A sweeping Mastra supply chain attack has hit the JavaScript ecosystem hard. Security firm Socket detected the campaign, which compromised more than 140 npm packages under the Mastra namespace. A single account mass-published the malicious releases on June 17th, 2026.
How the Attack Works
Interestingly, the Mastra package code itself stayed clean. Instead, “the attack is delivered through an injected dependency.” That dependency is a typosquatted package named easy-day-js, slipped into each package’s dependency list.
The malware hides inside a postinstall hook of that injected dependency. As Socket explained, “the malware runs automatically during npm install.” Therefore, a developer does not even need to import the package to get infected; simply installing it is enough.
Once triggered, the loader disables TLS certificate validation. Next, it fetches a second-stage payload, runs it as a detached background process, and deletes itself to hide its tracks.
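A practical check a defender wants at this point is whether a project's lock file ever pulled in the injected dependency, and which package dragged it in. The script below is an added example written for this article, not Socket's tooling or any Mastra project code. It reads a parsed npm package-lock.json (lockfileVersion 2 or 3), flags the easy-day-js name from the report, and separately lists every package that npm marked with an install-time lifecycle script (`hasInstallScript`), since that is the mechanism the campaign abused. The embedded lock file is constructed for the demonstration: the versions are placeholders, and every package name other than @mastra/core and easy-day-js is made up.

```javascript
// Added example (not Socket's or Mastra's code): audit an npm lock file for
// (1) a known-bad dependency name and (2) packages that run install scripts.
// Pass in the result of JSON.parse on a real package-lock.json to use it.

// Names taken from the published report; extend as indicators are released.
const KNOWN_BAD = new Set(['easy-day-js']);

// Lock v2/v3 keys entries by their node_modules path; the package name is
// whatever follows the last "node_modules/" segment (handles nested trees).
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return one finding per signal per package entry.
function scanLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    if (KNOWN_BAD.has(name)) {
      findings.push({ name, path: lockPath, version: entry.version, reason: 'known-bad-name' });
    }
    if (entry.hasInstallScript === true) {
      findings.push({ name, path: lockPath, version: entry.version, reason: 'install-script' });
    }
  }
  return findings;
}

// Which packages declare `target` as a dependency? '<root>' means package.json itself.
function dependantsOf(lock, target) {
  const result = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies);
    if (target in deps) result.push(lockPath === '' ? '<root>' : packageNameFromPath(lockPath));
  }
  return result;
}

// Overall verdict: a known-bad name anywhere in the tree means the install
// host should be treated as potentially compromised, per the report.
function auditLock(lock) {
  const findings = scanLockfile(lock);
  const bad = findings.filter((f) => f.reason === 'known-bad-name');
  return {
    compromised: bad.length > 0,
    findings,
    pulledInBy: Object.fromEntries(bad.map((f) => [f.name, dependantsOf(lock, f.name)])),
  };
}

// CONSTRUCTED sample lock file: placeholder versions, made-up helper names.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { '@mastra/core': '*' } },
    'node_modules/@mastra/core': {
      version: '0.0.0-placeholder',
      dependencies: { 'easy-day-js': '*', 'harmless-dep': '*' },
    },
    'node_modules/easy-day-js': { version: '0.0.0-placeholder', hasInstallScript: true },
    'node_modules/harmless-dep': { version: '1.0.0' },
    // A legitimate native addon also has an install script: worth a look, not proof of compromise.
    'node_modules/native-addon-dep': { version: '2.0.0', hasInstallScript: true },
  },
};

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

The `install-script` findings are deliberately reported separately from the known-bad match: many legitimate packages (native addons, for example) run install scripts, so that list is a review queue rather than a verdict. For CI and build hosts, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle hooks like this one from running at all, at the cost of breaking packages that genuinely need them.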
A Cross-Platform Infostealer
The recovered second stage is a powerful infostealer. Notably, it steals browser history and raids the stored data of over 160 cryptocurrency wallet extensions.
Moreover, it installs persistence across Windows, macOS, and Linux. Stolen data then flows out to the operators’ command-and-control servers.
This Mastra supply chain attack has real reach. The affected @mastra/core package alone draws more than 918,000 weekly downloads. Because the payload fires during installation, any host that ran the install “should be treated as potentially compromised.”
Fast Detection and Cleanup
There is some good news here. Socket flagged the malicious easy-day-js within six minutes of publication, and it automatically blocked installs for protected users.
If you pulled in an affected version, act quickly. First, remove the bad versions and delete node_modules. Then reinstall a known-good prior release.
Crucially, rotate every exposed secret, including npm tokens, cloud keys, CI/CD secrets, and SSH credentials. For the full indicator list and updates, read Socket’s detailed Mastra campaign analysis.
In short, this Mastra supply chain attack shows how one poisoned dependency can endanger thousands of builds.