Summarize with:

Share
The Mastra npm incident is a sharp warning for teams building AI agents: dependency compromise is no longer just a problem for traditional web applications. Microsoft, JFrog, Socket, StepSecurity, Orca Security, and other researchers have documented a campaign in which a hijacked npm maintainer account was used to republish more than 140 packages in the Mastra AI framework ecosystem with a malicious dependency called easy-day-js.
The affected packages were not simply defaced or broken. They pulled in a typosquatted dependency that executed during installation, fetched a second-stage payload, and targeted developer systems, build agents, cryptocurrency wallets, cloud credentials, and LLM API keys. Microsoft later attributed the activity with high confidence to Sapphire Sleet, a North Korea-linked actor also tracked as BlueNoroff.
For defenders, this is bigger than one package namespace. It shows how AI development stacks can become a high-value malware delivery path when package publishing rights, install scripts, and automatic dependency resolution line up in the attacker's favor.
Researchers report that the campaign began with control of the ehindero npm maintainer account, which still had publish rights across the Mastra ecosystem. On June 17, 2026, the attacker republished a large set of @mastra/* packages and added easy-day-js as a dependency.
That name was deliberately close to dayjs, a legitimate and widely used JavaScript date library. JFrog's registry timeline shows a clean-looking [email protected] was published on June 16, followed by weaponized [email protected] on June 17. The affected Mastra packages then declared a dependency range that allowed npm to resolve the newer malicious version automatically.
This is the quiet part of the attack. The compromised Mastra package code did not need to contain the main payload. The malicious behavior was pushed one level down into a dependency that looked plausible enough to pass a quick review.
The real risk came from npm's lifecycle behavior. The malicious easy-day-js package used an obfuscated postinstall script, which runs automatically after installation. Researchers say that script disabled TLS verification, wrote temporary markers, downloaded a second-stage payload from attacker infrastructure, launched it in the background, and attempted to remove traces of the initial loader.
That means a normal npm install could become code execution on a developer laptop, CI runner, or build host. No production deployment was required. No user needed to open a malicious document. The install process itself became the execution path.
This is why the incident belongs in incident response, not only software composition analysis. If an affected system installed the poisoned dependency during the exposure window, defenders should not treat the event as a harmless dependency alert. They should assume credentials and local secrets may have been exposed.
Public research points to a cross-platform infostealer and remote-access payload. Orca Security says the malware targeted browser data from Chrome, Edge, and Brave, 166 cryptocurrency wallet extensions, host reconnaissance data, and persistence across Windows, macOS, and Linux. StepSecurity and Socket reported that the affected packages represented more than 1.1 million combined weekly downloads, with @mastra/core alone accounting for a large share of the ecosystem's reach.
The target set tells the story. AI developer environments often hold:
That makes this a high-value identity and access management problem. The attacker does not need to compromise the final AI application if they can steal the credentials used to build, test, deploy, and operate it.
AI agent frameworks sit at an uncomfortable intersection of trust. They are developer tools, automation platforms, and credential brokers at the same time. A single project may connect to OpenAI, Anthropic, cloud storage, internal databases, vector stores, GitHub, Slack, payment systems, and deployment pipelines.
That creates a richer blast radius than many teams expect from an npm dependency. A poisoned package in an AI framework can reach local .env files, CI variables, agent tool credentials, and secrets used for experiments that never passed through formal production controls.
Microsoft's attribution also matters. Sapphire Sleet has a documented history of targeting cryptocurrency and financial systems. In this case, the campaign blends that objective with developer-targeted supply chain tradecraft. The result is not just "steal wallets"; it is "steal the keys developers use to build systems that move money, data, and automation."
Check application repositories, lockfiles, container images, build caches, developer workstations, and CI runners for @mastra/*, mastra, create-mastra, and easy-day-js.
Fast local checks can start with:
bashnpm ls easy-day-js rg "easy-day-js|@mastra/|create-mastra|\"mastra\"" package.json package-lock.json pnpm-lock.yaml yarn.lock
Do not stop at the main branch. Include old feature branches, internal templates, sample applications, and AI experiments that may still run in automation.
If a developer machine, CI runner, or build host installed the malicious dependency, isolate it and investigate before returning it to normal use. Package removal alone is not enough if the second-stage payload established persistence or stole secrets.
Use the persistence paths and indicators published by researchers as starting points. Orca lists Windows, macOS, and Linux locations used by the payload, and multiple vendors list the same Hostwinds IP infrastructure as network IOCs.
Prioritize credentials that were present on affected systems at install time:
Secret rotation should include revocation and log review. If a token was stolen and used quickly, simply replacing it may hide the evidence trail defenders need.
Install scripts are powerful because some legitimate packages need build steps. But they are also one of the easiest ways for a dependency to execute code during installation.
Teams should consider --ignore-scripts for dependency review jobs, hardened CI lanes for untrusted dependency updates, and allowlists for packages that truly require lifecycle scripts. This will not eliminate supply chain risk, but it reduces the number of places where dependency resolution automatically becomes code execution.
The root operational failure was not only that a malicious dependency existed. It was that an account with publishing rights could still push package changes across a broad ecosystem.
Maintainers should review npm organization members, enforce phishing-resistant MFA where available, remove stale contributors, separate release automation from human accounts, and require provenance-backed releases. For large frameworks, package publishing should be treated like production deployment, not routine repository housekeeping.
The Mastra compromise is a useful case study because the attacker did not need a CVE. They used identity compromise, semver behavior, a typosquatted dependency, and npm lifecycle scripts to turn normal AI development activity into a credential-theft path.
That is the modern software supply chain problem in plain terms: trust is executed automatically. If a package manager, CI runner, or developer machine trusts a dependency enough to run code during install, attackers will try to become that dependency.
For security teams supporting AI development, the response should be practical:
easy-day-jsAI development is moving fast, but the trust model underneath it is still software supply chain trust. The Mastra incident shows how quickly that trust can be turned against defenders when package publishing rights are left too broad and installation is allowed to execute code by default.
It is a June 2026 compromise in which a hijacked npm maintainer account republished more than 140 Mastra AI framework packages with a malicious easy-day-js dependency that ran during installation.
No. This is a package supply chain compromise, not a conventional software vulnerability with a CVE. That makes dependency inventory, lockfile review, and behavioral detection especially important.
Developer workstations, CI runners, build servers, containers, and projects that installed affected Mastra packages or resolved [email protected] during the exposure window should be treated as potentially compromised.
Start with npm tokens, GitHub credentials, cloud keys, LLM API keys, CI/CD secrets, SSH keys, database credentials, and any cryptocurrency wallet material present on affected systems.
Written by
Research
A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.
Get the latest cybersecurity insights in your inbox.
supply chain attackRed Hat npm compromise proves provenance alone is not enough Red Hat has confirmed that multiple packages published under the @redhat-cloud-services npm namespa...
supply chain attackGitHub breach forces GHES signing-key rotation | 2026 GitHub's May 2026 incident is a useful reminder that developer tooling is now part of the production trust...
supply chain attackGitHub Action tag hijack turns CI/CD runs into credential theft A fresh GitHub Actions supply chain incident is a good reminder that "pinned" does not mean safe...