{"campaign":{"name":"@mastra npm Scope Takeover","slug":"mastra-npm-scope-takeover","href":"/ti/campaigns/mastra-npm-scope-takeover","description":"npm scope/account-takeover supply chain attack against the @mastra (Mastra AI agent framework) ecosystem. On 2026-06-17 (UTC) the attacker republished 143 first-party @mastra packages (including @mastra/core, mastra, create-mastra) in a ~84-minute burst (01:12-02:36). The publisher account `ehindero` belonged to a former Mastra contributor; it had been dormant for ~16 months, its scope access had never been revoked, and its email had been changed to a tutamail address. Library code was left byte-identical; each malicious release added exactly one dependency, easy-day-js (a dayjs clone), whose postinstall hook drops and runs a multi-platform cryptocurrency-stealing RAT. Malicious versions were published from a personal token with dist.attestations=null, a break from the OIDC/SLSA provenance attestations that legitimate releases carry. Tradecraft overlaps the Sapphire Sleet / BlueNoroff cluster (SafeDep assessment, unconfirmed).","objective":"Compromise developer and CI machines via a trusted AI-agent-framework scope to steal cryptocurrency wallets and browser/credential data through a persistent multi-platform RAT.","aliases":["mastra-scope-takeover","ehindero @mastra 
compromise"],"discovered_at":"2026-06-17"},"packages":[{"ecosystem":"npm","name":"@mastra/core","href":"/ti/packages/npm/@mastra/core","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.42.1"]},{"ecosystem":"npm","name":"easy-day-js","href":"/ti/packages/npm/easy-day-js","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence","typosquat"],"versions":["1.11.21","1.11.22"]},{"ecosystem":"npm","name":"@mastra/acp","href":"/ti/packages/npm/@mastra/acp","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.2"]},{"ecosystem":"npm","name":"@mastra/agent-browser","href":"/ti/packages/npm/@mastra/agent-browser","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.3.2"]},{"ecosystem":"npm","name":"@mastra/agent-builder","href":"/ti/packages/npm/@mastra/agent-builder","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.42"]},{"ecosystem":"npm","name":"@mastra/agentcore","href":"/ti/packages/npm/@mastra/agentcore","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.2"]},{"ecosystem":"npm","name":"@mastra/agentfs","href":"/ti/packages/npm/@mastra/agentfs","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.1"]},{"ecosystem":"npm","name":"@mastra/ai-sdk","href":"/ti/packages/npm/@mastra/ai-sdk","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.4.6"]},{"ecosystem":"npm","name":"@mastra/arize","href":"/ti/packages/npm/@mastra/arize","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.2.3"]},{"ecosystem":"npm","name":"@mastra/arthur","href":"/ti/packages/npm/@mastra/arthur","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"ve
rsions":["0.3.3"]},{"ecosystem":"npm","name":"@mastra/astra","href":"/ti/packages/npm/@mastra/astra","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.2"]},{"ecosystem":"npm","name":"@mastra/auth","href":"/ti/packages/npm/@mastra/auth","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.3"]},{"ecosystem":"npm","name":"@mastra/auth-auth0","href":"/ti/packages/npm/@mastra/auth-auth0","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.2"]},{"ecosystem":"npm","name":"@mastra/auth-better-auth","href":"/ti/packages/npm/@mastra/auth-better-auth","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.4"]},{"ecosystem":"npm","name":"@mastra/auth-clerk","href":"/ti/packages/npm/@mastra/auth-clerk","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.3"]},{"ecosystem":"npm","name":"@mastra/auth-cloud","href":"/ti/packages/npm/@mastra/auth-cloud","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.1.4"]},{"ecosystem":"npm","name":"@mastra/auth-firebase","href":"/ti/packages/npm/@mastra/auth-firebase","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.1"]},{"ecosystem":"npm","name":"@mastra/auth-okta","href":"/ti/packages/npm/@mastra/auth-okta","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.0.5"]},{"ecosystem":"npm","name":"@mastra/auth-studio","href":"/ti/packages/npm/@mastra/auth-studio","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.2.4"]},{"ecosystem":"npm","name":"@mastra/auth-supabase","href":"/ti/packages/npm/@mastra/auth-supabase","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"
versions":["1.0.2"]},{"ecosystem":"npm","name":"@mastra/auth-workos","href":"/ti/packages/npm/@mastra/auth-workos","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.5.3"]},{"ecosystem":"npm","name":"@mastra/azure","href":"/ti/packages/npm/@mastra/azure","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.3"]},{"ecosystem":"npm","name":"@mastra/blaxel","href":"/ti/packages/npm/@mastra/blaxel","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.4.2"]},{"ecosystem":"npm","name":"@mastra/braintrust","href":"/ti/packages/npm/@mastra/braintrust","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.1.4"]},{"ecosystem":"npm","name":"@mastra/brightdata","href":"/ti/packages/npm/@mastra/brightdata","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.2"]},{"ecosystem":"npm","name":"@mastra/browser-firecrawl","href":"/ti/packages/npm/@mastra/browser-firecrawl","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.1"]},{"ecosystem":"npm","name":"@mastra/browser-viewer","href":"/ti/packages/npm/@mastra/browser-viewer","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.3"]},{"ecosystem":"npm","name":"@mastra/chroma","href":"/ti/packages/npm/@mastra/chroma","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.2"]},{"ecosystem":"npm","name":"@mastra/clickhouse","href":"/ti/packages/npm/@mastra/clickhouse","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.10.1"]},{"ecosystem":"npm","name":"@mastra/claude","href":"/ti/packages/npm/@mastra/claude","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions"
:["1.0.3"]},{"ecosystem":"npm","name":"@mastra/client-js","href":"/ti/packages/npm/@mastra/client-js","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.24.1"]},{"ecosystem":"npm","name":"@mastra/cloud","href":"/ti/packages/npm/@mastra/cloud","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.24"]},{"ecosystem":"npm","name":"@mastra/cloudflare","href":"/ti/packages/npm/@mastra/cloudflare","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.4.2"]},{"ecosystem":"npm","name":"@mastra/cloudflare-d1","href":"/ti/packages/npm/@mastra/cloudflare-d1","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.7"]},{"ecosystem":"npm","name":"@mastra/codemod","href":"/ti/packages/npm/@mastra/codemod","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.4"]},{"ecosystem":"npm","name":"@mastra/convex","href":"/ti/packages/npm/@mastra/convex","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.2.2"]},{"ecosystem":"npm","name":"@mastra/couchbase","href":"/ti/packages/npm/@mastra/couchbase","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.4"]},{"ecosystem":"npm","name":"@mastra/cursor","href":"/ti/packages/npm/@mastra/cursor","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.1"]},{"ecosystem":"npm","name":"@mastra/dane","href":"/ti/packages/npm/@mastra/dane","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.2"]},{"ecosystem":"npm","name":"@mastra/datadog","href":"/ti/packages/npm/@mastra/datadog","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.2.5"]},{"ecosystem":"npm","name":"@mastra
/daytona","href":"/ti/packages/npm/@mastra/daytona","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.4.2"]},{"ecosystem":"npm","name":"@mastra/deployer","href":"/ti/packages/npm/@mastra/deployer","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.42.1"]},{"ecosystem":"npm","name":"@mastra/deployer-cloud","href":"/ti/packages/npm/@mastra/deployer-cloud","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.42.1"]},{"ecosystem":"npm","name":"@mastra/deployer-cloudflare","href":"/ti/packages/npm/@mastra/deployer-cloudflare","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.1.44"]},{"ecosystem":"npm","name":"@mastra/deployer-netlify","href":"/ti/packages/npm/@mastra/deployer-netlify","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.1.20"]},{"ecosystem":"npm","name":"@mastra/deployer-vercel","href":"/ti/packages/npm/@mastra/deployer-vercel","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.1.38"]},{"ecosystem":"npm","name":"@mastra/docker","href":"/ti/packages/npm/@mastra/docker","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.3.1"]},{"ecosystem":"npm","name":"@mastra/dsql","href":"/ti/packages/npm/@mastra/dsql","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.3"]},{"ecosystem":"npm","name":"@mastra/duckdb","href":"/ti/packages/npm/@mastra/duckdb","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.4.3"]},{"ecosystem":"npm","name":"@mastra/dynamodb","href":"/ti/packages/npm/@mastra/dynamodb","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.9"]},{"ecosystem":"npm","nam
e":"@mastra/e2b","href":"/ti/packages/npm/@mastra/e2b","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.3.4"]},{"ecosystem":"npm","name":"@mastra/editor","href":"/ti/packages/npm/@mastra/editor","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.11.3"]},{"ecosystem":"npm","name":"@mastra/elasticsearch","href":"/ti/packages/npm/@mastra/elasticsearch","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.2.1"]},{"ecosystem":"npm","name":"@mastra/engine","href":"/ti/packages/npm/@mastra/engine","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.1"]},{"ecosystem":"npm","name":"@mastra/evals","href":"/ti/packages/npm/@mastra/evals","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.3.1"]},{"ecosystem":"npm","name":"@mastra/express","href":"/ti/packages/npm/@mastra/express","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.3.31"]},{"ecosystem":"npm","name":"@mastra/fastembed","href":"/ti/packages/npm/@mastra/fastembed","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.1.3"]},{"ecosystem":"npm","name":"@mastra/fastify","href":"/ti/packages/npm/@mastra/fastify","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.3.31"]},{"ecosystem":"npm","name":"@mastra/files-sdk","href":"/ti/packages/npm/@mastra/files-sdk","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.1"]},{"ecosystem":"npm","name":"@mastra/gcs","href":"/ti/packages/npm/@mastra/gcs","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.3"]},{"ecosystem":"npm","name":"@mastra/github-signals","href":"/ti/packages/npm/@mastra/
github-signals","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.2"]},{"ecosystem":"npm","name":"@mastra/google-cloud-pubsub","href":"/ti/packages/npm/@mastra/google-cloud-pubsub","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.6"]},{"ecosystem":"npm","name":"@mastra/google-drive","href":"/ti/packages/npm/@mastra/google-drive","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.1"]},{"ecosystem":"npm","name":"@mastra/hono","href":"/ti/packages/npm/@mastra/hono","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.4.26"]},{"ecosystem":"npm","name":"@mastra/inngest","href":"/ti/packages/npm/@mastra/inngest","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.5.2"]},{"ecosystem":"npm","name":"@mastra/koa","href":"/ti/packages/npm/@mastra/koa","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.5.14"]},{"ecosystem":"npm","name":"@mastra/laminar","href":"/ti/packages/npm/@mastra/laminar","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.2.3"]},{"ecosystem":"npm","name":"@mastra/lance","href":"/ti/packages/npm/@mastra/lance","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.7"]},{"ecosystem":"npm","name":"@mastra/langfuse","href":"/ti/packages/npm/@mastra/langfuse","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.3.6"]},{"ecosystem":"npm","name":"@mastra/langsmith","href":"/ti/packages/npm/@mastra/langsmith","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.2.4"]},{"ecosystem":"npm","name":"@mastra/libsql","href":"/ti/packages/npm/@mastra/libsql","threat_types":["rat",
"c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.13.1"]},{"ecosystem":"npm","name":"@mastra/loggers","href":"/ti/packages/npm/@mastra/loggers","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.1.3"]},{"ecosystem":"npm","name":"@mastra/longmemeval","href":"/ti/packages/npm/@mastra/longmemeval","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.50"]},{"ecosystem":"npm","name":"@mastra/mcp","href":"/ti/packages/npm/@mastra/mcp","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.10.1"]},{"ecosystem":"npm","name":"@mastra/mcp-docs-server","href":"/ti/packages/npm/@mastra/mcp-docs-server","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.1.47"]},{"ecosystem":"npm","name":"@mastra/mcp-registry-registry","href":"/ti/packages/npm/@mastra/mcp-registry-registry","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.2"]},{"ecosystem":"npm","name":"@mastra/mem0","href":"/ti/packages/npm/@mastra/mem0","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.14"]},{"ecosystem":"npm","name":"@mastra/memory","href":"/ti/packages/npm/@mastra/memory","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.20.4"]},{"ecosystem":"npm","name":"@mastra/modal","href":"/ti/packages/npm/@mastra/modal","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.2"]},{"ecosystem":"npm","name":"@mastra/mongodb","href":"/ti/packages/npm/@mastra/mongodb","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.9.3"]},{"ecosystem":"npm","name":"@mastra/mssql","href":"/ti/packages/npm/@mastra/mssql","threat_types":["rat","c2_agent","crypto_drainer
","credential_stealer","persistence"],"versions":["1.3.2"]},{"ecosystem":"npm","name":"@mastra/mysql","href":"/ti/packages/npm/@mastra/mysql","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.1"]},{"ecosystem":"npm","name":"@mastra/nestjs","href":"/ti/packages/npm/@mastra/nestjs","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.15"]},{"ecosystem":"npm","name":"@mastra/node-audio","href":"/ti/packages/npm/@mastra/node-audio","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.8"]},{"ecosystem":"npm","name":"@mastra/observability","href":"/ti/packages/npm/@mastra/observability","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.14.2"]},{"ecosystem":"npm","name":"@mastra/openai","href":"/ti/packages/npm/@mastra/openai","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.2"]},{"ecosystem":"npm","name":"@mastra/opencode","href":"/ti/packages/npm/@mastra/opencode","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.0.47"]},{"ecosystem":"npm","name":"@mastra/opensearch","href":"/ti/packages/npm/@mastra/opensearch","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.3"]},{"ecosystem":"npm","name":"@mastra/otel-bridge","href":"/ti/packages/npm/@mastra/otel-bridge","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.2.3"]},{"ecosystem":"npm","name":"@mastra/otel-exporter","href":"/ti/packages/npm/@mastra/otel-exporter","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.2.3"]},{"ecosystem":"npm","name":"@mastra/perplexity","href":"/ti/packages/npm/@mastra/perplexity","threat_types":["rat","c2_agent","crypto_drainer","credential
_stealer","persistence"],"versions":["0.1.1"]},{"ecosystem":"npm","name":"@mastra/pg","href":"/ti/packages/npm/@mastra/pg","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.13.1"]},{"ecosystem":"npm","name":"@mastra/pinecone","href":"/ti/packages/npm/@mastra/pinecone","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.2"]},{"ecosystem":"npm","name":"@mastra/playground-ui","href":"/ti/packages/npm/@mastra/playground-ui","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["33.0.1"]},{"ecosystem":"npm","name":"@mastra/posthog","href":"/ti/packages/npm/@mastra/posthog","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.29"]},{"ecosystem":"npm","name":"@mastra/qdrant","href":"/ti/packages/npm/@mastra/qdrant","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.3"]},{"ecosystem":"npm","name":"@mastra/rag","href":"/ti/packages/npm/@mastra/rag","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["2.2.2"]},{"ecosystem":"npm","name":"@mastra/railway","href":"/ti/packages/npm/@mastra/railway","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.1"]},{"ecosystem":"npm","name":"@mastra/react","href":"/ti/packages/npm/@mastra/react","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.1"]},{"ecosystem":"npm","name":"@mastra/redis","href":"/ti/packages/npm/@mastra/redis","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.1.3"]},{"ecosystem":"npm","name":"@mastra/redis-streams","href":"/ti/packages/npm/@mastra/redis-streams","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.0.4"]},{"ecosystem"
:"npm","name":"@mastra/s3","href":"/ti/packages/npm/@mastra/s3","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.5.3"]},{"ecosystem":"npm","name":"@mastra/schema-compat","href":"/ti/packages/npm/@mastra/schema-compat","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.2.12"]},{"ecosystem":"npm","name":"@mastra/sentry","href":"/ti/packages/npm/@mastra/sentry","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.1.4"]},{"ecosystem":"npm","name":"@mastra/server","href":"/ti/packages/npm/@mastra/server","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["2.1.1"]},{"ecosystem":"npm","name":"@mastra/slack","href":"/ti/packages/npm/@mastra/slack","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.3.1"]},{"ecosystem":"npm","name":"@mastra/spanner","href":"/ti/packages/npm/@mastra/spanner","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.1.2"]},{"ecosystem":"npm","name":"@mastra/speech-azure","href":"/ti/packages/npm/@mastra/speech-azure","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.1"]},{"ecosystem":"npm","name":"@mastra/speech-elevenlabs","href":"/ti/packages/npm/@mastra/speech-elevenlabs","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.1"]},{"ecosystem":"npm","name":"@mastra/speech-google","href":"/ti/packages/npm/@mastra/speech-google","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.1"]},{"ecosystem":"npm","name":"@mastra/speech-ibm","href":"/ti/packages/npm/@mastra/speech-ibm","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.1"]},{"ecosystem":"npm","name":"@m
astra/speech-murf","href":"/ti/packages/npm/@mastra/speech-murf","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.1"]},{"ecosystem":"npm","name":"@mastra/speech-openai","href":"/ti/packages/npm/@mastra/speech-openai","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.1"]},{"ecosystem":"npm","name":"@mastra/speech-replicate","href":"/ti/packages/npm/@mastra/speech-replicate","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.1"]},{"ecosystem":"npm","name":"@mastra/speech-speechify","href":"/ti/packages/npm/@mastra/speech-speechify","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.1"]},{"ecosystem":"npm","name":"@mastra/stagehand","href":"/ti/packages/npm/@mastra/stagehand","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.2.5"]},{"ecosystem":"npm","name":"@mastra/tavily","href":"/ti/packages/npm/@mastra/tavily","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.3"]},{"ecosystem":"npm","name":"@mastra/temporal","href":"/ti/packages/npm/@mastra/temporal","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.14"]},{"ecosystem":"npm","name":"@mastra/turbopuffer","href":"/ti/packages/npm/@mastra/turbopuffer","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.3"]},{"ecosystem":"npm","name":"@mastra/twilio","href":"/ti/packages/npm/@mastra/twilio","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.2"]},{"ecosystem":"npm","name":"@mastra/upstash","href":"/ti/packages/npm/@mastra/upstash","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.1.3"]},{"ecosystem":"npm","na
me":"@mastra/vectorize","href":"/ti/packages/npm/@mastra/vectorize","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.3"]},{"ecosystem":"npm","name":"@mastra/vercel","href":"/ti/packages/npm/@mastra/vercel","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.1"]},{"ecosystem":"npm","name":"@mastra/voice-aws-nova-sonic","href":"/ti/packages/npm/@mastra/voice-aws-nova-sonic","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.4"]},{"ecosystem":"npm","name":"@mastra/voice-azure","href":"/ti/packages/npm/@mastra/voice-azure","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.11.2"]},{"ecosystem":"npm","name":"@mastra/voice-cloudflare","href":"/ti/packages/npm/@mastra/voice-cloudflare","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.12.3"]},{"ecosystem":"npm","name":"@mastra/voice-deepgram","href":"/ti/packages/npm/@mastra/voice-deepgram","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.12.2"]},{"ecosystem":"npm","name":"@mastra/voice-elevenlabs","href":"/ti/packages/npm/@mastra/voice-elevenlabs","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.12.2"]},{"ecosystem":"npm","name":"@mastra/voice-gladia","href":"/ti/packages/npm/@mastra/voice-gladia","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.12.2"]},{"ecosystem":"npm","name":"@mastra/voice-google","href":"/ti/packages/npm/@mastra/voice-google","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.12.3"]},{"ecosystem":"npm","name":"@mastra/voice-google-gemini-live","href":"/ti/packages/npm/@mastra/voice-google-gemini-live","threat_types":["rat","c2_agent","crypto_dra
iner","credential_stealer","persistence"],"versions":["0.12.2"]},{"ecosystem":"npm","name":"@mastra/voice-inworld","href":"/ti/packages/npm/@mastra/voice-inworld","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.3.1"]},{"ecosystem":"npm","name":"@mastra/voice-modelslab","href":"/ti/packages/npm/@mastra/voice-modelslab","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.2"]},{"ecosystem":"npm","name":"@mastra/voice-murf","href":"/ti/packages/npm/@mastra/voice-murf","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.12.3"]},{"ecosystem":"npm","name":"@mastra/voice-openai","href":"/ti/packages/npm/@mastra/voice-openai","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.12.3"]},{"ecosystem":"npm","name":"@mastra/voice-openai-realtime","href":"/ti/packages/npm/@mastra/voice-openai-realtime","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.12.6"]},{"ecosystem":"npm","name":"@mastra/voice-playai","href":"/ti/packages/npm/@mastra/voice-playai","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.12.2"]},{"ecosystem":"npm","name":"@mastra/voice-sarvam","href":"/ti/packages/npm/@mastra/voice-sarvam","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.2"]},{"ecosystem":"npm","name":"@mastra/voice-speechify","href":"/ti/packages/npm/@mastra/voice-speechify","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.12.2"]},{"ecosystem":"npm","name":"@mastra/voice-xai-realtime","href":"/ti/packages/npm/@mastra/voice-xai-realtime","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.2"]},{"ecosystem":"npm","name":"create-mastra","href":"/ti/
packages/npm/create-mastra","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.13.1"]},{"ecosystem":"npm","name":"mastra","href":"/ti/packages/npm/mastra","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.13.1"]},{"ecosystem":"npm","name":"@mastra/node-speaker","href":"/ti/packages/npm/@mastra/node-speaker","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["0.1.1"]},{"ecosystem":"npm","name":"@mastra/s3vectors","href":"/ti/packages/npm/@mastra/s3vectors","threat_types":["rat","c2_agent","crypto_drainer","credential_stealer","persistence"],"versions":["1.0.7"]}],"indicators":[{"kind":"email","value":"ehindero2016@tutamail.com","href":"/ti/ioc/email/ehindero2016@tutamail.com","context":"Operator email on the compromised `ehindero` npm account at time of the malicious @mastra republish."},{"kind":"email","value":"sergey2016@tutamail.com","href":"/ti/ioc/email/sergey2016@tutamail.com","context":"Email of the `sergey2016` npm account that published the easy-day-js dropper. Sibling <name>2016@tutamail.com pattern shared with the operator."},{"kind":"url","value":"https://23.254.164.92:8000/update/49890878","href":"/ti/ioc/url/url-76412fcc7af0","context":"Dropper stage-2 retrieval URL; returns the 12-byte-hex-named JS RAT loader only to Node default User-Agent."},{"kind":"url","value":"https://23.254.164.123/49890878","href":"/ti/ioc/url/url-f88b7373e400","context":"RAT stage-2 C2 endpoint; base64-encoded JSON beacon/command protocol (type:prepare/tpcsr/r0), default 10-minute cycle. Campaign path /49890878 shared with the dropper."},{"kind":"ipv4","value":"23.254.164.92","href":"/ti/ioc/ipv4/23.254.164.92","context":"Stage-2 download host (dropper). HTTPS GET to https://23.254.164.92:8000/update/49890878. Hostwinds, PTR hwsrv-1327786.hostwindsdns.com. 
User-Agent gated: serves payload only to Node default UA."},{"kind":"ipv4","value":"23.254.164.123","href":"/ti/ioc/ipv4/23.254.164.123","context":"RAT stage-2 C2 (still live at analysis time). HTTPS POST to https://23.254.164.123/49890878. Hostwinds, PTR hwsrv-1327785.hostwindsdns.com. Fronts an expired wolfSSL test cert CN=www.wolfssl.com."},{"kind":"sha256","value":"221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf","href":"/ti/ioc/sha256/221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf","context":"Stage-2 payload: 41 KB obfuscated multi-platform cryptocurrency-stealer RAT."},{"kind":"sha256","value":"4a8860240e4231c3a74c81949be655a28e096a7d72f38fbe84e5b37636b98417","href":"/ti/ioc/sha256/4a8860240e4231c3a74c81949be655a28e096a7d72f38fbe84e5b37636b98417","context":"easy-day-js@1.11.21 npm tarball (clean precursor, no install hook)."},{"kind":"sha256","value":"ae70dd4f6bc0d1c8c2848e4e6b51934626c4818dcb5af99d080ddbd7dc337185","href":"/ti/ioc/sha256/ae70dd4f6bc0d1c8c2848e4e6b51934626c4818dcb5af99d080ddbd7dc337185","context":"easy-day-js@1.11.22 npm tarball (armed: postinstall RAT dropper setup.cjs)."},{"kind":"sha256","value":"2e2340f2ab71f321d3ef6fb9a7542fb9f30f3c65ba7ef924fcd8acc63829b5bf","href":"/ti/ioc/sha256/2e2340f2ab71f321d3ef6fb9a7542fb9f30f3c65ba7ef924fcd8acc63829b5bf","context":"@mastra/core@1.42.1 npm tarball (republished by ehindero, dist.attestations=null, easy-day-js dependency injected)."},{"kind":"file_path","value":"setup.cjs","href":"/ti/ioc/file_path/file_path-fcac09d05920","context":"easy-day-js@1.11.22 postinstall dropper (obfuscator.io custom-base64 string-array). 
Sets NODE_TLS_REJECT_UNAUTHORIZED=0 (disables Node's TLS certificate verification), fetches stage 2, spawns detached node child, then self-deletes (fs.rmSync(__filename))."},{"kind":"file_path","value":".pkg_history","href":"/ti/ioc/file_path/file_path-34b4c3ce284f","context":"Marker file written to os.tmpdir() by setup.cjs (contains __dirname)."},{"kind":"file_path","value":".pkg_logs","href":"/ti/ioc/file_path/file_path-a970d908e8cf","context":"Marker file written to os.tmpdir() by setup.cjs (bytes of \"easy-day-js\" XOR 0x80)."},{"kind":"file_path","value":"~/Library/LaunchAgents/com.nvm.protocal.plist","href":"/ti/ioc/file_path/file_path-2f1792f4b790","context":"macOS RAT persistence LaunchAgent (typosquats nvm tooling)."},{"kind":"file_path","value":"~/Library/NodePackages/protocal.cjs","href":"/ti/ioc/file_path/file_path-06ac923384c2","context":"macOS RAT payload body disguised as Node tooling."},{"kind":"file_path","value":"~/.config/systemd/user/nvmconf.service","href":"/ti/ioc/file_path/file_path-adfb9d756710","context":"Linux RAT persistence systemd user unit (typosquats nvm tooling)."},{"kind":"file_path","value":"~/.config/NodePackages/config.json","href":"/ti/ioc/file_path/file_path-991ec52d7441","context":"Linux RAT config persistence (UID/PrimaryUrl/Cycle)."},{"kind":"file_path","value":"C:\\ProgramData\\NodePackages","href":"/ti/ioc/file_path/file_path-d4d357fe8699","context":"Windows RAT persistence/config directory."},{"kind":"email","value":"ehindero2016@gmail.com","href":"/ti/ioc/email/ehindero2016@gmail.com","context":"Original email on the `ehindero` npm account during its clean @mastra/core alpha publishes (2024-11 to 2025-02); same account, later changed to tutamail. 
Account-takeover indicator."}],"ttps":[{"name":"Compromise Software Supply Chain","mitre_attack_id":"T1195.002","href":"/ti/ttps/T1195.002"},{"name":"Valid Accounts","mitre_attack_id":"T1078","href":"/ti/ttps/T1078"},{"name":"Command and Scripting Interpreter: JavaScript","mitre_attack_id":"T1059.007","href":"/ti/ttps/T1059.007"},{"name":"Deobfuscate/Decode Files or Information","mitre_attack_id":"T1140","href":"/ti/ttps/T1140"},{"name":"Application Layer Protocol: Web Protocols","mitre_attack_id":"T1071.001","href":"/ti/ttps/T1071.001"},{"name":"Ingress Tool Transfer","mitre_attack_id":"T1105","href":"/ti/ttps/T1105"},{"name":"Boot or Logon Autostart Execution","mitre_attack_id":"T1547","href":"/ti/ttps/T1547"},{"name":"Credentials from Password Stores","mitre_attack_id":"T1555","href":"/ti/ttps/T1555"},{"name":"File Deletion","mitre_attack_id":"T1070.004","href":"/ti/ttps/T1070.004"},{"name":"Financial Theft","mitre_attack_id":"T1657","href":"/ti/ttps/T1657"},{"name":"Impair Defenses: Disable or Modify Tools","mitre_attack_id":"T1562.001","href":"/ti/ttps/T1562.001"},{"name":"Masquerading","mitre_attack_id":"T1036","href":"/ti/ttps/T1036"},{"name":"Obfuscated Files or Information","mitre_attack_id":"T1027","href":"/ti/ttps/T1027"},{"name":"Provenance Attestation Drop","href":"/ti/ttps/provenance-attestation-drop"},{"name":"Detached Process Second-Stage Execution","href":"/ti/ttps/detached-process-second-stage-execution"}],"related_campaigns":[],"reports":[{"title":"Mastra npm Scope Takeover: 143 Packages Drop a RAT","url":"https://safedep.io/mastra-npm-scope-takeover-supply-chain-attack","published_at":"2026-06-17"}]}