
Mastra npm supply chain attack compromises over 140 packages

malware · open · Jun 17, 2026 — Jun 18, 2026

A supply chain attack targeting the JavaScript ecosystem has compromised more than 140 npm packages registered under the mastra scope. The intrusion began when attackers took over the maintainer account behind the package ehindero and used it to publish a malicious look-alike, easy-day-js, that mimics the popular dayjs library. Security researchers first observed the activity on 17 June 2026, and Microsoft Threat Intelligence issued a warning the same day.

The malicious package carries a postinstall hook, which npm runs automatically whenever a developer executes npm install or npm update; no action beyond installing the package is required. The hook disables TLS certificate validation, so the second-stage download succeeds regardless of the certificate the download server presents, then fetches an infostealer and executes it on the host. The infostealer harvests browser history and extracts data from more than 160 cryptocurrency wallet browser extensions; Windows, macOS and Linux hosts are all affected. No CVE identifiers have been assigned to the campaign so far.

Socket, the security firm that discovered the abuse, blocked the rogue package shortly after its release and alerted the community. Microsoft's analysis puts the campaign's active window at 17 to 18 June 2026; no specific threat actor has been attributed. The incident shows how a single compromised maintainer account can be used to poison a wide swath of the npm registry.

Defenders should immediately audit their dependency trees, including lockfiles and transitive dependencies, for any reference to easy-day-js or other unexpected mastra-scoped packages and remove them if found. Pinning projects to known-good versions and reviewing the preinstall, install and postinstall scripts of every dependency, or installing with lifecycle scripts disabled, stops the hook from running in the first place. Any host that already ran the install should be treated as compromised: rotate API keys, session tokens and any credentials that may have been exposed, and enable the relevant detection rules in Microsoft Defender or a comparable endpoint product to catch related activity.

Organisations are encouraged to adopt provenance checks for npm packages, keep lockfiles committed to version control and run regular audits with tools that flag suspicious install scripts. Watching for typosquatted names that imitate popular libraries, and for unexpected network traffic immediately after a package installation, reduces the risk of similar supply chain compromises in the future.

Intelligence briefing updated Jun 18, 2026

Root source: socket.dev