145 Mastra npm packages compromised through hijacked contributor account

A massive supply chain attack has hit the Mastra AI framework. One hundred and forty-five npm packages under the @mastra/* namespace were compromised after attackers hijacked a contributor’s account.

The attack, codenamed easy-day-js, was first flagged by multiple security firms including Socket, JFrog, and Snyk. A single npm account mass-published over 140 malicious packages in just 88 minutes on June 17th.

Here’s the trick: the packages themselves looked clean. The malware came through a dependency called easy-day-js — a clone of the popular dayjs date library. That dependency ran a postinstall hook that downloaded a cryptocurrency-stealing remote access trojan onto the victim’s machine.

The stealer could harvest browser history, pull data from over 160 crypto wallet extensions, install persistence across Windows, macOS and Linux, and phone home to a command-and-control server.

If you’ve installed any @mastra/* packages recently, check your environment. Even removing the first-stage package might not help — the second-stage process could still be running with persistence already installed.
