step-security · Crawled Jul 5, 2026

Secure Registry now tells you which machine pulled a compromised package


AI Summary

On June 17, 2026, an attacker compromised the @mastra npm organization and introduced a typosquatted package, easy-day-js, into over 140 packages in the Mastra AI framework ecosystem. The malicious package ran an obfuscated postinstall dropper that fetched a second-stage payload from an attacker-controlled server and then deleted itself. The supply chain attack exposed more than 1.1 million weekly downloads, underlining the need for rapid incident response and for source attribution that can determine which systems actually pulled the package.

AI-extracted · verify before operational use

Indicators of Compromise (3 extracted)

Type         Value
Package      easy-day-js
GitHub Repo  codfish/semantic-release-action
GitHub Repo  simonecorsi/mawesome