Mastra npm Scope Takeover: 143 Packages Drop a RAT
2026-06-17 • SafeDep
https://safedep.io/mastra-npm-scope-takeover-supply-chain-attack/
An attacker reused a dormant former Mastra contributor npm account to republish 143 @mastra packages on June 17, 2026, adding a dependency on easy-day-js that resolved to a malicious postinstall version. The dropper fetched a second-stage Node RAT from Hostwinds infrastructure, installed persistence across macOS, Linux, and Windows, and targeted browser profiles for cryptocurrency wallet extensions and other host data. SafeDep did not confirm attribution, but noted close tradecraft overlap with the Axios npm compromise attributed by Microsoft to Sapphire Sleet.
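A lockfile check for the dependency chain described above, added here as an example and not taken from SafeDep's report: it flags any resolved `easy-day-js` entry and any `@mastra` package that declares it as a dependency. The sample lockfile, the `@mastra` package names in it, and all versions are constructed placeholders; `hasInstallScript` is the flag npm records in v2/v3 lockfiles.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for the
// dependency chain described in the summary. All sample data is constructed.
const SUSPECT_DEP = "easy-day-js"; // dependency named in the report
const SCOPE = "@mastra/";          // affected scope named in the report

// Turn a lockfile key such as "node_modules/a/node_modules/@s/b" into "@s/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = nameFromPath(path);
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (name === SUSPECT_DEP) {
      // The suspect package is resolved in the tree; note whether npm
      // recorded an install-time script for it.
      findings.push({ kind: "suspect-installed", name, version: meta.version,
        hasInstallScript: meta.hasInstallScript === true });
    } else if (name.startsWith(SCOPE) && SUSPECT_DEP in deps) {
      // A scoped package declares the suspect dependency.
      findings.push({ kind: "scope-pulls-suspect", name, version: meta.version,
        range: deps[SUSPECT_DEP] });
    }
  }
  return findings;
}

// Constructed sample: @mastra package names and every version are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@mastra/example-pkg": { version: "0.0.0-placeholder",
      dependencies: { "easy-day-js": "^0.0.0" } },
    "node_modules/@mastra/other-pkg": { version: "0.0.0-placeholder",
      dependencies: { "left-pad": "^1.3.0" } },
    "node_modules/easy-day-js": { version: "0.0.0-placeholder",
      hasInstallScript: true },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

function runSample() { return auditLockfile(sampleLock); }
console.log(runSample());
```

To check a real project, pass the parsed contents of its `package-lock.json` to `auditLockfile`; any finding means the tree should be treated as exposed until the resolved versions are reviewed.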