PROBABLYPWNED
Malware · June 17, 2026 · 3 min read

Mastra npm Hijack Drops Crypto-Stealing RAT on AI Developers

144 packages in the Mastra AI framework compromised via hijacked maintainer account. The malicious easy-day-js dependency deploys a crypto-stealing RAT affecting 1.1M weekly downloads.

James Rivera

A coordinated supply chain attack targeting the Mastra AI framework compromised 144 npm packages overnight, exposing over 1.1 million weekly downloads to a cryptocurrency-stealing remote access trojan. The attack, discovered on June 17, 2026, exploited a hijacked maintainer account to inject malicious dependencies across the entire @mastra namespace.

How the Attack Unfolded

According to Socket security researchers, an attacker using the npm account "ehindero"—a legitimate former Mastra contributor whose access was never revoked—republished 141 packages between 01:12 and 02:36 UTC. The burst of automated publishing modified core packages including @mastra/core, mastra, and create-mastra.

The malicious payload arrived through a dependency called "easy-day-js," a typosquat of the legitimate dayjs date library. The Hacker News reported that easy-day-js first appeared as a clean library on June 16 at 7:05 AM UTC, with the payload introduced less than 18 hours later.

Multi-Stage Payload Capabilities

The attack chain operates in stages. During installation, an obfuscated postinstall hook downloads a second-stage payload from attacker infrastructure at 23.254.164[.]92, executing with TLS validation disabled. The dropper then self-deletes to cover its tracks.

The deployed RAT targets cryptocurrency wallets aggressively, harvesting data from over 160 browser extensions for wallets including MetaMask, Phantom, and Coinbase Wallet. Beyond crypto theft, the malware exfiltrates browser history and establishes persistence across Windows, macOS, and Linux systems.

SafeDep researchers confirmed the payload communicates with a command-and-control server at 23.254.164[.]123 for data exfiltration, with capabilities to download and execute additional modules on demand.

Why AI Developers Face Higher Risk

Mastra sits at the intersection of AI development and cloud infrastructure. Its packages are commonly installed in environments holding sensitive credentials—LLM API keys, cloud provider tokens, and deployment secrets. A compromised development machine could expose entire AI pipelines and the data they process.

The attack mirrors techniques we saw in the Arch Linux AUR compromise earlier this month, where attackers similarly targeted developer tooling through supply chain poisoning. Both incidents demonstrate how threat actors are increasingly focused on poisoning development dependencies rather than attacking production systems directly.

Organizations building AI applications with frameworks like Mastra should review our malware defense fundamentals to understand the broader threat landscape.

Indicators of Compromise

Security teams should hunt for these artifacts:

Malicious infrastructure:

  • 23.254.164[.]92 (payload delivery)
  • 23.254.164[.]123 (C2/exfiltration)

Compromised components:

  • Package: easy-day-js (author: sergey2016)
  • Affected scope: @mastra/* packages updated after June 16, 2026

Immediate Response Steps

If you installed any @mastra/* package since June 16, 2026:

  1. Treat the machine as compromised and isolate it from production networks
  2. Roll back to package versions published before June 16
  3. Rotate all credentials the system could access—cloud keys, LLM API keys, npm tokens, and cryptocurrency wallet keys
  4. Run npm audit signatures to verify package integrity
  5. Check for persistence mechanisms in startup scripts and scheduled tasks

The Mastra maintainers have since regained control of the namespace and published clean versions. Developers should verify they're running patched releases before resuming work.

Supply chain attacks against AI/ML tooling will likely intensify as these frameworks become more central to enterprise operations. Requiring SLSA provenance attestations for package publication—as npm is piloting—could help organizations verify the integrity of their dependencies before installation.
