- All 144 @mastra/* packages were compromised — attackers hijacked a forgotten contributor npm account and republished every package with a cryptocurrency-stealing RAT in an 88-minute automated burst on June 17, 2026.
- Rotation is mandatory, not optional — any machine that ran npm install on a Mastra package after June 16 should be treated as compromised; rotate all secrets immediately.
- Remediated packages are already published — Mastra maintainers reverted all 144 packages within hours; pin to the latest clean versions and audit your lock files now.
At 01:12 UTC on June 17, 2026, a single forgotten npm contributor account became a master key to one of the most widely-used AI development frameworks in JavaScript. In less than 90 minutes, every one of the 144 packages in the Mastra ecosystem — used by over 1.1 million developers weekly — was silently backdoored with a cross-platform Remote Access Trojan designed to steal cryptocurrency wallets and exfiltrate secrets. If your team has been building AI agents with Mastra, this post is not optional reading.
What Is Mastra and Why Does This Hurt So Much?
Mastra is the leading open-source TypeScript framework for building production AI agents. It provides abstractions for tools, memory, workflows, and multi-agent orchestration that work seamlessly with any LLM provider. The @mastra/core package alone pulls nearly 918,000 downloads per week; the entire scoped namespace adds up to well over 1.1 million combined weekly installs. That reach is precisely what made it an attractive target.
The framework is heavily used in the exact environments where credential theft is most damaging: CI/CD pipelines, cloud-deployed agent servers, and developer workstations that store LLM API keys, cloud provider credentials, database connection strings, and npm publish tokens. A RAT dropped onto one of those environments has a direct path to everything.
The vulnerability was not a flaw in Mastra's code. It was a flaw in npm's trust model: contributor accounts, once granted publish access, retain that access indefinitely — even after the contributor goes inactive. The attacker found one such dormant account belonging to a contributor identified only as ehindero, compromised it, and used it as a launchpad.
The Attack: 88 Minutes, 144 Packages, One Trojanized Dependency
The injection mechanism was elegant in its simplicity. Attackers first published a malicious package called easy-day-js@1.11.22 — a convincing clone of the popular dayjs date library (140 million weekly downloads), but with an extra payload: a cross-platform RAT that targets cryptocurrency wallets and credential stores. They then modified all 144 Mastra packages to depend on this new package and republished them from the compromised ehindero account.
The entire operation ran from 01:12 to 02:39 UTC — 88 minutes start to finish. The automation suggests a pre-built toolkit, not an improvised attack. Security researchers at Endor Labs, JFrog, SafeDep, Socket, Snyk, and StepSecurity all identified the compromise independently and coordinated disclosure within hours of the attack completing. Here is how the malicious dependency appeared in a poisoned package's manifest:
// package.json snippet from a compromised @mastra/* package
{
  "name": "@mastra/core",
  "version": "0.10.7",
  "dependencies": {
    "easy-day-js": "1.11.22", // <-- malicious addition
    "zod": "^3.22.4",
    "ai": "^4.1.0"
  }
}
The easy-day-js package executed its payload at install time via a postinstall script, meaning the machine was compromised the moment npm install completed — no further user interaction required. The RAT targeted common wallet paths on macOS, Linux, and Windows, and also scraped environment variables for patterns matching API keys, tokens, and credentials.
The Blast Radius: What Gets Stolen
Understanding what the RAT hunted for clarifies exactly what needs to be rotated. Security researchers reverse-engineered the payload and identified several target categories:
- Cryptocurrency wallets: Metamask browser extension storage, Exodus wallet files, Ledger Live app data, and common wallet seed phrase files on all three major operating systems.
- npm tokens: ~/.npmrc files and npm token environment variables — meaning compromised developer machines could become second-stage attack vectors against other packages they publish.
- Cloud credentials: AWS ~/.aws/credentials files, GCP service account JSON files, and Azure CLI credential caches.
- LLM API keys: Environment variables matching patterns like OPENAI_API_KEY, ANTHROPIC_API_KEY, GROQ_API_KEY, and similar.
- SSH private keys: All files under ~/.ssh/ matching standard key naming patterns.
- Database credentials: Environment variables and .env files scanned for connection string patterns.
Stolen data was sent to an attacker-controlled command-and-control server, entirely separate from the hijacked npm account. Even if you uninstall the compromised package now, credentials already exfiltrated remain at risk until rotated.
How to Respond: A Developer Checklist
If any developer or CI runner in your organization executed npm install on a project with Mastra dependencies after June 16, 2026, treat the machine as compromised and work through the following list completely:
- Rotate npm tokens immediately. Any token on the affected machine should be considered stolen. Go to npmjs.com → Account → Access Tokens and revoke all existing tokens, then generate new ones and update your CI secrets.
- Rotate all LLM API keys. Regenerate keys for OpenAI, Anthropic, Groq, Cohere, or any other provider whose key was present in environment variables or .env files on the affected machine.
- Rotate cloud provider credentials. For AWS: rotate IAM access keys and audit CloudTrail for unexpected API calls. For GCP: revoke service account keys and review the audit logs. For Azure: rotate client secrets and review activity logs.
- Audit your package-lock.json or yarn.lock. Search for easy-day-js as a transitive dependency — its presence confirms exposure.
- Pin to clean Mastra versions. Maintainers published remediated versions of all 144 packages within hours. Run npm update @mastra/core (and all other @mastra/* packages), verify easy-day-js is no longer in your lock file, and commit the updated lock.
- Migrate cryptocurrency wallets. If a hardware or software wallet was present on the affected machine, treat the seed phrase as compromised and migrate funds to a new wallet immediately.
# Audit your lock file for the malicious dependency (any hit confirms exposure)
grep -r "easy-day-js" package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null
# Update all @mastra/* packages to remediated versions
# (node -e takes a single script string; the package list is read from stdin)
npm update $(npm ls --depth=0 --json | node -e "
  const d = JSON.parse(require('fs').readFileSync(0, 'utf8'));
  console.log(Object.keys(d.dependencies || {}).filter(k => k.startsWith('@mastra/')).join(' '));
")
# Verify the RAT is gone (no output means no remaining reference in the installed tree)
grep -r "easy-day-js" node_modules/.package-lock.json package-lock.json
The Structural Problem: Stale Contributor Accounts
This attack follows a now-familiar pattern: find an npm account with publish rights to a popular package, compromise it via credential stuffing, phishing, or password reuse, then use it as a trusted publisher to inject malicious code. The ehindero account had not been active for months, but its publish permissions on the entire @mastra/* scope remained fully intact.
npm recently announced plans for mandatory 2FA on all accounts with publish rights to packages above a download threshold, and npm's Sigstore-based provenance attestations (generated when publishing from a GitHub Actions workflow) allow consumers to verify that a published package was built from a specific git commit in a known workflow. If the Mastra packages had carried provenance attestations, a release that did not come from that workflow would have been detectable immediately. The lesson for maintainers is clear: audit your contributor list, revoke stale access, enable 2FA, and publish with provenance.
The Bottom Line
The Mastra attack is a high-severity incident that requires immediate action from every developer and team using the framework. The good news is that the remediation path is clear: clean packages are already published, the credential types to rotate are well-defined, and the forensic signal (the easy-day-js entry in your lock file) is easy to check. The harder lesson is organizational: every project should audit its contributor list, enforce 2FA for all publishing accounts, and begin adopting npm provenance attestations to make future supply chain attacks detectable before they spread.
Further Reading
- Snyk Blog: Full technical breakdown of the attack chain, the easy-day-js RAT payload, and timeline reconstruction from npm publish timestamps.
- StepSecurity Disclosure: Details on the ehindero account takeover vector and which specific package versions were tainted.
- npm Provenance Documentation: Official guide to publishing npm packages with sigstore-based provenance attestations so consumers can verify build origin.
- Endor Labs Supply Chain Risk Report 2026: Broader context on the rise of maintainer account takeover attacks as the dominant supply chain threat vector this year.