
144 Mastra npm Packages Compromised via Hijacked Contributor Account

Ravie Lakshmanan | June 17, 2026 | Malware / Cryptocurrency

144 npm packages in the Mastra namespace (“@mastra/*”), an open source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised in a software supply chain attack that adds a malicious dependency, “easy-day-js”, to each package, according to findings from JFrog, SafeDep, Socket, and StepSecurity.

“A single npm account (ehindero) published a total of more than 140 malicious packages to the entire Mastra environment in a short window on 2026-06-17,” Socket said.

The compromised packages themselves do not contain malicious code. Instead, it arrives through a third-party library, “easy-day-js”, that was added to each package’s dependency list. The JavaScript library was published by npm user “sergey2016” on June 16, 2026, at 7:05 am UTC as a clean, fully functional package; the malicious changes were introduced on June 17, 2026, at 1:01 am UTC.

The “easy-day-js” package carries an obfuscated payload that runs from the package’s install hook. It acts as a dropper, or loader, for a second-stage payload fetched from attacker-controlled infrastructure (“23.254.164[.]92”) after disabling TLS certificate verification.

That payload is then launched as a separate background process, after which the loader takes steps to delete itself to minimize the forensic trail.

The final stage is a multi-platform stealer that can harvest browser history, steal data from more than 160 cryptocurrency wallet browser extensions, set up persistence on Windows, macOS, and Linux, and exfiltrate the captured information to the C2 server (“23.254.164[.]123”).

In its analysis, SafeDep described “easy-day-js” as an imitation of the “dayjs” date library that downloads and executes a cryptocurrency-stealing remote access trojan. The attackers behind the campaign are said to have hijacked the account of “ehindero”, a Mastra contributor whose publish access had not been revoked. npm has removed the malicious versions of the affected packages and reverted their “latest” tag.

Image Source: StepSecurity

“Mastra sends its original releases from CI through a trusted npm publisher flow, and each carries SLSA credentials,” SafeDep said. “The attacker pushed malicious versions from the private token and crashed the base.”

“The same fingerprint repeats throughout the scope. Mastra generated provenance on CI publishes but didn’t require it, so a standard npm token can still publish without proof. Adding signature verification (npm test signatures, or a policy that requires proof) would have rejected every package in this wave.”

Any workstation, CI runner, or build environment that installed the affected versions should be treated as potentially compromised. It is recommended to roll back to a known-safe version, rotate any credentials that were present on those hosts, and check them for artifacts linked to the campaign.

“Affected packages include @mastra/core, which receives more than 918K npm downloads, giving this campaign a lot of room to explode,” Socket said. “Because the payload runs during installation, systems can be exposed before developers install or deploy the package.”
