step-security · Crawled Jul 5, 2026
Secure Registry now tells you which machine pulled a compromised package
AI Summary
On June 17, 2026, an attacker compromised the @mastra npm organization and added a typosquatted dependency, easy-day-js, to over 140 packages in the Mastra AI framework ecosystem. The malicious package ran an obfuscated postinstall dropper that fetched a second-stage payload from an attacker-controlled server and then deleted itself. The affected packages account for more than 1.1 million weekly downloads, which underlines the need for rapid incident response and for source attribution that identifies which systems actually pulled the compromised versions.