The “easy-day-js” Supply Chain Attack: Over 140 Mastra AI Packages Poisoned on npm

The rapidly expanding landscape of Artificial Intelligence has made AI development frameworks a lucrative target for cybercriminals. In a striking reminder of the fragility of the open-source software supply chain, a highly coordinated supply chain attack codenamed “easy-day-js” was uncovered, targeting Mastra—a popular open-source JavaScript and TypeScript framework used for building autonomous AI agents and Retrieval-Augmented Generation (RAG) pipelines.


On June 17, 2026, security researchers observed an attacker compromise the @mastra npm organization and mass-publish 144 malicious package versions within a tight 88-minute window.

Here is a breakdown of how the attack unfolded, why it slipped past early defenses, and what you need to do immediately if your development environment or CI/CD pipelines are exposed.

How the Attack Unfolded: A Multi-Stage Blueprint

The threat actors behind the “easy-day-js” campaign (whose tactics closely resemble the Axios ecosystem compromise earlier this year) never touched Mastra’s source repositories on GitHub. Instead, they poisoned what users actually install: the published artifacts on the npm registry, using a two-pronged approach.


1. The Dormant Foothold (Account Takeover)

The entry point was a classic failure in identity lifecycle management. The attackers gained control of the npm account ehindero, which belonged to a legitimate former Mastra contributor. Although that contributor had been inactive since early 2025, their publish rights across the @mastra/* scope were never revoked. With those stale credentials, an automated script published 144 new malicious versions across the Mastra packages (including @mastra/core, mastra, and create-mastra). npm does not allow an already published version to be overwritten, so the poisoned releases appeared as fresh version numbers that ordinary dependency ranges would happily pick up.

2. The Clean Bait and Caret Trick

A separate attacker-controlled account (sergey2016) pre-positioned a package named easy-day-js on June 16, 2026.

  • The Bait: Version 1.11.21 was a byte-for-byte replica of the popular utility library dayjs, mirroring its metadata, MIT license, and file layout so that anyone inspecting the package would see a harmless, familiar dependency.

  • The Injection: When the attackers hijacked the @mastra scope on June 17, they added exactly one line to the package.json of each of the 144 poisoned versions: "easy-day-js": "^1.11.21".

  • The Switch: As the Mastra packages went out, the attacker published version 1.11.22 of easy-day-js. npm resolves a caret range (^) to the highest matching version at the moment the range is resolved, so any install that resolved this new dependency fresh (a project with no lockfile, or an npm install that upgraded to a poisoned Mastra version and therefore had no existing lock entry for easy-day-js) fetched the malicious 1.11.22. A lockfile only protects installs that replay entries it already contains (npm ci against an unchanged lock); it cannot pin a dependency it has never seen.

Technical Impact: Postinstall Execution & The Remote Payload

Because Mastra routinely handles highly sensitive data—including LLM provider API keys, vector database connections, and cloud provider credentials—the payload was engineered to move swiftly and covertly.


The payload runs from a postinstall lifecycle script. npm executes such scripts automatically for every package in the tree unless the install is run with --ignore-scripts, so when a developer or a CI/CD pipeline installs a poisoned Mastra version, easy-day-js 1.11.22 executes an obfuscated script named setup.cjs during installation, before any Mastra code is imported or run.

[Mastra npm install]
        │
        ▼
[Pulls easy-day-js ^1.11.21] ──► [Resolves to malicious v1.11.22]
                                          │
                                          ▼
                                [Fires postinstall hook]
                                          │
                                          ▼
                                [Executes setup.cjs] ──► [Downloads cross-platform RAT]

The Payload Capabilities:

  • Evasion: The script sets NODE_TLS_REJECT_UNAUTHORIZED = '0', disabling TLS certificate verification so that its downloads succeed even behind a TLS-inspecting proxy whose certificate Node would otherwise reject. It runs as a detached background process so the install appears to complete normally, and it deletes its own installer files to reduce the forensic trail.

  • The RAT: It drops a cross-platform Remote Access Trojan (RAT) that establishes persistent access across Windows, macOS, and Linux systems.

  • Exfiltration: The final stage inventories over 160 cryptocurrency wallet browser extensions, harvests local browser history (Chrome, Brave, Edge), and opens a backchannel to attacker-controlled command-and-control (C2) servers (targeting infrastructure on the 23.254.164.0/24 network).

Indicators of Compromise (IoCs) & Detection

If you ran an npm install or executed a deployment pipeline involving Mastra on June 17, 2026, you must audit your environments immediately.

Quick Terminal Audit

Run the following commands to check if the malicious dependency breached your project tree:

# Is the package present anywhere in the installed tree? npm prints "(empty)" when it is not.
npm ls easy-day-js

# Has any lockfile recorded it? A hit also shows the exact version that was resolved.
grep -n "easy-day-js" package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null

System-Level Artifacts to Hunt For

  • macOS Persistence: ~/Library/LaunchAgents/com.nvm.protocal.plist

  • Linux Persistence: ~/.config/systemd/user/nvmconf.service

  • Windows Directory: C:\ProgramData\NodePackages

  • Network Logs: Outbound traffic attempting connections to 23.254.164.92:8000 or 23.254.164.123
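The grep above tells you only that the name appears somewhere. The script below, an added example rather than code from the page or the Mastra project, reads an npm package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map keyed by install path) and reports the installed easy-day-js version, which package pulled it in, and every entry npm marked hasInstallScript, i.e. every package whose package.json declares preinstall/install/postinstall and will therefore run code at install time. The sample lockfile is constructed; the @mastra/core version in it is an assumption, not one of the versions named in the advisory.

```javascript
// Added example (not code from the page or the Mastra project): audit an npm
// package-lock.json for the easy-day-js dependency, for which package pulled
// it in, and for every entry that will run an install-time script.
// SAMPLE_LOCK is CONSTRUCTED; the @mastra/core version is a hypothetical
// poisoned version, not one named in the advisory.

const BAD_PACKAGE = 'easy-day-js';
const BAD_VERSION = '1.11.22'; // the version carrying setup.cjs, per the IoCs

const SAMPLE_LOCK = {
  name: 'my-agent',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@mastra/core': '^1.41.0' } },
    'node_modules/@mastra/core': {
      version: '1.41.3',                        // hypothetical poisoned version
      dependencies: { 'easy-day-js': '^1.11.21' },
    },
    'node_modules/easy-day-js': {
      version: '1.11.22',
      hasInstallScript: true,                   // npm sets this when package.json declares
    },                                          // preinstall/install/postinstall
    'node_modules/esbuild': {
      version: '0.21.5',
      hasInstallScript: true,                   // legitimate, but still install-time code
    },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (handles nested installs).
function packageName(lockKey) {
  const parts = lockKey.split('node_modules/');
  return parts[parts.length - 1];
}

function auditLockfile(lock) {
  const findings = { badDependency: [], parents: [], installScripts: [] };
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = key === '' ? '(root)' : packageName(key);
    if (name === BAD_PACKAGE) {
      findings.badDependency.push({
        path: key,
        version: entry.version,
        knownBad: entry.version === BAD_VERSION,
      });
    }
    if (entry.hasInstallScript) {
      findings.installScripts.push({ name, version: entry.version });
    }
    // Object.assign skips undefined sources, so absent dependency maps are fine.
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies, entry.peerDependencies);
    if (Object.prototype.hasOwnProperty.call(deps, BAD_PACKAGE)) {
      findings.parents.push({ name, range: deps[BAD_PACKAGE] });
    }
  }
  return findings;
}

// COMPROMISED: the known-bad version was installed. SUSPICIOUS: the package, or
// a dependency edge to it, is present at any version. CLEAN otherwise.
function verdict(findings) {
  if (findings.badDependency.some((d) => d.knownBad)) return 'COMPROMISED';
  if (findings.badDependency.length || findings.parents.length) return 'SUSPICIOUS';
  return 'CLEAN';
}

// Usage: node audit-lock.js [path/to/package-lock.json]
// With no argument the constructed sample is audited.
if (typeof require !== 'undefined' && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8')) : SAMPLE_LOCK;
  const findings = auditLockfile(lock);
  console.log(JSON.stringify(findings, null, 2));
  console.log('verdict:', verdict(findings));
}
```

A SUSPICIOUS result (the bait version 1.11.21 present, or a Mastra entry that depends on easy-day-js at all) means the host installed a poisoned Mastra release even if it happened to miss the malicious update; the installScripts list is worth keeping as a baseline, because a new install-time script appearing in a dependency update is exactly the signal this campaign would have produced.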

Remediation and Mitigation

The Mastra maintainers acted swiftly once alerted, removing the compromised contributor token, opening emergency clean changesets, and forward-rolling clean versions. The current latest tag of @mastra/core (version 1.42.0) is safe.


CRITICAL ACTION ITEM: If your environment was exposed to version 1.11.22 of easy-day-js, treat the host machine as completely compromised.

  1. Isolate the affected machine or CI runner.

  2. Rotate all secrets that were present on that system, including GitHub tokens, cloud provider credentials, and OpenAI/Anthropic/Google API keys. Do not rotate them from the infected machine.

Moving forward, development teams in the AI ecosystem should enforce lockfile-only installs in CI (npm ci, never npm install), pin dependencies to exact versions backed by the lockfile's integrity hashes rather than caret ranges, run installs with --ignore-scripts wherever the build does not genuinely need lifecycle scripts, and route package fetches through an upstream registry proxy with a cooldown window, so that a version published minutes ago cannot reach a build.
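The following added example, which is not code from the page or the Mastra project, serves two passages: the caret resolution described under “The Switch” above, and the registry cooldown window recommended here. It models npm-style ^ resolution (highest matching version at resolution time) next to a cooldown-enforcing resolver that ignores versions younger than a minimum age, and replays the June 17 install against a constructed registry document. The publish timestamps are assumptions chosen to mirror the article's timeline; the real npm registry exposes the same information under the "time" field of a package document, which is what a proxy would consult.

```javascript
// Added example (not code from the page or the Mastra project). Models npm
// caret ("^") resolution and a registry-proxy cooldown. The registry document
// and its timestamps are CONSTRUCTED to mirror the article's timeline.

const HOUR = 60 * 60 * 1000;

const REGISTRY = {
  'easy-day-js': {
    // Real npm package documents list publish times under "time".
    time: {
      '1.11.21': '2026-06-16T12:00:00.000Z', // clean dayjs replica (the bait)
      '1.11.22': '2026-06-17T13:00:00.000Z', // malicious version (the switch)
    },
  },
};

function parse(v) {
  return v.split('.').map(Number);
}

// Sort-style comparator on "major.minor.patch" strings (numeric, not lexical).
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics: "^1.11.21" allows >=1.11.21 <2.0.0. For 0.x bases the
// leftmost non-zero component is locked instead. A bare version is an exact pin.
function satisfies(version, range) {
  if (!range.startsWith('^')) return version === range;
  const base = range.slice(1);
  if (compare(version, base) < 0) return false;
  const [bM, bm] = parse(base);
  const [vM, vm] = parse(version);
  if (bM > 0) return vM === bM;
  if (bm > 0) return vM === 0 && vm === bm;
  return version === base;
}

// A cooldown-enforcing proxy: the highest matching version that is at least
// minAgeMs old as of `now`, or null when nothing qualifies.
function resolveWithCooldown(name, range, minAgeMs, now, registry = REGISTRY) {
  const times = (registry[name] && registry[name].time) || {};
  const candidates = Object.entries(times)
    .filter(([v, published]) => satisfies(v, range) && now - Date.parse(published) >= minAgeMs)
    .map(([v]) => v)
    .sort(compare);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Plain npm behaviour when a range is resolved fresh: no cooldown at all.
function resolve(name, range, now, registry = REGISTRY) {
  return resolveWithCooldown(name, range, 0, now, registry);
}

// Replay the June 17 install one hour after the malicious version appeared.
function replay(now = Date.parse('2026-06-17T14:00:00.000Z')) {
  return {
    caretFresh:  resolve('easy-day-js', '^1.11.21', now),                              // '1.11.22'
    exactPin:    resolve('easy-day-js', '1.11.21', now),                               // '1.11.21'
    cooldown24h: resolveWithCooldown('easy-day-js', '^1.11.21', 24 * HOUR, now),       // '1.11.21'
    cooldown7d:  resolveWithCooldown('easy-day-js', '^1.11.21', 7 * 24 * HOUR, now),   // null
  };
}

console.log(replay());
```

Note what the 7-day case shows: a strict cooldown would have refused the bait version as well, since easy-day-js had existed for barely a day. A build that fails because a brand-new transitive dependency is too young to install is the intended outcome, and is a far cheaper failure than the one the page describes.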
