144 Mastra npm Packages Backdoored in 88-Minute Supply Chain Attack

Socket

Security researchers at Socket have disclosed a supply chain attack that compromised 144 packages in the @mastra npm namespace on June 17, 2026. The attacker hijacked a contributor account that still held publishing rights to the Mastra AI agent framework and, over roughly 88 minutes, ran an automated campaign that republished every affected package with a malicious typosquatted package injected as a production dependency. Any developer workstation, CI runner, or build system that installed a @mastra/* package after June 16 should be treated as potentially compromised, according to Socket's analysis.

Mastra is a TypeScript framework for building AI agents, and its core package (@mastra/core) receives more than 918,000 weekly downloads. The breadth of the attack — 144 packages across the entire namespace, not just a single high-value target — means that developers installing any part of the Mastra ecosystem during the attack window were exposed.

How the Attack Worked

The attacker did not modify Mastra's own code. Instead, each republished package gained a new production dependency, easy-day-js, whose name is a deliberate typosquat of the widely used dayjs date library: close enough that a reviewer skimming the published package.json might read it as the real thing, and unremarkable to tooling that only checks whether a dependency resolves on the registry. A useful check in cases like this is to diff the published package's package.json against the one in the project's source repository; a dependency present only in the published artifact is a strong signal.

The malicious easy-day-js package carried a postinstall hook, a lifecycle script that npm runs automatically at the end of npm install (and npm ci), with the privileges of the installing user and before any code from the package is imported or executed. That hook downloaded and executed a two-stage payload:

  • Stage 1 (setup.cjs): An obfuscated loader that disabled TLS certificate verification, connected to attacker infrastructure at 23.254.164[.]92:8000, downloaded the second-stage payload, launched it as a detached background process, and then deleted itself to erase traces.
  • Stage 2 (protocal.cjs): A ~41KB cross-platform infostealer with persistence mechanisms for Windows (Run registry key), macOS (LaunchAgent), and Linux (systemd unit). The implant inventoried 166 cryptocurrency wallet browser extensions, harvested browser history from Chrome, Edge, and Brave, and opened a command-and-control channel capable of executing arbitrary follow-on code.

The attack window ran from 01:12 to 02:39 UTC on June 17. The npm audit log shows that a single account, ehindero, a contributor whose publishing access to the @mastra scope had never been revoked, published all 142 malicious package versions within those 88 minutes. Microsoft's security team also identified and reported the attack, according to additional reporting.

Who Is at Risk

Any system that ran npm install (or npm ci, or a yarn or pnpm install configured to run lifecycle scripts) with a @mastra/* dependency between June 16 and the removal of the malicious versions is a potential compromise. That includes developer laptops, CI/CD pipeline runners, Docker image builds, and cloud build environments. Because the payload ran at install time through a postinstall hook rather than at application runtime, a system is affected if it merely installed the dependency tree, even if it never started the application or imported a Mastra package.

Remediation Steps

Socket and other security researchers recommend treating any affected system as fully compromised. Specific actions:

  • Remove persistence: delete Windows Run registry entries, macOS LaunchAgent plists, and Linux systemd units associated with the implant
  • Rotate all credentials that existed on affected machines: npm tokens, cloud provider credentials (AWS, GCP, Azure), SSH keys, and API keys
  • Move cryptocurrency funds to new wallets generated on a clean, unaffected device and treat the old wallets as exposed: the implant specifically targeted 166 browser wallet extensions
  • Audit CI/CD pipelines for signs of unauthorized access or exfiltrated secrets

For future protection, Socket recommends running npm install and npm ci with --ignore-scripts in CI pipelines (or setting ignore-scripts=true in the project's .npmrc) so that install-time hooks are disabled by default. That setting would have blocked this specific attack outright: the only malicious code lived in a postinstall hook and, because Mastra's own code was not modified, nothing imported easy-day-js at runtime. Two caveats apply. The flag skips every lifecycle script, including the project's own prepare and postinstall scripts and the build steps some legitimate packages need (native add-ons, for example), so those have to be run explicitly afterwards, for instance with npm rebuild <package> against a short allowlist of trusted names. And it does nothing against malicious code that runs when a package is imported, so it complements lockfile review and dependency scanning rather than replacing them.

The @mastra organization has removed the malicious package versions from npm. Developers should update to clean versions and verify that easy-day-js does not appear in the lock file (package-lock.json, yarn.lock, or pnpm-lock.yaml) or anywhere under node_modules, including nested node_modules directories, where a copy that npm could not hoist can sit unnoticed.

Originally reported by Socket. Read the original article for additional details.
