easy-day-js: Supply Chain Campaign Targets Mastra npm Packages

2026-06-17 JFrog

https://research.jfrog.com/post/easy-day-js/


A malicious npm dependency, easy-day-js, was added to 143 Mastra packages as a production dependency. Because those packages declared it with a caret version range, fresh installs that had previously resolved a clean decoy version silently moved to the weaponized [email protected]. Its obfuscated postinstall loader disabled TLS validation, downloaded a second-stage Node.js payload from attacker-controlled infrastructure, launched it as a detached process, and deleted itself. The second stage inventoried the host, running processes, browser history, installed applications and wallet browser extensions, then accepted C2 commands to execute arbitrary follow-on modules. JFrog also documented cross-platform persistence artifacts placed under Node-themed paths, and advised treating any affected developer or CI system as compromised and rotating every credential exposed on it.
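The two defender-relevant mechanics in that summary are the caret range (which is why a clean decoy release could be swapped for a weaponized one without any change to the depending package) and the postinstall hook (which is where execution happens). The following Node.js script is an added example, not JFrog's tooling or anything from the Mastra project: it implements npm's caret-range semantics to show which release a range resolves to, and audits a lockfileVersion 2/3 package-lock.json object for the easy-day-js package and for any package npm flagged with hasInstallScript (the field npm records when a package declares preinstall/install/postinstall scripts). The lockfile and the version numbers 1.0.0/1.0.1 are constructed for the demo; only the package name comes from the report.

```javascript
// Added example (not JFrog's or Mastra's code). Demonstrates caret-range
// resolution and a lockfile audit for the easy-day-js dependency.
// Lockfile contents and version numbers below are constructed placeholders.

const MALICIOUS_PACKAGE = "easy-day-js"; // name from the JFrog report

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are not handled here).
function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Caret semantics as npm applies them:
//   ^1.2.3 allows >=1.2.3 <2.0.0
//   ^0.2.3 allows >=0.2.3 <0.3.0
//   ^0.0.3 allows only 0.0.3
// A plain version string is treated as an exact pin.
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) return range === version;
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  // First non-zero component difference decides whether version < base.
  const diffs = [v.major - base.major, v.minor - base.minor, v.patch - base.patch];
  const first = diffs.find((d) => d !== 0);
  if (first !== undefined && first < 0) return false;
  if (base.major > 0) return v.major === base.major;
  if (base.minor > 0) return v.major === 0 && v.minor === base.minor;
  return v.major === 0 && v.minor === 0 && v.patch === base.patch;
}

// Pick the newest published version that satisfies the range, as npm does
// on a fresh install with no lockfile pinning the dependency.
function highestMatching(range, published) {
  const ok = published.filter((v) => caretSatisfies(range, v)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// Audit a package-lock.json (lockfileVersion 2 or 3) object. Reports every
// install of the malicious package and every package that declares an
// install script, since a postinstall loader is the execution point here.
function auditLockfile(lock) {
  const findings = { malicious: [], installScripts: [] };
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "") continue; // the root project entry
    const name = entry.name ?? path.slice(path.lastIndexOf(marker) + marker.length);
    if (name === MALICIOUS_PACKAGE) {
      findings.malicious.push({ path, version: entry.version });
    }
    if (entry.hasInstallScript) {
      findings.installScripts.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample: a project depending on a Mastra package that in turn
// declares easy-day-js with a caret range. 1.0.0 is the decoy, 1.0.1 the
// weaponized release (placeholder numbers, not the real ones).
const PUBLISHED_VERSIONS = ["1.0.0", "1.0.1"];
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@mastra/core": "^0.1.0" } },
    "node_modules/@mastra/core": {
      version: "0.1.0",
      dependencies: { "easy-day-js": "^1.0.0" },
    },
    "node_modules/easy-day-js": { version: "1.0.1", hasInstallScript: true },
  },
};

function main() {
  console.log("^1.0.0 resolves to", highestMatching("^1.0.0", PUBLISHED_VERSIONS));
  console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
}
main();
```

To run this against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; any hit in `findings.malicious` means the host should be handled as the report advises, and the `installScripts` list is worth reviewing in any case, since install hooks are the first place a loader of this kind runs.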

Indicators of Compromise

Type   Value                               First Seen   Last Seen
URL    https://23.254.164.123:443/4989…    2026-06-20   2026-06-20
URL    https://23.254.164.92:8000/upda…    2026-06-20   2026-06-20
IPv4   23.254.164.123                      2026-06-20   2026-06-20
IPv4   23.254.164.92                       2026-06-20   2026-06-20
