step-security · Crawled Jul 5, 2026
Mastra npm Supply Chain Attack: 140+ Packages Backdoored via easy-day-js Typosquat
AI Summary
On June 17, 2026, a supply chain attack compromised the @mastra npm organization, resulting in 140+ packages being backdoored through the malicious dependency easy-day-js@1.11.22. This package, a typosquat of the legitimate 'dayjs' library, contained an obfuscated postinstall dropper that fetched and executed a second-stage payload from attacker-controlled infrastructure; because npm runs postinstall scripts automatically during `npm install`, simply installing an affected @mastra package was enough to trigger it. The attack targeted high-value AI development environments, aiming to harvest sensitive credentials such as API keys and cloud tokens, and the affected packages accounted for over 1.1 million weekly downloads.
AI-extracted · verify before operational use
Indicators of Compromise (11 extracted)
| Type | Value | Note |
|---|---|---|
| Package | easy-day-js@1.11.22 | Malicious version named in the summary; carries the obfuscated postinstall dropper. Pin or block in lockfiles. |
| Package | easy-day-js@1.11.21 | Also flagged as malicious; treat any version of easy-day-js as suspect. |
| GitHub User | sergey2016 | Extracted account name; same handle also appears on the npm registry (below). |
| Filename | setup.cjs | Filename artifact from the extraction; role per the original article. |
| IP | 23.254.164.92 | Attacker-controlled infrastructure per the summary; alert on outbound connections from build and dev hosts. |
| IP | 23.254.164.123 | Attacker-controlled infrastructure per the summary; alert on outbound connections from build and dev hosts. |
| Filename | .pkg_history | Filename artifact from the extraction; role per the original article. |
| Filename | .pkg_logs | Filename artifact from the extraction; role per the original article. |
| Filename | <24-hex-chars>.js | Pattern, not a literal name: 24 hexadecimal characters followed by `.js` (regex `^[0-9a-f]{24}\.js$`). |
| Registry User | sergey2016 | npm registry account with the same handle as the GitHub user above. |
| GitHub User | iamkun | iamkun is the GitHub handle of the legitimate dayjs maintainer (github.com/iamkun/dayjs), i.e. the project being typosquatted. Treat as context for the attack, not as attacker infrastructure, unless the original article states otherwise. |