A malicious npm dependency, easy-day-js, was added to 143 Mastra packages as a production dependency, causing fresh installs to resolve from a clean decoy version to weaponized [email protected] through a caret version range. Its obfuscated postinstall …
« Reports in 2026
414 reports
A compromised Mastra npm release wave added the typosquatted dependency `easy-day-js`, whose `postinstall` hook executed during dependency installation and pulled a second-stage Node.js implant from attacker-controlled infrastructure. The implant installe…
An attacker reused a dormant former Mastra contributor npm account to republish 143 @mastra packages on June 17, 2026, adding a dependency on easy-day-js that resolved to a malicious postinstall version. The dropper fetched a second-stage Node RAT from Ho…
From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet
Sapphire Sleet compromised the Mastra npm ecosystem by taking over the `ehindero` maintainer account and injecting the malicious `easy-day-js` typosquat into more than 140 `mastra` and `@mastra` packages. The weaponized package ran a postinstall dropper t…
AhnLab observed malicious Windows LNK files disguised as resumes that show a benign decoy document while creating batch, PowerShell, and VBScript files under public user directories. The chain registers an `office365` scheduled task to run every 10 minute…
AhnLab observed a malicious Windows shortcut disguised as a personal information consent document that runs obfuscated PowerShell and retrieves additional scripts for fileless execution. The chain creates downloader and loader PowerShell scripts, establis…
A stale former contributor npm account was used to republish the Mastra npm scope with a malicious `easy-day-js` dependency that executed at install time. The dropper disabled TLS validation, fetched a second-stage payload from a raw IP, and installed a c…
North Korean APT activity in May 2026 emphasized developer and software-supply-chain abuse: Lazarus weaponized Git Hooks and Jenkins CI/CD workflows to spread InvisibleFerret, BeaverTail, and FCCCall, raising risks to developer credentials and cryptocurre…
ESRC found that the malicious npm package chai-as-init, distributed in versions 1.4.5 through 1.4.7, impersonated a Chai.js plugin while hiding malicious code in only two files copied into a mostly legitimate-looking pino package tree. Loading the package…
A spear-phishing email impersonating Bithumb reportedly led to malware infection on a Humanity Protocol director's Windows laptop, exposing MetaMask data and production signer keys in activity Quantstamp said was characteristic of DPRK intrusions. With th…
Nisos identified a DPRK state-sponsored employment fraud cell that submitted more than 170,000 job applications to US companies between December 2024 and September 2025, producing 76 employment offers across 22 operatives. The operation used appropriated …
North Korea-linked activity in AhnLab's May 2026 APT trend report centered on developer and software-supply-chain intrusion paths. Lazarus abused Git hooks and Jenkins CI/CD workflows to trigger InvisibleFerret, BeaverTail, and FCCCall infections aimed at…
A developer-targeted LinkedIn recruiting lure sent the author to a public GitHub repository containing a hidden Node.js backdoor. The malicious code in `app/test/index.js` assembled `https://rest-icon-handler.store/icons/77` and was designed to execute wh…
North Korean IT-worker operators used stolen identities from Bosnia and Serbia to create freelance profiles on platforms such as Guru and GoLance, seeking work with Western companies while hiding their true origin. The activity is tied in an MSMT sanction…
APT37 used Microsoft-themed spear phishing to deliver a ZIP archive containing a malicious LNK file that launched a PowerShell and batch-based infection chain. The chain installed an official embedded Python runtime, executed compiled Python bytecode disg…