2w ago · step-security
On June 17, 2026, a supply chain attack compromised the @mastra npm organization, and 140+ of its packages were backdoored through the malicious dependency easy-day-js@1.11.22. The package, a typosquat of the legitimate dayjs library, carried an obfuscated postinstall dropper that fetched and executed a second-stage payload from attacker-controlled infrastructure. Because npm runs install lifecycle scripts automatically during `npm install`, the dropper executed as soon as the dependency was resolved, before any project code ran. The campaign targeted high-value AI development environments in order to harvest credentials such as API keys and cloud tokens, exposing a user base of over 1.1 million weekly downloads.