{
  "title": "Mastra npm Supply Chain Attack",
  "summary": "On 2026-06-17, public reporting described a compromise of the @mastra package scope that pushed easy-day-js as a malicious dependency across 140+ packages and executed a setup.cjs postinstall dropper, exposing more than 1.1 million weekly downloads to second-stage credential theft and remote code execution.",
  "date": "2026-06-17",
  "severity": "critical",
  "tags": [
    "npm",
    "supply-chain",
    "typosquatting",
    "postinstall",
    "credential-theft",
    "mastra"
  ],
  "sources_count": 4,
  "indicators": {
    "slug": "mastra-npm-supply-chain-attack",
    "since": "2026-06-17T00:00:00Z",
    "until": "2026-06-17T23:59:59Z",
    "ecosystem": "",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [],
    "versions": [],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [],
    "paths": [],
    "services": [],
    "domains": [
      "setup.cjs",
      "yarn.lock",
      "bun.lock"
    ],
    "urls": [
      "https://23.254.164.92:8000/update/49890878"
    ],
    "ips": [
      "23.254.164.92",
      "23.254.164.123"
    ],
    "hashes": [
      "221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf"
    ],
    "processPatterns": [],
    "networkPatterns": [],
    "telemetrySelectors": []
  }
}