Mastra AI npm Supply Chain Attack (June 2026)
Summary
On June 17, 2026, attackers hijacked a dormant npm contributor account ('ehindero') to inject a malicious dependency ('easy-day-js') into 140+ packages across the @mastra npm scope, affecting an estimated 1.1 million+ weekly downloads. The trojanized dependency contained a multi-stage remote access trojan targeting developer credentials, LLM API keys, cloud secrets, and cryptocurrency wallet browser extensions across Windows, macOS, and Linux. Mastra and npm responded within hours by revoking the compromised account, unpublishing malicious versions, and forward-rolling clean releases.
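As an added defender-side check (not code from the original page, from Mastra, or from npm), the Python script below scans an npm package-lock.json for the 'easy-day-js' dependency named above, reports which installed packages declare it, and flags whether the installed copy carries an install script, since the trojanized version armed itself through a postinstall hook. The lockfile embedded in the script is constructed for illustration: the package names come from this incident, 1.11.22 is the version the timeline identifies as malicious, and the @mastra/core version string and the extra 'zod' entry are placeholders.

```python
"""Scan an npm lockfile (lockfileVersion 2/3 'packages' map) for a known-bad
dependency and report the packages that pulled it in.

Added example; not the page's or any vendor's code. The embedded lockfile is
constructed for illustration and its @mastra/core version is a placeholder.
"""
import json
from typing import Dict, List, Set

# Versions flagged in the incident (advisory SNYK-JS-EASYDAYJS-17353313).
# 1.11.21 was the clean seed copy of dayjs; 1.11.22 carried the dropper.
MALICIOUS: Dict[str, Set[str]] = {"easy-day-js": {"1.11.22"}}

# Constructed sample lockfile. Only the package names are taken from the
# incident; the @mastra/core version and the 'zod' entry are placeholders.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"@mastra/core": "*"}},
        "node_modules/@mastra/core": {
            "version": "0.0.0-placeholder",
            "dependencies": {"easy-day-js": "^1.11.22", "zod": "^3.0.0"},
        },
        "node_modules/easy-day-js": {
            "version": "1.11.22",
            "hasInstallScript": True,  # npm records install/postinstall hooks here
        },
        "node_modules/zod": {"version": "3.23.8"},
    },
}


def package_name(path: str) -> str:
    """Map a lockfile path to a package name.

    'node_modules/@scope/pkg' and 'a/node_modules/@scope/pkg' both give
    '@scope/pkg'; the empty path is the root project.
    """
    if not path:
        return "(root project)"
    return path.rsplit("node_modules/", 1)[-1]


def find_malicious_installs(lock: dict) -> List[dict]:
    """Every installed copy of a package listed in MALICIOUS, with its version,
    whether that version is a flagged one, and whether it has an install script."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        name = package_name(path)
        bad_versions = MALICIOUS.get(name)
        if bad_versions is None:
            continue
        version = meta.get("version")
        hits.append({
            "path": path,
            "version": version,
            "flagged": version in bad_versions,
            "install_script": bool(meta.get("hasInstallScript")),
        })
    return hits


def find_dependents(lock: dict, dep: str) -> List[str]:
    """Names of packages whose manifest declares `dep` in any dependency field."""
    fields = ("dependencies", "optionalDependencies", "peerDependencies")
    out = []
    for path, meta in lock.get("packages", {}).items():
        if any(dep in meta.get(field, {}) for field in fields):
            out.append(package_name(path))
    return sorted(out)


def scan(lock: dict) -> dict:
    """Full report: flagged installs plus, for each, the packages that depend on it."""
    report = {"findings": find_malicious_installs(lock), "dependents": {}}
    for hit in report["findings"]:
        name = package_name(hit["path"])
        report["dependents"][name] = find_dependents(lock, name)
    return report


if __name__ == "__main__":
    import sys
    # Usage: python scan_lock.py path/to/package-lock.json (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_LOCK
    print(json.dumps(scan(data), indent=2))
```

The check matches by package name and version, so it answers "is a flagged copy installed, and which of my packages brought it in", which is what an incident responder needs first. It does not attempt to detect a repackaging under a different name; for that, the 'install_script' field is the more general signal, since lockfileVersion 2 and 3 record it for any package with install hooks and it is worth reviewing on every new transitive dependency.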
Connected Entities
1 entity · 10 linked investigations
Timeline (9 events)
2024-01-01
npm account 'ehindero' published legitimate alpha versions of @mastra/core, acquiring org-wide scope publish rights that were never subsequently revoked.
Source: Snyk
2026-06-16
Account 'sergey2016' published 'easy-day-js@1.11.21' to npm, a clean, byte-identical copy of the legitimate dayjs library, seeding the attack infrastructure without triggering alerts.
Source: StepSecurity
2026-06-17
At 01:01 UTC, 'easy-day-js@1.11.22' was published with an obfuscated postinstall dropper ('setup.cjs') and tagged as 'latest', arming the previously clean package.
Source: StepSecurity / Endor Labs
2026-06-17
Between 01:12 and 02:39 UTC, the hijacked account 'ehindero' ran an automated 88-minute campaign that republished 140+ @mastra/* packages, each with the 'easy-day-js' dependency injected, exposing a combined 1.1 million+ weekly downloads.
Source: StepSecurity / Snyk / Endor Labs
2026-06-17
Endor Labs detected the first malicious republish approximately 2 minutes and 18 seconds after it appeared on the npm registry.
Source: Endor Labs
2026-06-17
The Microsoft Defender Security Research Team published a blog post detailing the attack mechanics and threat-hunting guidance.
Source: Microsoft Security Blog
2026-06-17
npm removed the 'easy-day-js' package from the registry and flagged the malicious versions under advisory SNYK-JS-EASYDAYJS-17353313. The 'ehindero' account was removed as a scope owner.
Source: Snyk
2026-06-17
Mastra forward-rolled 142 packages to clean versions, moved the 'latest' dist-tag past all compromised releases (restoring @mastra/core 'latest' to version 1.42.0), and disabled token-bypass authentication on all packages.
Source: Snyk / The Hacker News
2026-06-18
Multiple security firms, including OX Security, Orca Security, Phoenix Security, SafeDep, Cloudsmith, and Kodem, published detailed technical analyses and incident response runbooks.
Source: OX Security
Decision Log
- hash: GDUcSUD2NG6q8Kh9tmF9bqZfSfpUfryH7K8b5Lt7U69j
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/19/2026, 12:20:56 PM
last updated: 6/19/2026, 12:21:09 PM
avoid.net — verified advice for a post-truth world