Mastra npm Supply Chain Attack: 140+ Packages Backdoored via easy-day-js Typosquat
2026-06-17 • StepSecurity
https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js
An attacker compromised the @mastra npm organization and republished more than 140 Mastra ecosystem packages with a dependency on the typosquatted `easy-day-js` package. The malicious `[email protected]` release used a postinstall dropper to disable TLS validation, download a second-stage payload from `23.254.164.92:8000`, run it in the background with `23.254.164.123:443` as C2, and delete its own dropper file. StepSecurity observed the behavior in a controlled GitHub Actions run and blocked the stage-two download with Harden Runner, preventing follow-on execution and likely credential exfiltration from developer or CI environments.
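A practical first step for anyone who installed Mastra packages during the affected window is to triage the lockfile rather than trust `npm audit` alone. The script below is an added example, not StepSecurity's tooling or anything from the advisory: it walks the `packages` map of an npm lockfile (v2/v3 format) and reports any resolved `easy-day-js` entry, every package that declares it as a dependency, and every package npm has flagged with `hasInstallScript`, since the dropper in this incident ran from a postinstall hook. The embedded lockfile is constructed for the demonstration, and the `1.0.0` version string in it is a placeholder, not the malicious release's real version.

```python
"""Lockfile triage for the easy-day-js compromise (added example).

Walks an npm lockfile v2/v3 `packages` map and reports:
  (a) any resolved `easy-day-js` entry,
  (b) any package that depends on it (direct, optional or peer), and
  (c) any package npm marks with `hasInstallScript`, since the dropper
      in this incident ran from a postinstall hook.
"""
import json

# Package name taken from the advisory. The lockfile below is constructed
# for the demo; "1.0.0" is a placeholder, not the real malicious version.
MALICIOUS_PACKAGE = "easy-day-js"

SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"@mastra/core": "^1.0.0"}},
    "node_modules/@mastra/core": {
      "version": "1.0.0",
      "dependencies": {"easy-day-js": "^1.0.0", "zod": "^3.0.0"}
    },
    "node_modules/easy-day-js": {
      "version": "1.0.0",
      "hasInstallScript": true
    },
    "node_modules/zod": {"version": "3.22.0"}
  }
}
""")


def package_name(path: str) -> str:
    """Map a lockfile path like node_modules/a/node_modules/@s/b to '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def triage_lockfile(lock: dict) -> dict:
    """Return the three finding lists described in the module docstring."""
    findings = {"malicious": [], "dependents": [], "install_scripts": []}
    for path, meta in lock.get("packages", {}).items():
        # The "" key is the root project itself, not an installed package.
        name = lock.get("name", "<root>") if path == "" else package_name(path)
        version = meta.get("version", "?")
        label = f"{name}@{version}"
        if name == MALICIOUS_PACKAGE:
            findings["malicious"].append(label)
        deps = {}
        for key in ("dependencies", "optionalDependencies", "peerDependencies"):
            deps.update(meta.get(key, {}))
        if MALICIOUS_PACKAGE in deps:
            findings["dependents"].append(label)
        if meta.get("hasInstallScript"):
            findings["install_scripts"].append(label)
    return findings


def is_compromised(findings: dict) -> bool:
    """True when the malicious package is present or pulled in by anything."""
    return bool(findings["malicious"] or findings["dependents"])


if __name__ == "__main__":
    result = triage_lockfile(SAMPLE_LOCK)
    for kind, items in result.items():
        print(f"{kind}: {items}")
    print("COMPROMISED" if is_compromised(result) else "clean")
```

Point it at a real `package-lock.json` by replacing `SAMPLE_LOCK` with `json.load(open(path))`. The `install_scripts` list is worth reviewing even when the first two lists are empty: a lockfile that gained a new install-script package around the dates in the IoC table deserves the same scrutiny. On an already-installed tree, `npm ls easy-day-js` gives a quicker answer to the first two questions but says nothing about install scripts.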
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://23.254.164.92:8000/upda… | 2026-06-16 | 2026-06-18 |
| IPv4 | 23.254.164.123 | 2026-06-16 | 2026-06-18 |
| IPv4 | 23.254.164.92 | 2026-06-16 | 2026-06-18 |
| Package | [email protected] | 2026-06-17 | 2026-06-17 |