144 Mastra npm Packages Compromised Through Maintainer Phishing Attack

Executive Summary

A report published by The Hacker News on 17 June 2026 detailed a software supply chain attack impacting 144 npm packages associated with the Mastra ecosystem after threat actors compromised a maintainer account through a phishing attack.

The attackers leveraged the compromised account to publish malicious package versions to the npm registry. According to the report, the malicious code was designed to collect sensitive information from developer environments and transmit data to attacker-controlled infrastructure. The incident highlights the continued targeting of open-source software maintainers as an entry point for software supply chain attacks. Developers and organizations using affected package versions may be at risk of credential exposure and unauthorized access to development environments.

Key Takeaways

  • The malicious easy-day-js package executed an obfuscated payload during a post-install hook, functioning as a loader that retrieved a second-stage payload from attacker-controlled infrastructure (23[.]254[.]164[.]192).
  • The final-stage malware operated as a cross-platform information stealer capable of harvesting browser history, collecting data from more than 160 cryptocurrency wallet browser extensions, establishing persistence on Windows, macOS, and Linux systems, and exfiltrating stolen data to a command-and-control server (23[.]254[.]164[.]123).
  • The malware was capable of polling a command-and-control server for additional instructions, including downloading and executing attacker-supplied modules across Windows, Linux, and macOS systems.
  • The attack utilized multiple stealth techniques, including obfuscated post-install loaders, runtime payload downloads, detached execution, self-deletion, persistence mechanisms, and remote module execution capabilities.
  • Researchers reported that the threat actors hijacked the “ehindero” account, belonging to a legitimate former Mastra contributor whose access had not been revoked.
  • Following disclosure of the incident, npm removed the malicious package versions from affected high-profile packages and reverted the latest package tags.
  • At the time of this reporting, the article did not attribute the compromise to a specific threat actor or threat group.

IOCs

The JFrog security research team has provided a list of indicators of compromise (IOCs) that can be found here: Affected Mastra Package Versions IOCs

Mitigation Options

The JFrog security research team has provided the following mitigations:

  • Stop using affected Mastra package versions published during the incident window and containing the easy-day-js dependency.
  • Remove easy-day-js from dependency manifests and lockfiles, then reinstall dependencies from known-good versions.
  • Run npm ls easy-day-js in affected repositories and CI workspaces to identify transitive installation.
  • If you have installed any of the affected packages, immediately terminate any suspicious active Node.js processes and scan environments for persistent artifacts. You must also rotate all secrets, API keys, and credentials stored on those compromised systems or CI/CD runners to prevent further abuse.
  • Install only remediated Mastra versions and prefer versions with expected provenance.
  • Treat any machine or CI runner that installed the affected packages as compromised until investigated.
  • Block and investigate traffic to 23[.]254[.]164[.]92.
  • Search for loader artifacts: <os.tmpdir()>/.pkg_history, <os.tmpdir()>/.pkg_logs, and <os.tmpdir()>/<24 hex chars>.js.
  • Search for persistence artifacts: ~/Library/NodePackages, ~/Library/LaunchAgents/com.nvm.protocal.plist, ~/.config/systemd/nvmconf, ~/.config/systemd/user/nvmconf.service, C:\ProgramData\NodePackages, and the current-user Windows Run key value NvmProtocal.
  • Remove persistence artifacts after forensic collection: delete ~/Library/LaunchAgents/com.nvm.protocal.plist and ~/Library/NodePackages on macOS; disable and remove ~/.config/systemd/user/nvmconf.service, ~/.config/systemd/nvmconf, and ~/.config/NodePackages on Linux; remove C:\ProgramData\NodePackages and the current-user Windows Run key value NvmProtocal on Windows.
  • Inspect running Node.js processes, especially detached processes launched from temporary directories or NodePackages paths.
  • Rotate all credentials exposed to affected systems, including package registry tokens, source control tokens, CI secrets, cloud credentials, database credentials, LLM API keys, and any cryptocurrency wallet secrets.
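The detection steps above, as an added POSIX shell example that is not JFrog's tooling or anything from the article: it greps a lockfile for easy-day-js without needing npm, then checks a temp directory and a home directory for the loader and macOS/Linux persistence artifacts named in the list. Directories are passed as arguments so it can be pointed at a mounted image; the Windows artifacts are left out.

```shell
#!/bin/sh
# Offline triage helpers for the easy-day-js indicators listed above.
# Added example, not JFrog's tooling. Paths come from the advisory text;
# scan directories are arguments so this can run against a mounted image.

# 1. Lockfile check without npm. Matches "node_modules/easy-day-js" keys in
#    package-lock.json as well as easy-day-js@... entries in pnpm/yarn
#    lockfiles. Prints matching lines; exit 0 if any were found.
lockfile_has_easy_day_js() {
    grep -nE '(^|[^A-Za-z0-9_.-])easy-day-js([^A-Za-z0-9_.-]|$)' "$1"
}

# 2. Loader artifacts in a temp directory: .pkg_history, .pkg_logs and a
#    <24 hex chars>.js file. Prints each hit; exit 0 if at least one exists.
find_loader_artifacts() {
    dir=$1; found=1
    for f in "$dir/.pkg_history" "$dir/.pkg_logs"; do
        [ -e "$f" ] && { echo "loader artifact: $f"; found=0; }
    done
    for f in "$dir"/*.js; do
        [ -e "$f" ] || continue
        base=${f##*/}
        if printf '%s\n' "$base" | grep -qE '^[0-9a-fA-F]{24}\.js$'; then
            echo "loader artifact: $f"; found=0
        fi
    done
    return $found
}

# 3. macOS/Linux persistence artifacts, checked relative to a home directory.
find_persistence_artifacts() {
    home=$1; found=1
    for rel in Library/NodePackages \
               Library/LaunchAgents/com.nvm.protocal.plist \
               .config/systemd/nvmconf \
               .config/systemd/user/nvmconf.service \
               .config/NodePackages; do
        [ -e "$home/$rel" ] && { echo "persistence artifact: $home/$rel"; found=0; }
    done
    return $found
}

# Typical invocation on a live host:
#   lockfile_has_easy_day_js package-lock.json
#   find_loader_artifacts "${TMPDIR:-/tmp}"
#   find_persistence_artifacts "$HOME"
```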
