step-security · Crawled Jul 5, 2026

Mastra npm Supply Chain Attack: 140+ Packages Backdoored via easy-day-js Typosquat


AI Summary

On June 17, 2026, a supply chain attack compromised the @mastra npm organization, backdooring 140+ packages through the malicious dependency easy-day-js@1.11.22. This package, a typosquat of the legitimate dayjs library, carried an obfuscated postinstall dropper that fetched and executed a second-stage payload from attacker-controlled infrastructure. The attack targeted high-value AI development environments in order to harvest sensitive credentials such as API keys and cloud tokens, exposing over 1.1 million weekly downloads.

AI-extracted · verify before operational use

Indicators of Compromise (11 extracted)

Type           Value                  Detail
Package        easy-day-js@1.11.22    malicious dependency (typosquat of dayjs)
Package        easy-day-js@1.11.21    earlier malicious version
GitHub User    sergey2016             attacker-associated account
Filename       setup.cjs              obfuscated postinstall dropper
IP             23.254.164.92          second-stage payload infrastructure
IP             23.254.164.123         second-stage payload infrastructure
Filename       .pkg_history           artifact written on infected host
Filename       .pkg_logs              artifact written on infected host
Filename       <24-hex-chars>.js      second-stage payload (randomized name)
Registry User  sergey2016             npm registry publisher account
GitHub User    iamkun                 listed by extraction; verify before use