BotBeat

Mastra | OPEN SOURCE | 2026-06-17

Mastra npm Supply Chain Attack Compromises 140+ AI Framework Packages

Key Takeaways

  • 140+ Mastra npm packages compromised via typosquatted easy-day-js dependency with 1.1M+ weekly downloads affected
  • Malicious postinstall hook downloads obfuscated second-stage payload that targets LLM API keys, cloud credentials, and CI/CD secrets
  • Attack used two-stage approach: clean version published first for credibility, followed by malicious version with caret-pinned dependency for automatic updates

Source: Hacker News, https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js

Summary

On June 17, 2026, attackers compromised the @mastra npm organization and injected a malicious dependency called easy-day-js across 140+ packages in the Mastra AI framework ecosystem. The easy-day-js package is a typosquat of the legitimate dayjs date library; to evade detection, it was first published as a clean version, and a postinstall dropper payload was added afterwards. The attack targeted environments containing highly sensitive credentials, including LLM API keys (OpenAI, Anthropic, Google), cloud provider access keys, database connection strings, and CI/CD secrets.

The attack unfolded in stages: on June 16, a clean version of easy-day-js (1.11.21) was published to establish credibility; then, on June 17, version 1.11.22 was released containing an obfuscated postinstall hook that downloads and executes a second-stage payload from attacker-controlled servers. Because the dependency was declared with a caret version specifier (^1.11.21), npm automatically resolved to the malicious version during installations, and no further changes to the affected @mastra packages were required. The Mastra organization credentials were compromised around 01:12 UTC, and the attacker mass-published updates across 140+ packages within roughly 87 minutes.
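To check a project for the resolution behaviour described above, the following added example (not from the original article or from Mastra) scans the `packages` map of a package-lock.json for an installed easy-day-js and for dependents whose declared range admits 1.11.22. The lockfile contents, the `@mastra/example-pkg` name, and the function names are constructed for illustration; the caret matcher is simplified to majors of 1 or higher without pre-release tags.

```javascript
// Added example. Only easy-day-js, 1.11.21, 1.11.22 and ^1.11.21 come from the article.
const BAD = { name: "easy-day-js", versions: ["1.11.22"] };

// Simplified caret check (assumption: major >= 1, no pre-release tags):
// ^X.Y.Z admits any version >= X.Y.Z and < (X+1).0.0.
function caretAdmits(range, version) {
  if (!range.startsWith("^")) return range === version; // exact pin
  const [rM, rm, rp] = range.slice(1).split(".").map(Number);
  const [vM, vm, vp] = version.split(".").map(Number);
  if (vM !== rM) return false;
  return vm > rm || (vm === rm && vp >= rp);
}

// Walk a lockfile (v2/v3 "packages" map) and report exposure.
function auditLock(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Installed copy: lockfile keys end in node_modules/<name>.
    if (path.endsWith("node_modules/" + BAD.name)) {
      const bad = BAD.versions.includes(pkg.version);
      findings.push({
        kind: bad ? "malicious-installed" : "installed",
        path, version: pkg.version,
        hasInstallScript: pkg.hasInstallScript === true, // lifecycle script present
      });
    }
    // Dependent whose declared range lets npm pick the malicious release.
    const range = (pkg.dependencies || {})[BAD.name];
    if (range && BAD.versions.some((v) => caretAdmits(range, v))) {
      findings.push({ kind: "range-admits-malicious", path, range });
    }
  }
  return findings;
}

// Constructed sample lockfile; package names other than easy-day-js are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@mastra/example-pkg": "^1.0.0" } },
    "node_modules/@mastra/example-pkg": {
      version: "1.0.1", dependencies: { "easy-day-js": "^1.11.21" },
    },
    "node_modules/easy-day-js": { version: "1.11.22", hasInstallScript: true },
    "node_modules/dayjs": { version: "1.11.13" },
  },
};

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

Against a real project, pass the parsed package-lock.json to `auditLock`. A `range-admits-malicious` finding without `malicious-installed` means the lockfile currently holds a different version, but a fresh resolve could select 1.11.22.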

The attack affected packages with a combined weekly download count exceeding 1.1 million, making this a high-impact supply chain incident. Mastra is a rapidly growing open-source TypeScript framework for building AI agents, multi-step workflows, and RAG pipelines with integrations for major LLM providers and cloud deployment targets. The ecosystem's role in AI development infrastructure made it an exceptionally high-value target, as compromised installations would have direct access to the most sensitive credentials in modern software development.

The issue was responsibly disclosed to the Mastra team via GitHub issue #18045, with the attack noted as ongoing at the time of disclosure as additional packages continued to be compromised.

  • Mastra npm organization credentials compromised, allowing mass package updates across ecosystem in under 90 minutes
  • Supply chain attack highlights critical risk to AI development infrastructure where LLM and cloud provider credentials are routinely stored

Editorial Opinion

This supply chain attack on the Mastra ecosystem represents a sobering reminder that open-source AI infrastructure sits at an exceptionally high-value intersection of development and deployment secrets. The sophistication of the attack—using a credible bait package, version pinning to ensure automatic propagation, and obfuscation to evade detection—demonstrates that supply chain attackers are now directly targeting AI framework ecosystems. For any organization running Mastra packages installed on June 17, 2026 or after, this should trigger immediate security incident response: assume credential compromise and rotate all API keys, cloud provider credentials, and CI/CD tokens. This incident underscores the urgent need for cryptographic package signing, runtime integrity monitoring, and zero-trust assumptions around open-source dependency resolution in AI development workflows.
