Mastra Packages Trojanized with Malicious Dependency (Campaign)
ID: c370895e-7ffb-5e17-986f-36749c638c2f
STIX ID: report--c370895e-7ffb-5e17-986f-36749c638c2f
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2026-06-17
Date Updated: 2026-07-02
Author: [email protected] (Wiz Threat Research)
On 17 June 2026, attackers hijacked a maintainer account for the Mastra npm organization and republished 116 packages within ~27 minutes, adding a typosquatted dependency ('easy-day-js') that executed an obfuscated postinstall loader; the loader disabled TLS checks, downloaded and launched a second-stage cross-platform infostealer that harvests browser data and over 160 cryptocurrency wallet extensions and establishes persistence, posing a large-scale supply-chain risk due to Mastra's broad usage and high download volume.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
