logo

From package to postinstall payload: Inside the Mastra npm supply chain compromise

ID: d9a96a21-8022-5610-883d-9fd72668e93d

STIX ID: report--d9a96a21-8022-5610-883d-9fd72668e93d

Feed Name: Microsoft Security

Threat Score
90/100

Date Published: 2026-06-18

Date Updated: 2026-06-18

Author: Microsoft Defender Security Research Team

...
...

Microsoft Threat Intelligence observed a large-scale npm supply-chain attack in which the attacker took over the ehindero maintainer account to inject a typosquatted package (easy-day-js) into 140+ @mastra packages; the malicious postinstall hook ran an obfuscated dropper that disabled TLS certificate validation, contacted C2 servers (23.254.164.92 and .123), fetched a second-stage Node.js implant that establishes persistence across Windows/macOS/Linux, performs host and browser/crypto-wallet collection, and supports remote tasking and reflective .NET in-memory execution on Windows. Microsoft published IOCs, mitigation guidance (pinning versions, using --ignore-scripts, rotating credentials, blocking C2 IPs), and detection queries for Defender products.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.