guidance is provided. Consider pinning dependencies to exact versions verified as safe.
the entire @mastra npm scope got hijacked last night with 141 packages including @mastra/core
Description
The entire @mastra npm scope was hijacked, affecting 141 packages including @mastra/core. The attacker did not modify the original source code but added a malicious dependency named easy-day-js, a seemingly benign dayjs clone. The attack exploited semantic versioning by specifying a dependency version range (^1.11.21) while the latest tag pointed to a newer version (1.11.22) containing a malicious postinstall hook. This allowed the malicious code to execute during package installation without immediate detection.
Reddit Discussion
The attacker didn't touch any Mastra source code but just added one dependency to every package: easy-day-js which is a clean-looking dayjs clone. The trick was in semver that is they pinned ^1.11.21 but the latest tag pointed to 1.11.22 which had a postinstall hook. You audit 1.11.21but npm installs 1.11.22.
full details - https://safedep.io/mastra-npm-scope-takeover-supply-chain-attack/
Links cited in this discussion
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This campaign involved a supply chain attack on the @mastra npm scope where 141 packages were compromised. The attacker inserted a malicious dependency (easy-day-js) that appeared legitimate but contained a postinstall hook in version 1.11.22. The dependency was specified with a semver range (^1.11.21), so users auditing version 1.11.21 would not detect the malicious code, yet npm installed the newer 1.11.22 version. This technique allowed the attacker to execute code during package installation without altering the original package source code.
Potential Impact
The compromise of the @mastra npm scope affects all users and projects relying on any of the 141 hijacked packages, including @mastra/core. The malicious postinstall hook in the easy-day-js dependency could execute arbitrary code during installation, potentially leading to supply chain compromise, unauthorized code execution, or further malware deployment. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory or official @mastra npm scope maintainers for current remediation guidance. Users should audit their dependencies carefully, especially those with semver ranges that may resolve to newer, unreviewed versions. Temporarily avoid using affected packages until a fix or official guidance is provided. Consider pinning dependencies to exact versions verified as safe.
Technical Details
- Source Type
- Subreddit
- Malware
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":35,"reasons":["external_link","established_author","recent_news"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a32de4af198dc38c1d5758a
Added to database: 6/17/2026, 5:50:02 PM
Last enriched: 6/17/2026, 5:50:08 PM
Last updated: 6/17/2026, 7:52:30 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.