144 npm Packages Backdoored in 88 Minutes — Inside Today's Mastra Supply Chain Attack
A former Mastra contributor's dormant npm account was hijacked to inject a crypto-stealing RAT into 144 packages with 1.1M weekly downloads — all in 88 minutes.
My feed exploded this morning. Every security researcher, every AI dev, every Node.js person — all talking about one thing. Mastra, the popular TypeScript framework for building AI agents, just got absolutely wrecked by a supply chain attack. And by "just" I mean literally today — June 17, 2026.
This isn't some theoretical vulnerability. This is a crypto-stealing RAT that was live in packages with 1.1 million weekly downloads. Let me break down exactly what happened.
The Setup — A Former Contributor's Ghost Account
Here's the uncomfortable truth about open-source security — your biggest risk isn't some random hacker. It's the contributor who left six months ago and still has publish access.
The attacker compromised ehindero, a legitimate former Mastra contributor whose organizational access to the @mastra npm scope was never revoked. That's it. That's how 144 packages got owned. One dormant account with stale permissions.
Between 01:12 and 02:39 UTC today, the attacker used that account to republish 141 packages in the @mastra scope. The whole operation took 88 minutes. By the time anyone noticed, the damage was done.
The Attack Chain — Four Stages of Evil
This wasn't some amateur hour script kiddie job. This was a carefully staged, multi-phase attack with real tradecraft.
Stage 0 — The Bait (June 16)
The attacker registered a second npm account (sergey2016) and published easy-day-js@1.11.21 — a clean, fully functional clone of the popular dayjs date library. Same metadata, same author name (iamkun), same MIT license. Completely benign. This was the Trojan horse sitting at the gates.
Stage 1 — The Weaponization (June 17, 01:01 UTC)
At 1 AM, the attacker pushed easy-day-js@1.11.22. This version added a setup.cjs file — 4,572 bytes of obfuscated JavaScript — executed via a postinstall hook. Here's where it gets nasty.
The republished @mastra packages all declared "easy-day-js": "^1.11.21" as a dependency. That caret (^) is the killer: ^1.11.21 accepts any 1.x.y version at or above 1.11.21, so npm's semver resolution happily upgraded to 1.11.22 — the malicious version — on every fresh install.
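To make the caret behaviour concrete, here is a small model of npm's caret-range resolution as an added example (not code from the post or from Mastra). It implements the general caret rule, not only the ^1.11.21 case, for plain X.Y.Z versions; the list of published versions is constructed.

```javascript
// Added example (not from the original post): a minimal model of npm's caret
// range semantics, enough to show why "^1.11.21" pulls in 1.11.22. It handles
// the general caret rule, not only this case: a caret permits any version that
// does not change the left-most non-zero component. Only plain X.Y.Z versions.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmpParts(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound of "^X.Y.Z": bump the left-most non-zero part.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Does `version` satisfy `range`? Supports "^X.Y.Z" and an exact "X.Y.Z".
function satisfies(range, version) {
  const v = parseVersion(version);
  if (range.startsWith("^")) {
    const lower = parseVersion(range.slice(1));
    return cmpParts(v, lower) >= 0 && cmpParts(v, caretUpperBound(lower)) < 0;
  }
  return cmpParts(v, parseVersion(range)) === 0;
}

// What a fresh install with no lockfile pin resolves: the highest published
// version that satisfies the declared range.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(range, v));
  ok.sort((a, b) => cmpParts(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed registry state modelled on the post: 1.11.21 clean, 1.11.22 malicious.
const PUBLISHED = ["1.11.20", "1.11.21", "1.11.22"];
console.log(resolve("^1.11.21", PUBLISHED)); // the caret admits 1.11.22
console.log(resolve("1.11.21", PUBLISHED));  // an exact pin stays on 1.11.21
```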
Stage 2 — The Dropper
That setup.cjs file did four things in rapid succession:
- Disabled TLS certificate verification (NODE_TLS_REJECT_UNAUTHORIZED=0)
- Downloaded a second-stage payload from 23.254.164.92:8000
- Spawned it as a detached background process
- Deleted itself — fs.rmSync(__filename, { force: true })
The self-deletion is chef's kiss evil. By the time you check your node_modules, the dropper is already gone.
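A defensive check for the four behaviours above, added here as an example rather than code from the post: it inspects a package manifest's install hooks and the script they run for the dropper's indicators. The fixtures, the function names and the /stage2 path are constructed.

```javascript
// Added example (not from the original post): a static triage check for the
// four dropper behaviours described above. It reads a package manifest plus the
// file its install hook runs and reports which indicators match. The fixtures
// and function names are constructed for this example.
const INDICATORS = [
  { id: "tls-verify-disabled", re: /NODE_TLS_REJECT_UNAUTHORIZED\s*=?\s*["']?0/ },
  { id: "raw-ip-url", re: /https?:\/\/\d{1,3}(\.\d{1,3}){3}(:\d+)?/ },
  { id: "detached-spawn", re: /detached\s*:\s*true|\.unref\(\)/ },
  { id: "self-delete", re: /rm(Sync)?\(\s*__filename/ },
];

// Every lifecycle script npm runs automatically during `npm install`.
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return ["preinstall", "install", "postinstall"]
    .filter((k) => typeof scripts[k] === "string")
    .map((k) => ({ hook: k, command: scripts[k] }));
}

function scanInstallHook(manifest, scriptSource) {
  const hooks = installHooks(manifest);
  const hits = hooks.length
    ? INDICATORS.filter((i) => i.re.test(scriptSource)).map((i) => i.id)
    : [];
  // Any install-time hook deserves a look; two or more dropper indicators
  // together is the combination this attack used.
  let verdict = "no-install-hooks";
  if (hooks.length) verdict = hits.length >= 2 ? "dropper-pattern"
    : hits.length === 1 ? "suspicious" : "review";
  return { hooks, hits, verdict };
}

// Constructed fixtures shaped like the post's description, not the real files.
const SAMPLE_MANIFEST = {
  name: "easy-day-js", version: "1.11.22", scripts: { postinstall: "node setup.cjs" },
};
const SAMPLE_SCRIPT = [
  'process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";',
  'const stage2 = "http://23.254.164.92:8000/stage2";',
  'spawn(process.execPath, [tmpPath], { detached: true }).unref();',
  'fs.rmSync(__filename, { force: true });',
].join("\n");
const CLEAN_MANIFEST = { name: "easy-day-js", version: "1.11.21", scripts: { test: "vitest" } };

console.log(scanInstallHook(SAMPLE_MANIFEST, SAMPLE_SCRIPT).verdict); // dropper-pattern
console.log(scanInstallHook(CLEAN_MANIFEST, "module.exports = () => new Date();").verdict);
```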
Stage 3 — The RAT
The second-stage payload (protocal.cjs, 41KB) is a full cross-platform remote access trojan. What it does:
- Crypto wallet theft: Targets 166 browser extensions — MetaMask, Phantom, Solflare, and 163 others across Chrome, Brave, and Edge
- Persistence: Installs itself differently per OS — LaunchAgent on macOS (com.nvm.protocal), systemd service on Linux (nvmconf.service), Registry run key on Windows (NvmProtocal)
- Browser history exfiltration: Grabs your full browsing history
- Remote command execution: Beacons to 23.254.164.123:443 every 10 minutes for tasking
The C2 communication uses base64-encoded JSON — sending your username, hostname, OS, Node version, installed apps, wallet inventory, and running processes. The server responds with arbitrary commands.
The Obfuscation — Three Layers Deep
The dropper wasn't just minified JavaScript. It used three distinct obfuscation layers:
- Custom-alphabet Base64 — shuffled alphabet (lowercase, uppercase, digits) requiring reversal before decoding
- Array rotation with checksum — a 40-element string array that needs rotation by exactly 34 positions, validated by an arithmetic check equaling 0x4c11d (311,581)
- XOR-encoded beacon — the package name stored as raw bytes [0xe5, 0xe1, 0xf3, 0xf9, 0xad, 0xe4, 0xe1, 0xf9, 0xad, 0xea, 0xf3] instead of plaintext
But here's the funny part — the C2 URL was in plaintext. This suggests the attacker was rushing. Sophisticated obfuscation on everything except the one thing that matters most.
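Two deobfuscation helpers for layers one and three, added as an example (not the post's code and not the attacker's): a decoder for Base64 over a custom alphabet, and a known-plaintext check that recovers the single-byte XOR key from the bytes quoted above. The shuffled alphabet is constructed, since the real one is not on the page.

```javascript
// Added example (not from the original post): two deobfuscation helpers for
// the first and third layers described above. The shuffled alphabet below is
// constructed for the example (the real one is not on the page); the XOR bytes
// are the ones quoted in the post, and the key is recovered rather than assumed.

// Layer 1: Base64 over a custom alphabet. Once each symbol is mapped back to
// its 6-bit value through the alphabet, decoding is ordinary Base64.
function decodeCustomBase64(text, alphabet) {
  if (alphabet.length !== 64) throw new Error("alphabet must have 64 symbols");
  const value = new Map([...alphabet].map((c, i) => [c, i]));
  const out = [];
  let bits = 0, nbits = 0;
  for (const c of text.replace(/=+$/, "")) {
    if (!value.has(c)) throw new Error(`symbol not in alphabet: ${c}`);
    bits = (bits << 6) | value.get(c);
    nbits += 6;
    if (nbits >= 8) {
      nbits -= 8;
      out.push((bits >> nbits) & 0xff);
      bits &= (1 << nbits) - 1; // keep only the leftover bits
    }
  }
  return Buffer.from(out).toString("utf8");
}

const STANDARD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
const CUSTOM = STANDARD.slice(17) + STANDARD.slice(0, 17); // constructed shuffle
// Builds a fixture: standard Base64 re-mapped through the custom alphabet.
function encodeCustomBase64(plain, alphabet) {
  const std = Buffer.from(plain, "utf8").toString("base64");
  return [...std].map((c) => (c === "=" ? c : alphabet[STANDARD.indexOf(c)])).join("");
}

// Layer 3: single-byte XOR. The post says the bytes hold the package name, so
// each byte XORed with the expected character gives a key candidate; one
// consistent value across every position confirms both the key and the guess.
function recoverXorKey(cipherBytes, knownPlain) {
  if (cipherBytes.length !== knownPlain.length) return null;
  const keys = new Set(cipherBytes.map((b, i) => b ^ knownPlain.charCodeAt(i)));
  return keys.size === 1 ? [...keys][0] : null;
}
function xorDecode(cipherBytes, key) {
  return String.fromCharCode(...cipherBytes.map((b) => b ^ key));
}

const BEACON_BYTES = [0xe5, 0xe1, 0xf3, 0xf9, 0xad, 0xe4, 0xe1, 0xf9, 0xad, 0xea, 0xf3];
const key = recoverXorKey(BEACON_BYTES, "easy-day-js");
console.log(key.toString(16), xorDecode(BEACON_BYTES, key)); // 80 easy-day-js
console.log(decodeCustomBase64(encodeCustomBase64("easy-day-js", CUSTOM), CUSTOM));
```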
The Detection — Six Minutes
Socket flagged easy-day-js within six minutes of the malicious version being published. StepSecurity's Harden Runner caught the C2 connection during runtime testing. Endor Labs, JFrog, and SafeDep all independently identified the attack.
The security tooling worked. But six minutes was still enough for the attacker to republish 141 packages.
The Dirty Secret Nobody Wants to Talk About
This attack exploited something we all know but pretend isn't a problem — npm postinstall scripts run arbitrary code on your machine during npm install.
Every. Single. Time.
You run npm install and you're executing code from hundreds of maintainers you've never met, with permissions you never explicitly granted. The Mastra attack didn't exploit a zero-day. It didn't need a CVE. It just... added a dependency and let npm do what npm does.
What You Should Do Right Now
If you used any @mastra/* package:
- Check your lockfile for easy-day-js — if it's there, assume compromise
- Rotate everything — API keys, database credentials, LLM provider keys, cloud tokens
- Check for persistence — look for com.nvm.protocal (macOS), nvmconf.service (Linux), NvmProtocal registry key (Windows)
- Search for artifacts — .pkg_history, .pkg_logs, random hex-named .js files in temp directories
- If you have crypto wallets — move funds immediately. Don't wait.
- Disable postinstall scripts — npm config set ignore-scripts true and manually run build scripts you trust
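A lockfile triage script for the first and last steps above, added here as an example (not code from the post or from Mastra): it finds every copy of easy-day-js in a package-lock.json, which entries pulled it in and with what range, and whether npm recorded an install script for it. The lockfile and the @mastra/core version inside it are constructed.

```javascript
// Added example (not from the original post): lockfile triage for the steps
// above. Finds every copy of a package in package-lock.json (v1 nested
// "dependencies" or v2/v3 flat "packages"), the resolved version, who pulled it
// in, and npm's hasInstallScript flag. The lockfile below is constructed.
function findInLockfile(lock, name) {
  const found = [];
  if (lock.packages) { // lockfileVersion 2 or 3: keys are node_modules paths
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: entry.version, hasInstallScript: !!entry.hasInstallScript });
      }
    }
  } else if (lock.dependencies) { // lockfileVersion 1: nested tree, no install flag
    const walk = (deps, prefix) => {
      for (const [dep, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) found.push({ path, version: entry.version, hasInstallScript: null });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}
// Entries that declare `name` as a dependency, with the range they used (v2/v3 only).
function dependentsOf(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const range = entry.dependencies && entry.dependencies[name];
    if (range) out.push({ dependent: path || "(root)", range });
  }
  return out;
}
// Per the guidance above: any copy of the package in the lockfile means assume compromise.
function triage(lock, name) {
  const copies = findInLockfile(lock, name);
  return { compromised: copies.length > 0, copies, dependents: dependentsOf(lock, name) };
}
const SAMPLE_LOCK = { // constructed v3 lockfile of an affected project
  lockfileVersion: 3,
  packages: {
    "": { name: "my-agent", dependencies: { "@mastra/core": "^0.10.0" } },
    "node_modules/@mastra/core": { version: "0.10.0", dependencies: { "easy-day-js": "^1.11.21" } },
    "node_modules/easy-day-js": { version: "1.11.22", hasInstallScript: true },
  },
};
console.log(JSON.stringify(triage(SAMPLE_LOCK, "easy-day-js"), null, 2));
```

On a real project, read the file with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and pass it to `triage` in place of the fixture.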
The Bigger Picture
This is the third major npm supply chain attack this year. The pattern is always the same — compromised maintainer account, injected dependency, postinstall dropper, credential theft. The tooling catches it fast, but "fast" in supply chain attacks still means thousands of developers get hit before the takedown.
The Mastra attack hit AI developers specifically. Think about what's in a typical Mastra project's environment — LLM API keys worth thousands per month, cloud provider credentials, database connections, CI/CD secrets. The attacker knew exactly who they were targeting.
SafeDep noted the tradecraft overlaps with Sapphire Sleet (BlueNoroff) — the same group linked to the 2026 Axios compromise. Attribution isn't confirmed, but the pattern is unmistakable.
One-line summary: A former contributor's unrevoked npm access led to 144 AI framework packages being backdoored with a crypto-stealing RAT in under 90 minutes — and npm install was the only exploit needed.
ok I'm out. go build something — but maybe audit your package.json first.