140+ Mastra npm Packages Compromised in Coordinated Supply Chain Attack

2026-06-17 Socket

https://socket.dev/blog/mastra-npm-packages-compromised


A compromised Mastra npm release wave added the typosquatted dependency `easy-day-js`, whose `postinstall` hook executed during dependency installation and pulled a second-stage Node.js implant from attacker-controlled infrastructure. The implant installed persistence across Windows, macOS, and Linux, collected browser history and cryptocurrency wallet extension inventory, and supported operator-delivered Node or shell tasking. Socket reported 141 affected `@mastra/*` packages, including high-download packages such as `@mastra/core`, making developer workstations, CI runners, and build systems that installed affected versions potential compromise points. Remediation centers on treating affected hosts as compromised, removing persistence and package artifacts, clearing caches, rebuilding from clean environments, and rotating developer and CI/CD credentials.
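As a triage aid for the install path described above, the following added example (not code from Socket or Mastra) audits a parsed npm `package-lock.json` for `easy-day-js`, the packages that declare it as a dependency, and every package flagged with an install script. It assumes lockfileVersion 2 or 3 (the `packages` map); the sample lockfile, its project name and its version strings are constructed placeholders, not affected versions from the report.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
const SUSPECT = 'easy-day-js'; // dependency name taken from the report

// Package name from a lockfile path key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

function auditLockfile(lock) {
  const report = { installed: [], dependents: [], installScripts: [] };
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = key === '' ? (meta.name || '(root)') : nameFromKey(key);
    // 1. The suspect package itself is present in the resolved tree.
    if (name === SUSPECT) {
      report.installed.push({ path: key, version: meta.version });
    }
    // 2. Packages that pull it in, so the compromised parent can be identified.
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (Object.prototype.hasOwnProperty.call(deps, SUSPECT)) {
      report.dependents.push(name);
    }
    // 3. Anything npm marked as running preinstall/install/postinstall scripts.
    if (meta.hasInstallScript === true) {
      report.installScripts.push(name);
    }
  }
  return report;
}

// Constructed sample lockfile; versions are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@mastra/core': '0.0.0-example' } },
    'node_modules/@mastra/core': {
      version: '0.0.0-example',
      dependencies: { 'easy-day-js': '0.0.0-example' },
    },
    'node_modules/easy-day-js': { version: '0.0.0-example', hasInstallScript: true },
    'node_modules/dayjs': { version: '0.0.0-example' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` to `auditLockfile`. A non-empty `installed` list on a host that already ran the install means the `postinstall` hook had the chance to execute, so the host falls under the remediation steps above rather than a simple dependency removal.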

Indicators of Compromise

