🤖 AI Summary
On June 17, 2026, a significant supply chain attack targeted the @mastra npm organization: an attacker introduced the malicious package "easy-day-js" as a dependency in over 140 Mastra AI framework packages. This typosquat of the legitimate dayjs library contained an obfuscated postinstall script that executed a second-stage payload fetched from the attacker's server. The affected packages have a combined download count exceeding 1.1 million, so the compromise poses a severe risk to developers, especially since Mastra is widely used for building AI agents that handle sensitive credentials such as API keys and cloud credentials.
The attack was meticulously orchestrated, beginning with the publication of a legitimate-looking version of easy-day-js, which allowed the subsequent malicious version to be pulled automatically in npm installs. The dropper used complex obfuscation techniques, including custom Base64 encoding and array rotation, to evade detection by static analysis tools. It disabled TLS verification and ran as a detached background process, making it particularly difficult to identify post-execution. The incident underscores the vulnerability of open-source ecosystems, highlighting the need for enhanced security measures such as automated monitoring tools to detect and prevent similar attacks in the future.
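The following Python script is an added defensive example, not code from the page or from the Mastra project. It scans an npm lockfile for the three conditions the summary describes: a known-bad dependency name, a package that runs an install lifecycle script, and a name that resembles a popular library (a typosquat heuristic), and it lists which packages pull the flagged dependency in. The lockfile content, the version numbers and the "popular" name list are constructed assumptions.

```python
import json
import difflib

# Constructed sample lockfile in npm lockfileVersion 3 shape (assumed data).
SAMPLE_LOCK = json.dumps({
    "name": "example-agent",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@mastra/core": "^0.1.0"}},
        "node_modules/@mastra/core": {"version": "0.1.0",
                                      "dependencies": {"easy-day-js": "^1.0.1"}},
        "node_modules/easy-day-js": {"version": "1.0.1", "hasInstallScript": True},
        "node_modules/dayjs": {"version": "1.11.10"},
    },
})

KNOWN_BAD = {"easy-day-js"}            # name taken from the incident above
POPULAR = ["dayjs", "lodash", "axios"]   # assumed list of lookalike targets

def package_name(path):
    # "node_modules/@scope/name" -> "@scope/name"
    return path.rsplit("node_modules/", 1)[-1]

def lookalike(name, popular=POPULAR, threshold=0.8):
    # Compare on alphanumerics only so "easy-day-js" is seen as "easydayjs".
    norm = "".join(ch for ch in name.lower() if ch.isalnum())
    for p in popular:
        if norm == p:
            continue  # the genuine package is not a lookalike of itself
        if p in norm or difflib.SequenceMatcher(None, norm, p).ratio() >= threshold:
            return p
    return None

def scan_lockfile(text):
    # Returns [(name, version, [reasons]), ...] for every suspicious entry.
    findings = []
    for path, meta in json.loads(text).get("packages", {}).items():
        if not path:
            continue  # "" is the root project, not a dependency
        name, reasons = package_name(path), []
        if name in KNOWN_BAD:
            reasons.append("known malicious package")
        if meta.get("hasInstallScript"):
            reasons.append("runs an install lifecycle script")
        target = lookalike(name)
        if target:
            reasons.append(f"name resembles popular package '{target}'")
        if reasons:
            findings.append((name, meta.get("version"), reasons))
    return findings

def dependents_of(text, target):
    # Blast radius: installed packages that declare `target` as a dependency.
    return [package_name(p) for p, m in json.loads(text).get("packages", {}).items()
            if p and target in m.get("dependencies", {})]
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with the file's contents; any finding that cites an install script deserves a manual look at the package's `scripts` field before the next install.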