Feed
CriticalPublished 17 Jun 2026Updated 21 Jun 202617 packages · 17 versions

Mastra AI npm scope takeover via `easy-day-js` typosquat dropper

Summary

On 2026-06-17 between ~01:12 and 02:36 UTC, the dormant ehindero contributor account — never revoked from the @mastra scope — was used to mass-publish ~144 trojanised @mastra/* releases plus mastra and create-mastra, each declaring a new easy-day-js dependency whose postinstall hook drops a cross-platform crypto-wallet stealer / RAT. Microsoft attributes the activity to Sapphire Sleet (BlueNoroff) with high confidence; combined exposure ~1.1M weekly downloads.

account-takeovertyposquatinfostealercrypto-wallet-draincredential-theftobfuscationdormant-domain
Threat actor
Sapphire Sleet (BlueNoroff)
Detected by
Socket · Microsoft · JFrog · Snyk · StepSecurity · Mend · Aikido · Phoenix Security · SafeDep · OX Security · Endor Labs
Also known as
easy-day-js campaign · Mastra scope takeover
Ecosystems
npm
Packages tracked
17

What happened

Between 01:12 and 02:36 UTC on 2026-06-17 (18:12–19:36 PT 2026-06-16), an attacker logged into the dormant npm account ehindero — a legitimate former Mastra contributor whose owner permissions on the @mastra scope had never been revoked — and mass-published trojanised versions of ~144 packages across the namespace. The account had been inactive for ~16 months and the publish email had been quietly switched from a gmail.com address to a tutamail.com one, consistent with a credential takeover followed by email substitution.

The code inside each @mastra/* tarball was byte-for-byte identical to its clean predecessor save for a single added production dependency: easy-day-js. That package, a dayjs typosquat published a day earlier (2026-06-16 07:05 UTC) by an unrelated account sergey2016, shipped a clean 1.11.21 release as bait, then a weaponised 1.11.22 carrying an obfuscated postinstall hook (setup.cjs). Because every affected @mastra/* package declared the dependency as ^1.11.21, fresh installs resolved to the malicious 1.11.22 and ran the dropper automatically.

The loader disables TLS certificate verification, fetches a second-stage payload from 23.254.164.92:8000/update/49890878, executes it as a detached background process pointing at C2 23.254.164.123:443, then deletes itself. The second stage is a cross-platform information stealer plus remote-access trojan: it harvests browser history and the stored data of >160 cryptocurrency wallet browser extensions (MetaMask, Phantom, Coinbase Wallet, Solflare, OKX, Keplr, ...), installs persistence on Windows / macOS / Linux, and exfiltrates to the operators' C2. Microsoft Threat Intelligence also documents two additional staging domains — teams[.]onweblive[.]org and maskasd[.]com — and publishes SHA-256 hashes for setup.cjs, easy-day-js-1.11.21.tgz, and easy-day-js-1.11.22.tgz for IOC searches.

Mastra discovered the publishes at 20:45 PT, removed ehindero from the scope, unpublished 110 of the 116 newly-published versions, deprecated the remaining six that npm's unpublish window blocked, and forward-rolled clean releases via PR #18056 by 23:57 PT. Combined weekly download exposure across the affected packages exceeds 1.1M; @mastra/core alone receives >918K weekly installs (~4M monthly).

Attribution — Sapphire Sleet (BlueNoroff)

On 2026-06-17 Microsoft Threat Intelligence published a long-form analysis attributing the activity with high confidence to Sapphire Sleet (also tracked as BlueNoroff / UNC1069), a North Korea-nexus actor that primarily targets financial-sector and cryptocurrency firms. The Hostwinds-hosted C2, the clean-then-armed typosquat playbook, the TLS-off / detached-spawn / self-delete postinstall dropper, and the >160-wallet-extension stealer payload all match the Axios npm compromise of 2026-03-31 that Microsoft and Google also attributed to Sapphire Sleet. This is the second wide-scope npm registry takeover Microsoft has tied to the cluster within 2026.

Independent disclosures from Socket, JFrog, Snyk, StepSecurity, Mend, Aikido, Phoenix Security, SafeDep, OX Security, Endor Labs, and Cloudsmith converge on the same package set, IOCs, and account-takeover root cause. The easy-day-js package itself was removed from npm shortly after Socket's automated flag, ~6 minutes after the first malicious publish.

Affected packages (17)

  • npm@mastra/agent-browser
    0.3.2
  • npm@mastra/auth
    1.0.3
  • npm@mastra/core
    1.42.1
  • npm@mastra/evals
    1.3.1
  • npm@mastra/github-signals
    0.1.2
  • npm@mastra/loggers
    1.1.3
  • npm@mastra/mem0
    0.1.14
  • npm@mastra/memory
    1.20.4
  • npm@mastra/node-audio
    0.1.8
  • npm@mastra/node-speaker
    0.1.1
  • npm@mastra/rag
    2.2.2
  • npm@mastra/react
    1.0.1
  • npm@mastra/schema-compat
    1.2.12
  • npm@mastra/voice-playai
    0.12.2
  • npmcreate-mastra
    1.13.1
  • npmeasy-day-js
    1.11.22
  • npmmastra
    1.13.1

Impact

  • Cryptocurrency wallet theft: 160+ browser-extension wallets (MetaMask, Phantom, Coinbase, Solflare, OKX, Keplr) drained on install
  • Cross-platform infostealer + RAT with Windows/macOS/Linux persistence
  • CI/CD runner compromise: postinstall runs automatically during npm install
  • Stored secrets and tokens exfiltrated to attacker C2 (23.254.164.123:443)
  • Loader disables TLS verification before fetching the second stage

What to do

  1. 1Run npm ls easy-day-js in every project and CI runner — any match indicates execution of the dropper
  2. 2Treat any host that installed an affected @mastra/* version on or after 2026-06-17 01:12 UTC as compromised; rebuild from a known-good image
  3. 3Pin mastra@1.13.0, create-mastra@1.13.0, @mastra/core@1.42.0 (or the post-incident clean release pushed by Mastra in PR #18056) and reinstall after deleting node_modules and the lockfile entries
  4. 4Rotate browser-extension wallet seed phrases, npm tokens, cloud credentials, and any SSH/Git keys accessible from the affected machine
  5. 5Block egress to 23.254.164.92 and 23.254.164.123 and search proxy/IDS logs for prior contacts
  6. 6Audit npm owner lists for every scope you control and revoke any dormant former-contributor access

References

npm-2026-06-17-mastra-easy-day-js