

























Socket has detected a malicious npm supply chain campaign involving compromised @mastra/* packages published under the Mastra namespace. A single npm account (ehindero) mass-published more than 140 malicious packages across the Mastra scope within a short window on 2026-06-17.
The compromised package versions themselves contain unmodified code; the attack is delivered through an injected dependency, a typosquatted package named easy-day-js added to each package's dependency list. easy-day-js carries an obfuscated payload in a postinstall install hook, meaning the malware runs automatically during npm install (before a developer imports or uses the package) and rides into any project that pulls in one of the compromised Mastra packages. The loader disables TLS certificate validation, fetches a second-stage payload from attacker-controlled infrastructure over TLS, executes it as a detached background process, and deletes itself to limit forensic traces. Socket recovered and analyzed that second stage: a cross-platform infostealer that steals browser history and the stored data of over 160 cryptocurrency wallet browser extensions, and installs persistence across Windows, macOS, and Linux before exfiltrating to the operators' C2 servers.
The affected packages include @mastra/core, which receives more than 918K weekly npm downloads, giving this campaign a large potential blast radius. Because the payload executes during installation, systems may be exposed before developers import or use the package. Socket is still analyzing exact impact, but any workstation, CI runner, or build environment that installed the affected versions should be treated as potentially compromised.
Socket's threat research team is continuing to analyze the malware and its potential impact, and will publish full technical details as the investigation progresses. We are also tracking affected packages, versions, and detection details on our public campaign page.
Socket flagged the malicious easy-day-js within six minutes after publication. The package had been uploaded to npm as a clean dependency the day before, then updated later to deliver malware, a pattern reminiscent of the recent axios campaign. Because the affected Mastra packages pulled in that dependency, Socket users were protected automatically, with installs of any of the compromised packages flagged and blocked.
Loading affected packages…
If you installed any of the versions above, treat the host or CI runner that ran the install as compromised. Remove the affected versions, delete node_modules, and reinstall a known-good prior version. Rotate any credentials that may have been exposed during installation, including npm tokens, cloud provider keys, CI/CD secrets, and SSH and Git credentials. Socket customers are protected automatically: installs of these packages are flagged and blocked before the malicious install hook can execute.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。