Mastra Attack Targets Crypto, Password Managers, Authenticators, and Zapier

2026-06-18 OSM

https://opensourcemalware.com/blog/mastra-npm-malware


A compromised dormant maintainer account republished more than 140 Mastra npm packages with a malicious dependency on `easy-day-js`, a clean-then-armed typosquat that installed a two-stage JavaScript backdoor. The payload stole browser history and data from 166 crypto wallet, password-manager, authenticator, and Zapier extensions, then provided cross-platform persistence, beaconing, fallback DGA domains, and remote code execution. The author found strong overlap with the Axios npm compromise that Microsoft attributed to Lazarus Group, including Hostwinds infrastructure, postinstall delivery, disabled TLS validation, self-deletion, and crypto-focused theft, but cautioned that Mastra attribution remains unconfirmed.
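A lockfile check for the `easy-day-js` dependency described above, as an added example that is not part of the original report. The sample lockfile, its package names (`@example/agent-kit`, `demo-app`) and all versions are constructed placeholders; only the `easy-day-js` name comes from the report.

```javascript
// Added example. SAMPLE_LOCK is constructed; its package names and versions are placeholders.
const TARGET = "easy-day-js"; // malicious dependency named in the report
const DECLARED = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const has = (obj, key) => !!obj && Object.prototype.hasOwnProperty.call(obj, key);
// "node_modules/a/node_modules/@s/b" -> "@s/b"; "" (the root project) -> ""
const nameFromPath = (p) => p.split("node_modules/").pop();

// Accepts a parsed package-lock.json (lockfileVersion 1, 2 or 3).
function scanLock(lock, target = TARGET) {
  const installed = [];  // where the target itself is installed
  const dependents = []; // packages that declare the target as a dependency

  // v2/v3: flat "packages" map keyed by install path, declared ranges per entry
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path) || lock.name || "(root)";
    if (name === target) installed.push({ path, version: entry.version });
    for (const field of DECLARED) {
      if (has(entry[field], target)) {
        dependents.push({ name, version: entry.version, field, range: entry[field][target] });
      }
    }
  }

  // v1: nested "dependencies" tree; "requires" holds the declared ranges
  const walkV1 = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...trail, name];
      if (name === target) installed.push({ path: here.join(" > "), version: entry.version });
      if (has(entry.requires, target)) {
        dependents.push({ name, version: entry.version, field: "requires", range: entry.requires[target] });
      }
      walkV1(entry.dependencies, here);
    }
  };
  if (!lock.packages) walkV1(lock.dependencies, []);
  return { installed, dependents };
}

const SAMPLE_LOCK = { // constructed
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { "@example/agent-kit": "^2.0.0", dayjs: "^1.11.0" } },
    "node_modules/@example/agent-kit": { version: "2.0.1", dependencies: { "easy-day-js": "^1.0.0" } },
    "node_modules/dayjs": { version: "1.11.13" }, // exact-name match only: not flagged
    "node_modules/easy-day-js": { version: "1.0.3" },
  },
};
console.log(JSON.stringify(scanLock(SAMPLE_LOCK), null, 2));
```

To check a project, pass `JSON.parse` of its `package-lock.json` contents to `scanLock`; a non-empty `installed` or `dependents` array means the lockfile resolves the dependency.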

Indicators of Compromise

