A Forgotten Contributor Account Compromised the Entire Mastra npm Package Scope

2026-06-16 Snyk

https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/


A stale former contributor npm account was used to republish the Mastra npm scope with a malicious `easy-day-js` dependency that executed at install time. The dropper disabled TLS validation, fetched a second-stage payload from a raw IP, and installed a cross-platform cryptocurrency wallet stealer and RAT with persistence on macOS, Linux, and Windows. Snyk observed similarities to the earlier Axios npm compromise attributed to Sapphire Sleet/BlueNoroff, but stated that attribution for the Mastra incident itself is unconfirmed. Affected users are advised to treat installs during the June 17, 2026 exposure window as host-compromise events, rotate credentials, check for persistence artifacts, and upgrade to clean Mastra releases.
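One way to check whether a project resolved the malicious dependency named above is to scan its `package-lock.json` for `easy-day-js`, both as an installed package and as a dependency declared by another package. This is an added example, not code from Snyk or Mastra; only the name `easy-day-js` comes from the report, and the sample lockfile, including `@mastra/example-pkg` and all versions, is constructed.

```javascript
// Added example. Only the name "easy-day-js" comes from the report; every other
// package name and version below is a constructed placeholder.
const MALICIOUS = "easy-day-js";
const DEP_FIELDS = ["dependencies", "optionalDependencies", "peerDependencies", "devDependencies"];

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root project key "" stays "".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Returns one record per place the target is installed or declared as a dependency.
function findMaliciousDependency(lock, target = MALICIOUS) {
  const hits = [];
  const declares = (map) => Boolean(map) && Object.keys(map).includes(target);

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (name === target) hits.push({ kind: "installed", name, version: entry.version, path });
    if (DEP_FIELDS.some((f) => declares(entry[f]))) {
      hits.push({ kind: "declares", name: name || "(root project)", version: entry.version, path });
    }
  }

  // lockfileVersion 1: nested "dependencies" tree, edges listed under "requires".
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = [...trail, name].join(" > ");
      if (name === target) hits.push({ kind: "installed", name, version: entry.version, path });
      if (declares(entry.requires)) hits.push({ kind: "declares", name, version: entry.version, path });
      walk(entry.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { "@mastra/example-pkg": "^0.0.0" } },
    "node_modules/@mastra/example-pkg": { version: "0.0.0-constructed", dependencies: { [MALICIOUS]: "^1.0.0" } },
    "node_modules/easy-day-js": { version: "0.0.0-constructed" },
    "node_modules/dayjs": { version: "0.0.0-constructed" },
  },
};

for (const h of findMaliciousDependency(SAMPLE_LOCK)) console.log(`${h.kind}: ${h.name}@${h.version} (${h.path})`);
```

To scan a real project, pass the parsed contents of its `package-lock.json` as `lock`. A hit shows the dependency was resolved into the tree, not that the install script ran on a particular host.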

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | c18fd75526533dfc90e91e2fb80effaf | 2026-06-20 | 2026-06-20 |
| EMAIL | [email protected] | 2026-06-20 | 2026-06-20 |
| URL | https://23.254.164.92:8000/upda… | 2026-06-20 | 2026-06-20 |
| IPv4 | 23.254.164.123 | 2026-06-20 | 2026-06-20 |
| IPv4 | 23.254.164.92 | 2026-06-20 | 2026-06-20 |
