Over 140 Mastra npm packages compromised in supply chain attack



More than 140 npm packages linked to the Mastra ("@mastra/*") open-source AI development framework were compromised in a large-scale software supply-chain attack discovered on June 17, 2026.

Reports from multiple cybersecurity vendors, including Endor Labs, JFrog, SafeDep, Socket, and StepSecurity said attackers hijacked a legitimate npm account belonging to a former Mastra contributor and published 144 malicious package versions within 88 minutes.

The compromised packages contained a dependency called ‘easy-day-js,’ a fake version of the popular date library Day.js. The package downloaded and executed malware during installation.

According to researchers, the malware could steal browser data, collect information from more than 160 cryptocurrency wallet extensions, install persistence mechanisms on Windows, macOS, and Linux systems, and communicate with attacker-controlled servers for further instructions.

Npm has removed the malicious package versions and restored safe releases. Security experts recommend that anyone who installed the affected versions immediately roll back to a safe version, rotate credentials, and investigate systems for signs of compromise.
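One way to carry out the "investigate systems" step is to check each project's lockfile for the fake dependency the article names. The following is an added example, not code from the article or the Mastra project: it scans an npm v2/v3 `package-lock.json` (the `packages` map keyed by `node_modules` path) for `easy-day-js`, reports which package pulled it in, and flags whether npm recorded an install script for it. The sample lockfile and its version strings are constructed.

```javascript
// Added example: find the fake 'easy-day-js' dependency in an npm lockfile
// and report the package(s) that depend on it. Not the article's or Mastra's code.
const SUSPECT = "easy-day-js"; // dependency name reported in the article

// Scan a parsed lockfile object. Returns the entries that install SUSPECT
// and the entries whose declared dependencies pull it in.
function findSuspect(lock) {
  const installed = [];
  const dependents = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    // Exact trailing segment match, so a scoped "@x/easy-day-js" is not confused with it.
    if (pkgPath.endsWith("node_modules/" + SUSPECT)) {
      installed.push({
        path: pkgPath,
        version: entry.version,
        // npm sets hasInstallScript when the package declares (pre/post)install hooks,
        // which is how the article says the malware ran.
        hasInstallScript: Boolean(entry.hasInstallScript),
      });
    }
    const deps = { ...entry.dependencies, ...entry.optionalDependencies };
    if (SUSPECT in deps) {
      dependents.push({ path: pkgPath || "(root)", range: deps[SUSPECT] });
    }
  }
  return { installed, dependents };
}

// Read a package-lock.json from disk and scan it (assumed CommonJS/Node environment).
function scanLockfile(file) {
  const fs = require("fs");
  return findSuspect(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample lockfile: one @mastra package pulling in the fake dependency.
// Version strings are placeholders, not the compromised versions.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@mastra/core": "0.0.0-sample" } },
    "node_modules/@mastra/core": {
      version: "0.0.0-sample",
      dependencies: { "easy-day-js": "^1.0.0" },
    },
    "node_modules/easy-day-js": { version: "1.0.0", hasInstallScript: true },
  },
};

console.log(JSON.stringify(findSuspect(SAMPLE_LOCK), null, 2));
```

Run `scanLockfile("path/to/package-lock.json")` against each real project; any non-empty `installed` result means the affected versions were resolved and the rollback and credential-rotation steps above apply.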
