
easy-day-js / Mastra npm Supply Chain Attack

avoid.net/easy-day-js-mastra-npm-supply-chain-attack
[AI-DRAFTED · AWAITING VERIFICATION]

Summary

On June 16–17, 2026, attackers published a typosquatted npm package, easy-day-js, that mimicked the legitimate dayjs date library, then used a hijacked npm account (ehindero) belonging to a Mastra maintainer to add it as a dependency of 141–144 packages in the @mastra npm scope within an 88-minute window. The package's postinstall payload acted as a cross-platform remote access trojan (RAT) and infostealer, exfiltrating cryptocurrency wallet credentials, browser history and developer secrets before deleting itself. The affected packages had a combined weekly download count exceeding 1.1 million.


    Timeline (8 events)

    2026-05-29

    A loader identical to the easy-day-js dropper was submitted to public malware sandboxes approximately 19 days before the Mastra attack, indicating that the toolkit had been tested or used earlier.

    JFrog Security Research

    2026-06-16

    The npm account sergey2016 published easy-day-js@1.11.21 at 07:05 UTC: a clean, fully functional copy of the legitimate dayjs library with no malicious code, establishing a credible package history before the malicious release.

    StepSecurity / JFrog

    2026-06-17

    sergey2016 published easy-day-js@1.11.22 at 01:01 UTC with an obfuscated malicious postinstall dropper (setup.cjs). The dropper disabled TLS verification and downloaded its next stage from a C2 server at 23.254.164.92:8000.

    StepSecurity / Socket

    2026-06-17

    Beginning at 01:12 UTC, the compromised ehindero account mass-published 141–144 trojanized @mastra packages over 88 minutes (through approximately 02:39 UTC), each listing easy-day-js@^1.11.21 as a dependency, a range that resolves to the malicious 1.11.22.

    Socket / StepSecurity

    2026-06-17

    The Mastra team became aware of the attack at approximately 8:45 PM PT (June 16 US time), contacted npm and Socket Security, and began unpublishing the compromised packages.

    Mastra GitHub Issue #18061

    2026-06-17

    By 11:57 PM PT, 110 malicious package versions had been unpublished and 6 more deprecated (npm's rules prevented unpublishing those). Safe versions were published via PR #18056 around 1:00 AM PT, and the MFA token bypass vulnerability was removed.

    Mastra GitHub Issue #18061

    2026-06-17

    The compromised maintainer was confirmed to be an active Mastra employee whose npm account had been hijacked by social phishing through a fraudulent LinkedIn message. The attacker had changed the ehindero account's email address to ehindero2016@tutamail.com.

    Mastra GitHub Issue #18061 / Snyk

    2026-06-17

    Multiple security firms (StepSecurity, Socket, OX Security, JFrog, Snyk, Phoenix Security) published public technical analyses of the attack; JFrog flagged all compromised versions within 24 hours of detection.

    Multiple security research firms
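    As an added example (not code from this page, from Mastra, or from any of the cited firms), the following Node.js script scans an npm lockfile for the dependency chain described in the timeline: it reports where easy-day-js resolved and at what version, which packages declare it as a dependency and whether their range (such as the ^1.11.21 used in the attack) admits the malicious 1.11.22, and which packages carry install scripts. Only indicators stated on this page are used; the sample lockfile and the @mastra/example package name in it are constructed for illustration.

```javascript
// Added example, not code from the page or from the Mastra project: scan an npm
// lockfile (v2/v3 "packages" map) for the easy-day-js dependency chain described
// in the timeline and flag packages that run install scripts. Assumptions: the
// only indicators used are those on the page (easy-day-js, malicious version
// 1.11.22, dependency range ^1.11.21); the sample lockfile and the
// @mastra/example package name in it are constructed for illustration.
'use strict';

const MALICIOUS_PACKAGE = 'easy-day-js';
const KNOWN_BAD_VERSIONS = new Set(['1.11.22']); // 1.11.21 was a clean decoy release

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal caret-range check: ^x.y.z allows >= x.y.z and < (x+1).0.0 (for x > 0),
// which is why a dependency declared as ^1.11.21 silently picked up 1.11.22 once
// that version was published. Ranges without a caret are compared for equality.
function satisfiesCaret(range, version) {
  const caret = range.startsWith('^');
  const base = parseVersion(caret ? range.slice(1) : range);
  const v = parseVersion(version);
  if (!base || !v) return false;
  if (!caret) return compareVersions(base, v) === 0;
  if (base[0] !== v[0]) return false;
  if (base[0] === 0 && base[1] !== v[1]) return false; // ^0.y.z keeps the minor fixed
  return compareVersions(v, base) >= 0;
}

// "node_modules/@mastra/example/node_modules/foo" -> "foo"
function packageNameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? p : p.slice(i + 'node_modules/'.length);
}

function scanLockfile(lock) {
  const findings = { resolved: [], dependents: [], installScripts: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path === '' ? '(root project)' : packageNameFromPath(path);
    // The malicious package itself, and whether the resolved version is known bad.
    if (name === MALICIOUS_PACKAGE) {
      findings.resolved.push({
        path, version: entry.version, knownBad: KNOWN_BAD_VERSIONS.has(entry.version),
      });
    }
    // Anything that declares easy-day-js as a dependency, and whether its range
    // admits a known-bad version (the ^1.11.21 range used in the attack does).
    const range = entry.dependencies && entry.dependencies[MALICIOUS_PACKAGE];
    if (range) {
      const allowsKnownBad = [...KNOWN_BAD_VERSIONS].some((v) => satisfiesCaret(range, v));
      findings.dependents.push({ path: path || '(root project)', range, allowsKnownBad });
    }
    // npm records hasInstallScript for packages with (pre|post)install hooks;
    // these are the packages that can execute code at `npm install` time.
    if (entry.hasInstallScript) findings.installScripts.push(path);
  }
  return findings;
}

// Constructed sample lockfile; @mastra/example is a hypothetical package name.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { '@mastra/example': '^0.1.0', dayjs: '^1.11.13' } },
    'node_modules/@mastra/example': { version: '0.1.5', dependencies: { 'easy-day-js': '^1.11.21' } },
    'node_modules/easy-day-js': { version: '1.11.22', hasInstallScript: true },
    'node_modules/dayjs': { version: '1.11.13' },
  },
};

const sampleReport = scanLockfile(SAMPLE_LOCKFILE);
console.log(JSON.stringify(sampleReport, null, 2));
```

    To run it against a real project, replace SAMPLE_LOCKFILE with the parsed contents of package-lock.json (lockfile version 2 or 3). npm can answer the first question directly with `npm ls easy-day-js`, and installing with `npm ci --ignore-scripts` prevents a postinstall hook of this kind from running at all, at the cost of breaking packages that legitimately need install scripts.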

    Provenance & Audit Trail

    Decision Log

    This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

    model: claude-sonnet-4-6

    generated: 6/17/2026, 5:03:53 PM

    last updated: 6/17/2026, 5:04:02 PM

    avoid.net — verified advice for a post-truth world