Mastra npm Supply Chain Attack
Status: Confirmed. Discovered Jun 17, 2026
On 2026-06-17, public reporting described a compromise of the @mastra npm package scope: easy-day-js was pushed as a malicious dependency into 140+ packages, a setup.cjs postinstall dropper ran on install, and more than 1.1 million weekly downloads were exposed to second-stage credential theft and remote code execution.
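As an added defensive check (not code from the advisory or the Mastra project), the following Python looks for the indicators named above in a dependency tree: the easy-day-js dependency in a yarn.lock, bun.lock or package-lock.json, an install hook in a package.json that runs setup.cjs, and a file whose SHA-256 equals the hash listed in the IOC section. The lockfile and package.json samples are constructed for illustration.

```python
import hashlib
import json
import re
from typing import List, Optional

# Indicators taken from the advisory above.
MALICIOUS_DEP = "easy-day-js"
DROPPER_FILE = "setup.cjs"
KNOWN_BAD_SHA256 = {"221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf"}


def lockfile_hits(lockfile_text: str) -> List[str]:
    """Lines of a yarn.lock, bun.lock or package-lock.json that reference easy-day-js."""
    # Word-style boundaries so names like "easy-day-js-utils" are not matched.
    needle = re.compile(r"(?<![\w.-])" + re.escape(MALICIOUS_DEP) + r"(?![\w-])")
    return [line.strip() for line in lockfile_text.splitlines() if needle.search(line)]


def postinstall_dropper(package_json_text: str) -> Optional[str]:
    """The install hook and command if a package.json runs setup.cjs, else None."""
    scripts = json.loads(package_json_text).get("scripts", {})
    for hook in ("preinstall", "install", "postinstall"):
        cmd = scripts.get(hook, "")
        if DROPPER_FILE in cmd:
            return f"{hook}: {cmd}"
    return None


def matches_known_hash(data: bytes) -> bool:
    """True if the file content hashes to the SHA-256 published for this campaign."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


# Constructed samples, not real package contents.
SAMPLE_YARN_LOCK = """\
"@mastra/core@^0.1.0":
  version "0.1.0"
  dependencies:
    easy-day-js "^1.0.0"

easy-day-js@^1.0.0:
  version "1.0.0"
  resolved "https://registry.npmjs.org/easy-day-js/-/easy-day-js-1.0.0.tgz"
"""
SAMPLE_PACKAGE_JSON = '{"name": "easy-day-js", "scripts": {"postinstall": "node setup.cjs"}}'

if __name__ == "__main__":
    for hit in lockfile_hits(SAMPLE_YARN_LOCK):
        print("lockfile:", hit)
    print("dropper:", postinstall_dropper(SAMPLE_PACKAGE_JSON))
```

Run it against the real lockfiles and the package.json of every installed package under node_modules; a hit on the hash check is the strongest signal, a lockfile hit alone tells you a pinned @mastra version pulled the dependency.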
1 Affected Package · 7 Observables · 4 Sources
Timeline
| Date | Event | Description | Source |
|---|---|---|---|
| Jun 17, 2026 | Fresh source review | Reviewed direct and primary sources for the last-two-weeks supply-chain refresh; this preview intentionally excludes older Halting Problems article data. | Primary research |
Affected Software
| Package | Ecosystem | Version Range | Status | Confidence | Source |
|---|---|---|---|---|---|
IOC Clipboard (7 IOCs)
| Type | Value |
|---|---|
| domain | setup.cjs |
| domain | yarn.lock |
| domain | bun.lock |
| url | https://23.254.164.92:8000/update/49890878 |
| ip | 23.254.164.92 |
| ip | 23.254.164.123 |
| hash | 221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf |
Provenance & Sources
| Source | Type | Reliability | Claims | Evidence |
|---|---|---|---|---|
| Primary research | primary research | 95% | 1 | https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js |
| Primary research | primary research | 95% | 1 | https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/ |
| Primary research | primary research | 95% | 1 | https://github.com/mastra-ai/mastra/issues/18045 |
| Primary research | primary research | 95% | 1 | https://registry.npmjs.org/@mastra%2Fcore |