Mastra AI Framework Under Siege: The “easy-day-js” Typosquatting Attack That Poisoned 116 Packages + Video

By /

Listen to this Post

Featured Image

Introduction:

The JavaScript npm ecosystem has become a prime battleground for software supply chain attacks, and the latest victim is the Mastra AI framework—an open-source TypeScript ecosystem for building AI agents, workflows, and RAG pipelines. On June 17, 2026, threat actors executed a sophisticated multi-stage campaign: they published a typosquatted package named `easy-day-js` impersonating the legitimate `dayjs` library, then used compromised credentials to inject it as a dependency into 116 Mastra packages via an automated scripted sweep. This attack demonstrates how a single malicious package can cascade across an entire software ecosystem, turning trusted development environments into conduits for credential theft and backdoor deployment.

Learning Objectives:

  • Understand the mechanics of typosquatting attacks and npm postinstall hook abuse in software supply chain compromises
  • Learn to detect, analyze, and remediate malicious npm packages using real-world indicators of compromise (IoCs)
  • Implement practical defensive measures including dependency auditing, CI/CD pipeline hardening, and TLS validation enforcement

You Should Know:

  1. Anatomy of the Attack: From Typosquat to Worm‑Like Propagation

The attack unfolded in two carefully orchestrated stages designed to maximize reach while minimizing detection.

Stage 1: The Bait Package (June 16, 2026)

At 07:05 UTC, an npm user identified as `sergey2016` published [email protected]—a clean, fully functional copy of the legitimate `dayjs` library. The package metadata was meticulously cloned: it copied the author field (iamkun), homepage URL (`https://day.js.org`), repository links, keywords, and even the version numbering convention matching the real `[email protected]` lineage. This “bait” version contained no malicious code and was designed to pass any superficial security review.

Stage 2: The Poisoned Payload (June 17, 2026, 01:01–01:48 UTC)
At 01:01 UTC, the attacker published [email protected]—identical to the bait version except for the addition of a heavily obfuscated `setup.cjs` file and a `postinstall` hook in package.json. Eleven minutes later, using compromised credentials to the `@mastra` npm organization, the attacker began publishing new versions of Mastra packages—each adding `”easy-day-js”: “^1.11.21″` as a production dependency. Over the next 36 minutes, 13 Mastra packages were initially compromised, with the typosquatted dependency ultimately propagating to 116 packages across the ecosystem.

The `postinstall` hook triggers automatically when any developer runs `npm install` in a project containing an infected Mastra package. Upon execution, the obfuscated script performs the following actions:

  1. Disables TLS certificate validation, bypassing secure connection checks
  2. Fetches a second‑stage payload from `https://23.254.164.92:8000/update/49890878`
  3. Writes the payload to the system’s temporary directory
  4. Spawns it as a detached, hidden child process
  5. Self‑deletes the `setup.cjs` file to remove forensic evidence

Technical Analysis:

 Examine a package's postinstall hook before installation
npm view [email protected] scripts

Extract and inspect the package tarball without executing it
npm pack [email protected]
tar -xzf easy-day-js-1.11.22.tgz
cat package/package.json | grep -A 5 '"scripts"'

Check for suspicious postinstall scripts in your project
find node_modules -1ame "package.json" -exec grep -l '"postinstall"' {} \;

Windows PowerShell Detection:

 Search for packages with postinstall hooks
Get-ChildItem -Path .\node_modules -Filter package.json -Recurse | ForEach-Object {
$content = Get-Content $<em>.FullName -Raw | ConvertFrom-Json
if ($content.scripts.postinstall) {
Write-Host "Found postinstall in: $($</em>.FullName)" -ForegroundColor Yellow
Write-Host "Script: $($content.scripts.postinstall)" -ForegroundColor Red
}
}
  1. The Attack Surface: Why Mastra Was a Prime Target

Mastra is not just another npm framework—it is an AI development ecosystem that integrates with major LLM providers including OpenAI, Anthropic, and Google, managing persistent memory, Model Context Protocol (MCP) servers, and deploying AI workloads to cloud providers. This makes Mastra packages exceptionally valuable targets because they are commonly installed in:

  • Development environments with access to LLM API keys and cloud tokens
  • CI/CD pipelines that automate builds and deployments
  • Production AI services handling sensitive data and credentials

The attacker’s choice of `dayjs` as the typosquat target was deliberate—it is one of the most widely used date libraries in the npm ecosystem, with millions of weekly downloads. Developers typing `npm install easy-day-js` instead of `dayjs` would never suspect foul play, especially given the identical metadata and functionality.

Mitigation Commands:

 Audit all dependencies for known vulnerabilities
npm audit --production

Use npm's package provenance to verify authenticity
npm audit signatures

Block known malicious IPs at the network level (Linux)
sudo iptables -A OUTPUT -d 23.254.164.92 -j DROP

Windows Firewall rule to block C2 IP
New-1etFirewallRule -DisplayName "Block easy-day-js C2" -Direction Outbound -RemoteAddress 23.254.164.92 -Action Block

3. Detection and Incident Response: Identifying Compromised Environments

If your project uses Mastra packages, immediate investigation is critical. The compromised versions were published on June 17, 2026, between 01:12 UTC and 01:48 UTC. While npm has since removed the malicious packages, any environment that installed them during that window may be compromised.

Indicators of Compromise (IoCs):

  • Presence of `easy-day-js` in `package.json` or `node_modules`
    – Outbound connections to `23.254.164.92:8000`
    – Unexpected `setup.cjs` files in `node_modules/easy-day-js/`
    – Disabled TLS certificate validation in Node.js processes

Step‑by‑Step Remediation Guide:

1. Inventory and Identify:

 List all Mastra packages and their versions
npm list @mastra/ --depth=0

Check if easy-day-js is present
npm list easy-day-js

2. Quarantine Affected Systems:

  • Isolate any machine that ran `npm install` during the attack window
  • Revoke all API keys, cloud tokens, and credentials stored on those systems
  • Assume all secrets on compromised machines are exfiltrated

3. Remove Malicious Packages:

 Remove the malicious dependency
npm uninstall easy-day-js

Update all Mastra packages to the latest patched versions
npm update @mastra/

Clean npm cache to remove any cached malicious tarballs
npm cache clean --force

4. Verify No Persistence:

 Check for hidden processes (Linux)
ps aux | grep -i setup.cjs
ps aux | grep -i 49890878

Check temporary directory for dropped payloads
ls -la /tmp/ | grep -i update

Windows: Check temp and running processes
Get-Process | Where-Object {$<em>.Path -like "Temp"}
Get-ChildItem $env:TEMP -Recurse | Where-Object {$</em>.Name -like "update" -or $_.Name -like "49890878"}

5. Monitor Outbound Traffic:

 Linux: Monitor connections to the C2 IP
sudo tcpdump -i any host 23.254.164.92

Windows: Monitor with netstat
netstat -ano | findstr 23.254.164.92

4. CI/CD Pipeline Hardening: Preventing Supply Chain Attacks

CI/CD pipelines are particularly vulnerable to supply chain attacks because they often have elevated permissions and automated dependency installation. The Mastra attack could easily propagate through CI/CD systems that automatically install the latest dependencies.

Defensive Measures:

1. Lock Dependency Versions:

Use exact versions in `package.json` and commit `package-lock.json` or `pnpm-lock.yaml` to prevent automatic pulling of malicious versions:

{
"dependencies": {
"@mastra/core": "1.2.10",
"dayjs": "1.11.10"
}
}

2. Use npm Package Provenance:

 Enable provenance for your own packages
npm publish --provenance

Verify signatures of installed packages
npm audit signatures

3. Implement Dependency Scanning in CI:

 GitHub Actions example
- name: Scan for malicious packages
run: |
npm install -g @socketsecurity/cli
socket scan

4. Block Known Malicious Domains at Build Time:

 Add to CI pipeline script
echo "127.0.0.1 23.254.164.92" >> /etc/hosts

5. Use Private npm Registry with Allowlist:

 Configure npm to use a private registry that only allows approved packages
npm config set registry https://your-private-registry.com/
  1. The Bigger Picture: Typosquatting as a Persistent Threat

Typosquatting—registering package names that closely resemble popular libraries—remains one of the most effective and低成本 supply chain attack vectors. Attackers research popular packages and identify common typing mistakes based on keyboard layouts, phonetic similarities, and character transpositions.

The `easy-day-js` campaign demonstrates how attackers have evolved beyond simple typosquatting into coordinated ecosystem compromises:
– Pre‑attack reconnaissance: The bait version was published 24 hours before the main attack to establish credibility
– Automated propagation: A scripted sweep added the malicious dependency to 116 packages simultaneously
– Post‑attack stealth: Self‑deleting payloads and TLS disablement complicate forensic analysis

Preventive Checklist:

  • [ ] Use `npm install –ignore-scripts` when installing untrusted packages
  • [ ] Regularly audit dependencies with tools like npm audit, Socket, or `Snyk`
    – [ ] Implement package allowlisting in your organization
  • [ ] Train developers to verify package names before installation
  • [ ] Monitor outbound network connections from build environments
  • [ ] Use subresource integrity (SRI) for CDN‑loaded assets

6. API Security and Threat Intelligence Integration

The OpenSourceMalware platform provides a RESTful API that enables programmatic access to community‑driven threat intelligence, allowing organizations to automate detection of malicious packages.

API Integration Example:

 Query the OpenSourceMalware API for threat intelligence
curl -X GET "https://api.opensourcemalware.com/functions/v1/check" \
-H "Authorization: Bearer osm_your_token_here" \
-H "Content-Type: application/json" \
-d '{
"ecosystem": "npm",
"package_name": "easy-day-js",
"version": "1.11.22"
}'

Expected Response:

{
"malicious": true,
"report_type": "package",
"resource_identifier": "easy-day-js",
"ecosystem": "npm",
"threat_count": 1,
"details": {
"status": "verified",
"severity_level": "critical",
"description": "Typosquat package with postinstall backdoor",
"tags": ["supply-chain", "typosquat", "infostealer"],
"first_seen": "2026-06-17T01:01:00Z"
}
}

Automated CI/CD Integration:

 GitHub Actions workflow to check new dependencies
name: Dependency Security Check
on:
pull_request:
paths:
- 'package.json'
- 'pnpm-lock.yaml'

jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check new dependencies against threat feed
run: |
npm install -g json
NEW_PACKAGES=$(git diff main -- package.json | grep '"+' | grep -v 'json' | sed 's/."(.)":./\1/')
for pkg in $NEW_PACKAGES; do
curl -s "https://api.opensourcemalware.com/functions/v1/check?ecosystem=npm&package=$pkg" \
-H "Authorization: Bearer ${{ secrets.OSM_API_TOKEN }}" \
| jq -e '.malicious == true' && exit 1
done

What Undercode Say:

  • Typosquatting remains a devastatingly effective attack vector: The `easy-day-js` campaign shows that even sophisticated AI development frameworks are vulnerable when attackers invest in credible bait packages and automated propagation. The identical metadata and clean first version made this package nearly impossible to detect through conventional means.
  • The Mastra attack is a wake‑up call for AI‑focused development teams: AI frameworks handle some of the most sensitive credentials in modern infrastructure—LLM API keys, cloud tokens, and proprietary training data. A successful supply chain attack on these ecosystems doesn’t just compromise code; it compromises the AI models and data pipelines that organizations are building their competitive advantage around.
  • Defense requires a multi‑layered approach: No single control would have prevented this attack. Organizations need dependency scanning, network monitoring, CI/CD hardening, developer training, and real‑time threat intelligence integration. The OpenSourceMalware API represents the kind of community‑driven intelligence sharing that can help detect threats before they cascade across the ecosystem.
  • The attack timeline reveals meticulous planning: The 24‑hour gap between the clean bait version and the poisoned payload, combined with the 36‑minute window to compromise 116 packages, indicates a well‑resourced adversary with deep understanding of npm’s ecosystem dynamics. This is not opportunistic hacking—it is strategic, coordinated supply chain warfare.
  • Self‑deleting payloads are the new normal: The fact that the malicious `setup.cjs` file deletes itself after execution means traditional file‑based detection is insufficient. Security teams must monitor process execution, network connections, and behavioral anomalies rather than relying solely on static file signatures.

Prediction:

  • -1 Ecosystem‑wide worm propagation will become standard: The Mastra attack demonstrates how a single typosquatted package can be scripted to infect hundreds of downstream packages in under an hour. Future attacks will likely incorporate self‑propagation mechanisms that automatically infect other maintainer accounts, turning isolated compromises into ecosystem‑wide pandemics.
  • -1 AI development frameworks will be primary targets: As organizations race to integrate AI capabilities, the frameworks powering these systems (Mastra, LangChain, LlamaIndex) will become increasingly attractive targets. Attackers will prioritize ecosystems that handle LLM API keys and cloud credentials—the new crown jewels of the digital economy.
  • +1 Community‑driven threat intelligence will become indispensable: The rapid response by Endor Labs, StepSecurity, and the OpenSourceMalware community demonstrates the power of collaborative defense. Organizations that integrate real‑time threat feeds into their CI/CD pipelines will have a significant advantage over those relying solely on reactive vulnerability scanning.
  • +1 Zero‑trust dependency management will emerge as an industry standard: The Mastra attack will accelerate adoption of practices like package provenance verification, dependency allowlisting, and automated behavioral analysis of postinstall scripts. npm and other package managers will likely introduce stricter controls on lifecycle hooks and mandatory provenance for popular packages.

▶️ Related Video (82% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: The Mastra – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: