Attackers republish 140+ packages of the Mastra framework with malware via an abandoned npm account

Within 84 minutes, attackers republished the @mastra scope on npm with the malicious dependency easy-day-js. @mastra/core records about 4 million downloads per month. Tradecraft points to the North Korean group BlueNoroff.
Between 01:12 and 02:36 UTC on Wednesday (17), attackers republished 141 packages of the @mastra scope on npm with a single malicious dependency, easy-day-js, according to research by Snyk published hours later. The target is the open source framework Mastra, one of the most widely used for building agents in JavaScript and TypeScript, whose core package, @mastra/core, accounts for approximately 4 million downloads per month. This combination makes it the largest publicly known incident of npm scope compromise in 2026, directly impacting the pipeline of enterprise AI applications.
The access vector was not a technical vulnerability. The attacker used the account "ehindero" of a former contributor whose access to the @mastra scope was never revoked. In a window of 84 minutes, the account published new versions in series, all pointing to easy-day-js as a dependency. The name is a typosquat of dayjs, one of the most downloaded date libraries in the JavaScript ecosystem, and the package was carefully staged: the day before, on June 16, the criminals published easy-day-js@1.11.21 as a byte-for-byte copy of the original dayjs; on June 17 they uploaded version 1.11.22, this time with a payload.
What the payload does
The Snyk analysis describes the chain step by step. When the package is installed, a postinstall hook disables TLS verification, downloads a second stage from a raw IP address controlled by the attackers, executes the binary in the background, and removes local indicators. The binary runs on Windows, macOS, and Linux and exfiltrates credentials from cryptocurrency wallets, browser tokens, SSH keys, and the environment variables typically present in CI pipelines. On developer workstations that sync corporate tokens via Git, the effect is direct: access to private repositories and to cloud provisioning secrets.
Orca Security registers 144 affected packages; Snyk and Cloudsmith count 141 and 142, respectively, with the difference explained by subsequent publications that the Mastra team cleaned up during the same morning. Snyk recommends that any workstation, CI runner, or build server that installed @mastra packages after June 16 be treated as compromised.
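A lockfile audit for the indicators named above, as an added example that is not Snyk's or Mastra's tooling: it walks a package-lock.json (v2/v3 layout), flags the easy-day-js typosquat itself, any package that depends on it, and any @mastra package that carries an install script. The embedded lockfile is constructed, and the @mastra/core version in it is a placeholder.

```javascript
// Indicators taken from the advisory: the typosquat name and the affected scope.
const MALICIOUS_DEP = "easy-day-js";
const TARGET_SCOPE = "@mastra/";

// Constructed package-lock.json (lockfileVersion 3) for illustration only;
// the @mastra/core version "9.9.9" is a placeholder, not a real release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@mastra/core": "^9.9.9", dayjs: "^1.11.13" } },
    "node_modules/@mastra/core": {
      version: "9.9.9",
      dependencies: { "easy-day-js": "^1.11.22" },
    },
    "node_modules/easy-day-js": { version: "1.11.22", hasInstallScript: true },
    "node_modules/dayjs": { version: "1.11.13" },
  },
};

// Derive the package name from a lockfile path such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Returns one finding per suspicious entry; an empty array means clean.
function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageName(lockPath);
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (name === MALICIOUS_DEP) {
      findings.push({ package: name, version: entry.version, reason: "typosquat package installed" });
    }
    if (Object.prototype.hasOwnProperty.call(deps, MALICIOUS_DEP)) {
      findings.push({ package: name, version: entry.version, reason: `depends on ${MALICIOUS_DEP}` });
    }
    if (name.startsWith(TARGET_SCOPE) && entry.hasInstallScript) {
      findings.push({ package: name, version: entry.version, reason: "scoped package with install script" });
    }
  }
  return findings;
}

// Run against the constructed lockfile; replace SAMPLE_LOCK with JSON.parse of a real file.
for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.package}@${f.version}: ${f.reason}`);
```

A lockfile only reflects what was resolved at install time, so a machine that ran npm install without a lock still needs its node_modules tree checked directly.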
The attribution, which is not yet confirmed
Snyk and Orca indicate that the tradecraft is consistent with the Sapphire Sleet group (BlueNoroff), a North Korean unit linked to the theft of crypto assets and previous campaigns against developers via poisoned packages on npm and PyPI. Snyk itself, however, warns that "the specific attribution of this incident is not confirmed" and that other cells may be copying the playbook. Microsoft Threat Intelligence has already attributed similar campaigns to the same North Korean cluster in previous compromises of Axios and web3.js.
None of this is a coincidence of timing. In April of this year, researchers from Hacker News documented over 1,700 malicious packages spread by the North Korean cluster on npm, PyPI, Go, and Rust over 12 months, in a sustained effort to insert RATs into developer environments. Mastra was simply the next high-value target: a young AI framework with fragile account hygiene, and popular enough to provide access to hundreds of pipelines.
The immediate effect on two continents
In the United States, home to the largest concentration of npm developers and to most of the CI running on AWS, GitHub Actions, and Vercel, the vector is direct: workstations of product teams and SaaS companies that carry the Mastra dependency. Early-stage AI application teams are especially exposed because they keep cloud credentials in local environment variables. In India, a global hub for JS/TS development, with centers from TCS, Infosys, Wipro, and the delivery hubs of Accenture and Capgemini, the workday on June 17 began with the malware already distributed via the npm registry and exposed to any pipeline that ran npm install with an outdated lockfile.
For CISOs in Brazil, the takeaway is practical. Banks and fintechs that build internal agents on open source AI frameworks tend to integrate Mastra or alternatives like CrewAI and LangChain into POC projects. Auditing @mastra/* dependencies installed after June 16, revoking npm tokens on developer machines, and rotating cloud credentials is the bare minimum, not the ceiling. The end of the fiscal month will bring tough questions about who governs the hygiene of the AI supply chain in-house.