Mastra npm scope backdoored: 140+ AI-agent packages laced with easy-day-js dropper
A dormant contributor's never-revoked publish access let an attacker re-publish the entire @mastra/* scope in 88 minutes, riding a typosquatted dayjs clone into every CI runner that ran npm install.
Shortly after 01:00 UTC on June 17, an attacker began republishing the entire @mastra/* npm scope, pushing more than 140 malicious versions in 88 minutes and pulling a postinstall infostealer into every CI runner that resolved @mastra/core (918,000 weekly downloads) during that window. The vector wasn't a zero-day. It was a former contributor's publish access that Mastra had never revoked.
Socket's writeup names the account: ehindero, a former Mastra contributor whose publish rights had quietly outlived their tenure. The republished tarballs were byte-for-byte identical to the legitimate releases except for one addition to each manifest: a caret dependency on easy-day-js, ^1.11.21. A caret range accepts any later 1.x release, so every fresh install that resolved it took the newest version available, which is exactly what the attacker had prepared.
That dependency had been pre-staged. On June 16 at 07:05 UTC, the npm user sergey2016 published easy-day-js@1.11.21 as a clean clone of dayjs, mirroring its version scheme, author metadata, repository URL and keywords. StepSecurity's timeline shows the weaponized 1.11.22, carrying the postinstall dropper, going up at 01:01 UTC on June 17; from that moment the ^1.11.21 range resolved to it. Eleven minutes later, the first poisoned @mastra package shipped.
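The two mechanics above, as an added example that is not code from Mastra, Socket or StepSecurity: a minimal caret matcher showing why ^1.11.21 silently picked up 1.11.22, and a CI-side check that diffs the dependency set of a freshly fetched manifest against the manifest of the version a lockfile already trusts. The manifests, the `some-dep` dependency and the @mastra/core version string are constructed placeholders.

```javascript
// Added example, not code from Mastra, Socket or StepSecurity. It models the
// two mechanics above: why a ^1.11.21 range silently picked up 1.11.22, and a
// CI check that diffs the dependency set of a freshly fetched manifest against
// a known-good baseline. Manifests and dependency names are constructed.

// Parse "MAJOR.MINOR.PATCH" into three numbers (no prerelease/build handling).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Minimal ^x.y.z matcher for x > 0: same major, not below the floor.
// (npm implements the full semver grammar; this covers the range in the story.)
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) throw new Error("only caret ranges are modelled");
  const floor = range.slice(1);
  if (parseVersion(floor)[0] === 0) throw new Error("0.x caret rules not modelled");
  return parseVersion(version)[0] === parseVersion(floor)[0] &&
    compareVersions(version, floor) >= 0;
}

// What `npm install` does with an unlocked caret range: take the highest
// published version the range admits.
function resolveCaret(range, published) {
  const ok = published.filter((v) => caretSatisfies(range, v)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

function allDeps(manifest) {
  return {
    ...(manifest.dependencies || {}),
    ...(manifest.optionalDependencies || {}),
  };
}

// Dependencies present in `candidate` but absent from `baseline`. `baseline`
// is the manifest of the version your lockfile already trusts; `candidate` is
// the manifest inside the tarball npm just fetched for the same package.
function addedDependencies(baseline, candidate) {
  const base = allDeps(baseline);
  return Object.entries(allDeps(candidate))
    .filter(([name]) => !(name in base))
    .map(([name, range]) => ({ name, range }));
}

// Constructed manifests: a legitimate release and the republished copy, which
// the reporting describes as identical apart from the added caret dependency.
const legitManifest = {
  name: "@mastra/core",
  version: "0.0.0-example", // placeholder, not a real Mastra version
  dependencies: { "some-dep": "^1.0.0" }, // placeholder dependency
};
const republishedManifest = {
  ...legitManifest,
  dependencies: { ...legitManifest.dependencies, "easy-day-js": "^1.11.21" },
};

// Versions of easy-day-js that existed once 1.11.22 was published
// (per the timeline above).
const easyDayJsVersions = ["1.11.21", "1.11.22"];

function demo() {
  return {
    added: addedDependencies(legitManifest, republishedManifest),
    resolved: resolveCaret("^1.11.21", easyDayJsVersions),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two practical points follow from this. A committed lockfile plus `npm ci` pins both the @mastra version and, by its absence, easy-day-js; the exposure was every job that resolved fresh ranges with `npm install`. And the dropper ran from a postinstall hook, so `npm ci --ignore-scripts` in CI would have kept it from executing even where the resolution went wrong.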
Socket recovered the second stage: a cross-platform infostealer that scrapes browser history, harvests data from 160+ crypto-wallet extensions, installs persistence on Windows, macOS and Linux, and exfiltrates to 23.254.164[.]123. Both stages set NODE_TLS_REJECT_UNAUTHORIZED=0, which disables TLS certificate validation in Node so the C2's self-signed certificate is accepted.
Mastra became aware at 8:45pm PT (03:45 UTC) and filed issue #18061. npm restored access at 10:15pm PT (05:15 UTC), after which the team unpublished 110 versions, deprecated the six that couldn't be unpublished (including @mastra/react@1.0.1 and @mastra/mem0@0.1.14), disabled token-based publishing, and mandated MFA scope-wide.
SafeDep's read is the cleanest. Every legitimate Mastra release ships through npm's trusted-publisher flow with a SLSA provenance attestation. The attacker's pushes carried none. A consumer-side policy that requires an attestation at install time would have rejected the whole wave. The capability exists. Scope by scope, it is still optional.
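The consumer-side gate that paragraph describes, as an added example that is not code from SafeDep, npm or Mastra: a check over registry metadata that refuses to proceed when a resolved version carries no provenance attestation. The `dist.attestations` shape is assumed to mirror what registry.npmjs.org returns for trusted-publisher releases; the packuments, lockfile entries and version numbers are constructed placeholders, not real Mastra releases.

```javascript
// Added example, not code from SafeDep, npm or Mastra. Gate a lockfile on the
// presence of a SLSA provenance attestation in each resolved version's registry
// metadata. The `dist.attestations` shape is assumed to mirror what
// registry.npmjs.org returns for trusted-publisher releases; the packuments,
// lockfile entries and version numbers below are constructed placeholders.

const SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1";
const NPM_ATTESTATION_PREFIX = "https://registry.npmjs.org/-/npm/v1/attestations/";

// Returns null when a version's metadata passes policy, otherwise a reason.
function provenanceProblem(versionMeta, policy) {
  const att = versionMeta && versionMeta.dist && versionMeta.dist.attestations;
  if (!att || !att.provenance) return "no provenance attestation";
  if (att.provenance.predicateType !== SLSA_PROVENANCE_V1) {
    return `unexpected predicate type ${att.provenance.predicateType}`;
  }
  // Tighter check: the attestation must live at the registry's own endpoint.
  if (policy.attestationUrlPrefix &&
      !String(att.url || "").startsWith(policy.attestationUrlPrefix)) {
    return `attestation URL is not under ${policy.attestationUrlPrefix}`;
  }
  return null;
}

// Package name from a package-lock.json `packages` key, handling nesting and
// scopes: "node_modules/@mastra/core/node_modules/easy-day-js" -> "easy-day-js".
function nameFromLockPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Check every dependency in the lockfile against (pre-fetched) packuments.
// `packuments` maps package name -> { versions: { [version]: { dist: ... } } }.
function gateLockfile(lock, packuments, policy) {
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = nameFromLockPath(path);
    const pkg = packuments[name];
    const meta = pkg && pkg.versions && pkg.versions[entry.version];
    const reason = meta
      ? provenanceProblem(meta, policy)
      : "version absent from registry metadata";
    if (reason) violations.push({ name, version: entry.version, reason });
  }
  return violations;
}

// Constructed registry metadata. One version carries the attestation a
// trusted-publisher release gets; the "republished" one carries nothing, which
// is what the reporting says about the attacker's pushes.
const packuments = {
  "@mastra/core": {
    versions: {
      "0.0.1": { // placeholder: legitimate release
        dist: {
          attestations: {
            url: NPM_ATTESTATION_PREFIX + "@mastra%2Fcore@0.0.1",
            provenance: { predicateType: SLSA_PROVENANCE_V1 },
          },
        },
      },
      "0.0.2": { dist: {} }, // placeholder: attacker republish, no attestation
    },
  },
  "easy-day-js": { versions: { "1.11.22": { dist: {} } } },
};

const policy = { attestationUrlPrefix: NPM_ATTESTATION_PREFIX };

// Constructed lockfiles: before the wave, and after a fresh resolve during it.
const lockBefore = {
  packages: { "": {}, "node_modules/@mastra/core": { version: "0.0.1" } },
};
const lockAfter = {
  packages: {
    "": {},
    "node_modules/@mastra/core": { version: "0.0.2" },
    "node_modules/easy-day-js": { version: "1.11.22" },
  },
};

function report() {
  return {
    before: gateLockfile(lockBefore, packuments, policy),
    after: gateLockfile(lockAfter, packuments, policy),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

Presence of the field is a policy signal, not verification: metadata can be faked by whoever serves it. The cryptographic check is `npm audit signatures`, which verifies registry signatures and provenance attestations against Sigstore; run it in CI alongside `npm ci --ignore-scripts` so that a resolved-but-unattested version fails the job before any postinstall hook can execute.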
Sources
- https://github.com/mastra-ai/mastra/issues/18061
- https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html
- https://www.healthcareinfosecurity.com/mastra-ai-framework-poisoned-in-npm-supply-chain-attack-a-32003
- https://socket.dev/blog/mastra-npm-packages-compromised
- https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js