On June 17, 2026, an attacker compromised the @mastra npm organization and published malicious versions of 13 packages within the Mastra AI framework. Among them was 'easy-day-js', a typosquat of the popular 'dayjs' library, carrying a postinstall script that executed an obfuscated JavaScript file. That script downloaded and ran a second-stage payload aimed at extracting sensitive information such as API keys and cloud credentials.
The attack unfolded in four stages: publication of a clean package as bait, the compromised release of the malicious package versions, execution of a dropper script during installation, and finally execution of the payload that harvested sensitive data.