malware npm

easy-day-js

discovered 2026-06-17

A dayjs clone used as the dropper in the @mastra scope-takeover attack. Published by npm account sergey2016. v1.11.21 (2026-06-16) is clean; v1.11.22 (2026-06-17, tagged latest) adds a postinstall hook (setup.cjs) that downloads and runs a multi-platform cryptocurrency-stealing RAT. Caret range ^1.11.21 injected into 143 @mastra packages resolves to the armed 1.11.22.

more…

Threat types

rat c2_agent crypto_drainer credential_stealer persistence typosquat

Malicious versions

1.11.21 · 4a8860240e4231c3…
1.11.22 · ae70dd4f6bc0d1c8…

Campaigns

@mastra npm Scope Takeoverattributed-to

Indicators

url https://23.254.164.92:8000/update/49890878communicates-with
url https://23.254.164.123/49890878communicates-with
file_path setup.cjsindicates
file_path .pkg_historyindicates
file_path .pkg_logsindicates
email [email protected]indicates

Techniques

ttp T1195.002 Compromise Software Supply Chainuses
ttp T1078 Valid Accountsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1140 Deobfuscate/Decode Files or Informationuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1105 Ingress Tool Transferuses
ttp T1547 Boot or Logon Autostart Executionuses
ttp T1555 Credentials from Password Storesuses
ttp T1070.004 File Deletionuses
ttp T1657 Financial Theftuses
ttp T1562.001 Impair Defenses: Disable or Modify Toolsuses
ttp T1036 Masqueradinguses
ttp T1027 Obfuscated Files or Informationuses
ttp Provenance Attestation Dropuses
ttp Detached Process Second-Stage Executionuses

Read the full analysis →