malware npm

@mastra/core

discovered 2026-06-17

First-party @mastra package republished by the compromised ehindero account on 2026-06-17 with library code unchanged and a single injected dependency (easy-day-js ^1.11.21) that drops a cryptocurrency-stealing RAT. Published with dist.attestations=null (no OIDC/SLSA provenance).

more…

Threat types

rat c2_agent crypto_drainer credential_stealer persistence

Malicious versions

1.42.1 · 2e2340f2ab71f321…

Campaigns

@mastra npm Scope Takeoverattributed-to

Indicators

url https://23.254.164.92:8000/update/49890878communicates-with
url https://23.254.164.123/49890878communicates-with
ipv4 23.254.164.92indicates
ipv4 23.254.164.123indicates
sha256 221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badfindicates
sha256 4a8860240e4231c3a74c81949be655a28e096a7d72f38fbe84e5b37636b98417indicates
sha256 ae70dd4f6bc0d1c8c2848e4e6b51934626c4818dcb5af99d080ddbd7dc337185indicates
sha256 2e2340f2ab71f321d3ef6fb9a7542fb9f30f3c65ba7ef924fcd8acc63829b5bfindicates
file_path setup.cjsindicates
file_path .pkg_historyindicates
file_path .pkg_logsindicates
file_path ~/Library/LaunchAgents/com.nvm.protocal.plistindicates
file_path ~/Library/NodePackages/protocal.cjsindicates
file_path ~/.config/systemd/user/nvmconf.serviceindicates
file_path ~/.config/NodePackages/config.jsonindicates
file_path C:\ProgramData\NodePackagesindicates
email [email protected]indicates
email [email protected]indicates
email [email protected]indicates

Techniques

ttp T1195.002 Compromise Software Supply Chainuses
ttp T1078 Valid Accountsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1140 Deobfuscate/Decode Files or Informationuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1105 Ingress Tool Transferuses
ttp T1547 Boot or Logon Autostart Executionuses
ttp T1555 Credentials from Password Storesuses
ttp T1070.004 File Deletionuses
ttp T1657 Financial Theftuses
ttp T1562.001 Impair Defenses: Disable or Modify Toolsuses
ttp T1036 Masqueradinguses
ttp T1027 Obfuscated Files or Informationuses
ttp Provenance Attestation Dropuses
ttp Detached Process Second-Stage Executionuses

Read the full analysis →