Attackers Repost 140+ Packages of the Mastra Framework with Malware via Abandoned npm Account

In 84 minutes, attackers reposted the @mastra scope on npm with the malicious dependency easy-day-js. @mastra/core accumulates around 4 million downloads per month. Tradecraft points to the North Korean group BlueNoroff.
Between 01:12 and 02:36 UTC on Wednesday, June 17, attackers reposted 141 packages of the @mastra scope on npm with a single malicious dependency, easy-day-js, according to a report by Snyk published hours later. The target is the open-source Mastra framework, one of the most widely used for building agents in JavaScript and TypeScript, whose core package, @mastra/core, accumulates around 4 million downloads per month. This combination makes it the largest publicly known npm scope compromise of 2026, with direct impact on the enterprise AI application pipeline.
The attack vector was not a technical vulnerability. The attacker used the account "ehindero," belonging to a former contributor whose access to the @mastra scope was never revoked. In a window of 84 minutes, the account published new versions in succession, all declaring easy-day-js as a dependency. The name is a typosquat of dayjs, one of the most downloaded date libraries in the JavaScript ecosystem, and the setup was deliberate: the day before, on June 16, the criminals published easy-day-js@1.11.21 as a byte-for-byte copy of the original dayjs; on June 17, they uploaded version 1.11.22, this time carrying a payload.
What the Payload Does
Snyk's analysis outlines the sequence. Upon installation of the package, a postinstall hook disables TLS verification, downloads a second stage from a raw IP address controlled by the attackers, executes the binary in the background, and removes local indicators. The binary runs on Windows, macOS, and Linux, exfiltrating cryptocurrency wallet credentials, browser tokens, SSH keys, and the environment variables typical of CI pipelines. On developer workstations that sync corporate tokens through Git, the impact is direct: access to private repositories and cloud provisioning secrets.
Orca Security reports 144 affected packages; Snyk and Cloudsmith count 141 and 142, respectively, with the difference attributed to later publications that were cleaned up by the Mastra team earlier in the morning. Snyk recommends that any workstation, CI runner, or build server that installed @mastra packages from June 16 be treated as compromised.
The Attribution That Is Yet to Be Confirmed
Snyk and Orca indicate that the tradecraft is consistent with the Sapphire Sleet group (BlueNoroff), a North Korean unit linked to cryptoasset theft and previous campaigns against developers via poisoned packages on npm and PyPI. Snyk itself warns that "the specific attribution of this incident is not confirmed" and that other cells may be copying the playbook. Microsoft Threat Intelligence has already attributed similar campaigns to the same North Korean cluster in previous compromises of Axios and web3.js.
None of this is a calendar coincidence. In April of this year, Hacker News researchers documented over 1,700 malicious packages spread by the North Korean cluster across npm, PyPI, Go, and Rust in a sustained effort to implant RATs in developer environments. Mastra was simply the next high-value target: a young AI framework with fragile account hygiene and popular enough to provide access to hundreds of pipelines.
The Immediate Effect on Two Continents
In the United States, home to the largest concentration of npm developers and to most of the CI that runs on AWS, GitHub Actions, and Vercel, the vector is direct: workstations of product teams and SaaS companies that depend on Mastra. Early-stage AI application teams are especially exposed because they keep cloud credentials in local environment variables. In India, the world's second-largest hub for JS/TS development, with centers from TCS, Infosys, and Wipro and delivery hubs from Accenture and Capgemini, the workday on the 17th began with the malware already distributed through the npm registry and exposed to any pipeline that ran npm install with an outdated lock.
For CISOs in Brazil, the takeaway is practical. Banks and fintechs that build internal agents on open-source AI frameworks tend to integrate Mastra or alternatives like CrewAI and LangChain in POC projects. Auditing installed @mastra/* dependencies after June 16, revoking npm tokens on developer machines, and rotating cloud credentials is the floor, not the ceiling. The end of the fiscal month will bring tough questions about who governs the hygiene of the AI supply chain within the organization.