From package to postinstall payload: Inside the Mastra npm supply chain compromise
ID: d9a96a21-8022-5610-883d-9fd72668e93d
STIX ID: report--d9a96a21-8022-5610-883d-9fd72668e93d
Feed Name: Microsoft Security
Date Published: 2026-06-18
Date Updated: 2026-06-18
Author: Microsoft Defender Security Research Team
Microsoft Threat Intelligence observed a large-scale npm supply-chain attack in which the attacker took over the ehindero maintainer account to inject a typosquatted package (easy-day-js) into 140+ @mastra packages; the malicious postinstall hook ran an obfuscated dropper that disabled TLS certificate validation, contacted C2 servers (23.254.164.92 and .123), fetched a second-stage Node.js implant that establishes persistence across Windows/macOS/Linux, performs host and browser/crypto-wallet collection, and supports remote tasking and reflective .NET in-memory execution on Windows. Microsoft published IOCs, mitigation guidance (pinning versions, using --ignore-scripts, rotating credentials, blocking C2 IPs), and detection queries for Defender products.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
