A revoked maintainer credential republished the entire @mastra npm scope with a postinstall dropper that disables TLS validation, fetches a second-stage payload, and exfiltrates cryptocurrency wallets and credentials.
Summary
If you ran npm install on any @mastra package after June 17, 2026, treat your build environment and developer machines as credential and wallet exposure events. Lockfiles are the deciding factor: installs with a regenerated or absent lockfile pulled the armed easy-day-js@1.11.22.
Implementation verdict
Audit your node_modules and lockfiles immediately for easy-day-js (it should never legitimately appear). If present, treat the host as compromised: rotate credentials, check browser wallet extensions, and scan for persistence artifacts (LaunchAgent on macOS, systemd service on Linux, PowerShell staging on Windows). Upgrade @mastra packages to versions forward-rolled after June 17, 2026. This is an active supply chain incident, not a source-code vulnerability: the root cause is npm publish hygiene, not a zero-day. Do this now.
Dev Signal