thehackernews.com web signal

Mastra npm Supply Chain Attack Backdoors 144 Packages

6 sources tracking this story
agents cybersecurity open source ai-supply-chain npm-security malware

Key insights

  • The compromised 'ehindero' account had been dormant 16 months; npm's absence of credential expiration made it a persistent, silent attack surface.
  • Attackers staged the operation by publishing a clean easy-day-js on June 16, then flipping to the malicious version minutes before the June 17 scope-wide republish.
  • The malware targeted 166 cryptocurrency wallet browser extensions, matching Sapphire Sleet's documented mandate of crypto-focused financial theft.

Why this matters

Snyk and Orca attribute the payload tradecraft to Sapphire Sleet (BlueNoroff), a North Korean APT with a documented mandate of cryptocurrency theft through developer-targeting supply chain operations, placing this attack inside a nation-state campaign against AI tooling specifically. The 88-minute operation exploited compounding npm structural failures: the registry's absence of credential expiration gave the attacker a 16-month-dormant account as a persistent entry point, and caret-range dependency resolution auto-upgraded consumers to the weaponized easy-day-js without any change to Mastra's own source repository. SafeDep adds a third failure: npm's trusted publisher flow generated provenance attestations for legitimate Mastra releases without requiring them, so the attacker's personally-tokenized versions passed through with no signature check. StepSecurity's controlled GitHub Actions test confirms behavioral monitoring intercepted the C2 callout in real time, a capability class that static CVE-based scanners structurally cannot provide given the zero-CVE pattern Phoenix Security documents across 60 campaigns since June 2024.

Summary

144 @mastra npm packages were backdoored on June 17, 2026 via a hijacked contributor account, hitting the Mastra open-source AI framework for JavaScript and TypeScript developers. Attackers compromised "ehindero," a former contributor whose scope access was never revoked, then published over 140 malicious packages in just 88 minutes. The malware was not embedded directly in the packages but in "easy-day-js," a fake clone of the legitimate dayjs date library, which fires via a postinstall hook to drop a cross-platform information stealer across Windows, macOS, and Linux. Essentially: (Mastra, npm) show how one unrevoked contributor account turns a trusted package namespace into a ready-made attack vector. - Stealer targets 160+ cryptocurrency wallet extensions plus browser history and credentials - @mastra/core alone draws over 918,000 weekly downloads, giving the campaign a large potential blast radius - Payload executes at install time, before any package is imported, bypassing developer-side inspection For AI teams building on npm, postinstall hooks are now an active exploit surface that access revocation policies, not just code review, must address.

Potential risks and opportunities

Risks

  • Developers who installed any of the 144 @mastra packages during the 88-minute publication window may have persistent information-stealing malware with live C2 connectivity active across Windows, macOS, and Linux systems
  • Organizations building AI applications on Mastra face potential exfiltration of environment secrets and API keys, which could expose downstream AI pipelines, model endpoints, and production infrastructure
  • The 160+ cryptocurrency wallet extensions targeted by the stealer put individual developers at direct financial risk if crypto credentials were harvested before packages were removed

Opportunities

  • npm package security vendors (Socket.dev, Phylum, Snyk) can demonstrate real-time postinstall hook detection as a differentiated capability following this high-visibility attack on a major AI framework
  • Mastra maintainers have grounds to implement mandatory MFA and automated scope-access revocation, potentially establishing a contributor offboarding model for AI-adjacent open-source projects
  • Enterprises procuring AI development tooling now have a concrete incident to justify requiring software composition analysis with install-time sandboxing as a vendor security baseline in procurement

What we don't know yet

  • Whether npm's security team removed all 144 malicious packages and how long the exposure window lasted between the 88-minute publication window and public takedown on June 17, 2026
  • How many of the 918,000+ weekly @mastra/core installers ran affected versions, and whether Mastra or npm has confirmed any credential exfiltrations or active infections
  • Attribution behind the hijack of the "ehindero" account remains unconfirmed, with no threat actor, ransomware group, or nation-state link identified in public reporting

What others are reporting

Coverage cluster as of 24h after publish

  1. Forensic breakdown of the attack mechanics: caret-range dependency trick, TLS-bypass dropper, persistence across three OS platforms, and Mastra's same-day remediation timeline with pull request numbers.

    npm does not expire scope publish permissions on inactivity, so one stale maintainer credential was enough to push to every package in the scope.
  2. Orca Security Read →

    Remediation-focused guide with OS-specific persistence artifact locations and risk prioritization by internet accessibility and runtime reachability.

    Attackers harvested browser data from Chrome, Edge, and Brave and extracted credentials from 166 cryptocurrency wallet extensions.
  3. Phoenix Security Read →

    Deepest technical forensics: three-layer obfuscation mechanics, 16-month account dormancy window, and the zero-CVE detection gap documented across 60 supply chain campaigns since June 2024.

    The attack did not touch Mastra's source code; the payload hid inside easy-day-js, a typosquatted copy of the legitimate dayjs date library.
  4. StepSecurity Read →

    Demonstrates real-time attack blocking via Harden Runner in a controlled GitHub Actions environment, with C2 IP identified (23.254.164.92:8000) and the full 88-minute attack timeline reconstructed.

    If you installed any @mastra package today, treat your environment as compromised.
  5. SafeDep Read →

    Documents the SLSA provenance attestation gap: npm generated provenance for legitimate releases without requiring it, so attacker-signed versions bypassed signature verification entirely.

    The attacker laid the groundwork a day earlier: on June 16 they published the clean easy-day-js, then flipped on the malicious version minutes before the scope-wide republish.