Mastra npm Supply Chain Attack Backdoors 144 Packages
Key insights
- The compromised 'ehindero' account had been dormant 16 months; npm's absence of credential expiration made it a persistent, silent attack surface.
- Attackers staged the operation by publishing a clean easy-day-js on June 16, then flipping to the malicious version minutes before the June 17 scope-wide republish.
- The malware targeted 166 cryptocurrency wallet browser extensions, matching Sapphire Sleet's documented mandate of crypto-focused financial theft.
Why this matters
Summary
Potential risks and opportunities
Risks
- Developers who installed any of the 144 @mastra packages during the 88-minute publication window may have persistent information-stealing malware with live C2 connectivity active across Windows, macOS, and Linux systems
- Organizations building AI applications on Mastra face potential exfiltration of environment secrets and API keys, which could expose downstream AI pipelines, model endpoints, and production infrastructure
- The 160+ cryptocurrency wallet extensions targeted by the stealer put individual developers at direct financial risk if crypto credentials were harvested before packages were removed
Opportunities
- npm package security vendors (Socket.dev, Phylum, Snyk) can demonstrate real-time postinstall hook detection as a differentiated capability following this high-visibility attack on a major AI framework
- Mastra maintainers have grounds to implement mandatory MFA and automated scope-access revocation, potentially establishing a contributor offboarding model for AI-adjacent open-source projects
- Enterprises procuring AI development tooling now have a concrete incident to justify requiring software composition analysis with install-time sandboxing as a vendor security baseline in procurement
What we don't know yet
- Whether npm's security team removed all 144 malicious packages and how long the exposure window lasted between the 88-minute publication window and public takedown on June 17, 2026
- How many of the 918,000+ weekly @mastra/core installers ran affected versions, and whether Mastra or npm has confirmed any credential exfiltrations or active infections
- Attribution behind the hijack of the "ehindero" account remains unconfirmed, with no threat actor, ransomware group, or nation-state link identified in public reporting
What others are reporting
-
Snyk Read →
Forensic breakdown of the attack mechanics: caret-range dependency trick, TLS-bypass dropper, persistence across three OS platforms, and Mastra's same-day remediation timeline with pull request numbers.
npm does not expire scope publish permissions on inactivity, so one stale maintainer credential was enough to push to every package in the scope.
-
Orca Security Read →
Remediation-focused guide with OS-specific persistence artifact locations and risk prioritization by internet accessibility and runtime reachability.
Attackers harvested browser data from Chrome, Edge, and Brave and extracted credentials from 166 cryptocurrency wallet extensions.
-
Phoenix Security Read →
Deepest technical forensics: three-layer obfuscation mechanics, 16-month account dormancy window, and the zero-CVE detection gap documented across 60 supply chain campaigns since June 2024.
The attack did not touch Mastra's source code; the payload hid inside easy-day-js, a typosquatted copy of the legitimate dayjs date library.
-
StepSecurity Read →
Demonstrates real-time attack blocking via Harden Runner in a controlled GitHub Actions environment, with C2 IP identified (23.254.164.92:8000) and the full 88-minute attack timeline reconstructed.
If you installed any @mastra package today, treat your environment as compromised.
-
SafeDep Read →
Documents the SLSA provenance attestation gap: npm generated provenance for legitimate releases without requiring it, so attacker-signed versions bypassed signature verification entirely.
The attacker laid the groundwork a day earlier: on June 16 they published the clean easy-day-js, then flipped on the malicious version minutes before the scope-wide republish.
Originally reported by thehackernews.com
Read the original article →Original headline: 144 Mastra AI Framework npm Packages Backdoored via Hijacked Contributor Account — 1.1M Weekly Downloads Exposed to Info-Stealing Dropper