Mastra npm Supply Chain Attack Poisons 140+ AI Packages
Attackers infected more than 140 packages from the Mastra AI ecosystem through npm. The malicious code ran right after npm install or npm update. So the infection could reach developer workstations and build servers, even when the package was never imported into application code. Microsoft reported the campaign.
How the Attackers Got In
The attackers gained access to the npm account of a developer named ehindero. That account had rights to publish updates in the mastra and @mastra namespaces. Through the hijacked account, they released poisoned versions of the packages. Each one added a dependency on easy-day-js@^1.11.21. Every malicious release was tagged latest, so npm picked it automatically on install.
How the Anomaly Surfaced
The publishing history gave the attack away. Versions of mastra up to 1.13.0 shipped through GitHub Actions with build provenance checks. By contrast, mastra 1.13.1 was published by hand from an anonymous email service. Nothing in the Mastra repository explained the new dependency. You can read Microsoft’s full technical breakdown for the timeline.
The easy-day-js Typosquat
The easy-day-js package posed as the popular dayjs library. That real library sees more than 57 million weekly downloads. The authors copied its description, repository link, and the real developer’s name. The first version, easy-day-js 1.11.21, shipped clean on June 16. Then, on June 17, they released 1.11.22. The library code stayed the same. However, they added a postinstall handler to package.json that ran a hidden script, setup.cjs.
What the Malware Did
After install, the script disabled TLS certificate checks. It created service files in the system temp folder and downloaded a second stage from a command server. The fetched code was saved under a random name. It then ran as a separate hidden Node.js process and waited for new commands. From there, the attackers could run arbitrary code, change settings, or shut down the implant.
Cross-Platform Persistence
On Windows, macOS, and Linux, the malware dug in and posed as Node.js and NVM components. On Windows, it used an autostart entry. On macOS, it created a LaunchAgent. On Linux, it added a user systemd service. The program collected the computer name, user details, installed apps, and running processes. It also grabbed browser history. Then it hunted for crypto wallet extensions in Chrome, Edge, and Brave. The target list held 166 wallet identifiers, including MetaMask, Phantom, Coinbase Wallet, and Binance Wallet.
A SYSTEM-Level PowerShell Backdoor
On some infected Windows machines, Microsoft saw a PowerShell backdoor pulled from separate infrastructure. The backdoor erased PowerShell history. It added an exclusion for Microsoft Defender and installed a service with SYSTEM rights. Microsoft linked the campaign with high confidence to the North Korean group Sapphire Sleet. That group most often targets financial organizations.
Response and Mitigation
Microsoft shared its findings with the npm security team. The infected versions were removed from the registry. The attacker also lost publish rights in the @mastra namespace. Developers should check package-lock.json, node_modules, and CI/CD logs for easy-day-js. Rotate tokens, passwords, and API keys from any potentially infected machines. Review outbound connections to the command-server addresses too.
Microsoft lists mastra 1.13.0 and earlier as safe. It also lists @mastra/core 1.42.0 and earlier as safe. When auditing dependencies, you can run installs with the --ignore-scripts flag. That stops npm from executing preinstall, install, and postinstall handlers such as the one easy-day-js used.
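As an added example (not code from the Microsoft report or the Mastra project), a small Node.js script that audits an npm lockfile for the dependency named above and for any package npm recorded as carrying an install lifecycle script. The lockfile it scans is constructed inline for illustration.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2 or 3, "packages" map)
// for a known-suspect dependency and for entries npm flagged with hasInstallScript.
// The sample lockfile below is constructed for illustration.

const SUSPECT_PACKAGES = new Set(["easy-day-js"]); // package name from the article

// Lockfile keys look like "node_modules/a/node_modules/b";
// the package name is whatever follows the last "node_modules/".
function packageName(lockKey) {
  const marker = "node_modules/";
  const idx = lockKey.lastIndexOf(marker);
  return idx === -1 ? lockKey : lockKey.slice(idx + marker.length);
}

// Returns one finding per hit: a known-suspect package, or a package that
// npm recorded as declaring preinstall/install/postinstall scripts.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // "" is the root project itself, not a dependency
    const name = packageName(key);
    if (SUSPECT_PACKAGES.has(name)) {
      findings.push({ name, version: entry.version, reason: "known-suspect" });
    }
    if (entry.hasInstallScript === true) {
      findings.push({ name, version: entry.version, reason: "install-script" });
    }
  }
  return findings;
}

// Constructed sample: a poisoned mastra release pulled in easy-day-js 1.11.22,
// which npm marked as carrying an install script; dayjs is the clean library.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { mastra: "^1.13.1" } },
    "node_modules/mastra": { version: "1.13.1", dependencies: { "easy-day-js": "^1.11.21" } },
    "node_modules/easy-day-js": { version: "1.11.22", hasInstallScript: true },
    "node_modules/dayjs": { version: "1.11.13" },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.reason}: ${f.name}@${f.version}`);
}
```

To run it against a real project, read package-lock.json from disk and pass its contents to auditLockfile; the hasInstallScript flag only exists in lockfile versions 2 and 3, so older v1 lockfiles need a scan of each node_modules/*/package.json "scripts" section instead.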