Mastra
#Mastra • 2026-06
Mastra was hit by a June 2026 npm supply-chain compromise in which a hijacked or stale maintainer account republished more than 140 Mastra ecosystem packages with a malicious dependency on the typosquatted easy-day-js package. The easy-day-js postinstall loader disabled TLS validation, fetched a second-stage Node.js payload, established cross-platform persistence, and targeted browser data, cryptocurrency wallet extensions, credentials, developer workstations, and CI/build environments. Microsoft attributed the activity to Sapphire Sleet with high confidence, while other vendors noted strong overlap with prior DPRK-linked npm tradecraft and advised treating affected hosts as compromised, rotating credentials, and rebuilding from clean package versions.
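A defender-side check for the dependency described above, as an added example that is not part of the original report: it scans an npm lockfile (assuming the v2/v3 `packages` map) for entries that install or declare a dependency on easy-day-js. The sample lockfile, the `@example/agent-kit` name, and all versions are constructed placeholders.

```javascript
// Added example: flag lockfile entries that pull in a known-bad package.
const BAD_PACKAGE = "easy-day-js"; // package name taken from the report

// Lockfile keys look like "node_modules/a/node_modules/b"; the package
// name is whatever follows the last "node_modules/" segment.
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

function scanLock(lock, bad = BAD_PACKAGE) {
  const installed = [];  // copies of the bad package resolved into the tree
  const dependents = []; // packages that declare it as a dependency
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path === "" ? (meta.name || "(root)") : nameFromPath(path);
    if (name === bad) {
      installed.push({ path, version: meta.version,
                       hasInstallScript: meta.hasInstallScript === true });
    }
    for (const field of ["dependencies", "optionalDependencies", "peerDependencies"]) {
      const deps = meta[field] || {};
      if (Object.prototype.hasOwnProperty.call(deps, bad)) {
        dependents.push({ name, version: meta.version, field, range: deps[bad] });
      }
    }
  }
  return { installed, dependents, affected: installed.length + dependents.length > 0 };
}

// Constructed sample: one placeholder package depends on the bad package,
// which is nested under it and carries an install script.
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@example/agent-kit": "^0.0.0" } },
    "node_modules/@example/agent-kit": {
      version: "0.0.0-constructed", dependencies: { "easy-day-js": "^0.0.0" } },
    "node_modules/@example/agent-kit/node_modules/easy-day-js": {
      version: "0.0.0-constructed", hasInstallScript: true },
    "node_modules/dayjs": { version: "0.0.0-constructed" },
  },
};

console.log(JSON.stringify(scanLock(SAMPLE_LOCK), null, 2));
```

A clean result only describes the current lockfile; it does not show that an earlier install on the same host never ran the postinstall loader.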
Related Reports: 9
Affected Countries: 1
Months Since: 0