Mastra npm Scope Takeover: 143 Packages Drop a RAT
TL;DR
In the early hours of June 17, 2026 (UTC), an attacker using the npm account ehindero republished 143 packages in the @mastra scope, including @mastra/core, mastra, and create-mastra, in a burst that ran from 01:12 to 02:36. The library code was left untouched. The only change was a single new dependency added to each package: easy-day-js, a clone of dayjs that downloads and runs a cryptocurrency-stealing remote access trojan when you install it. The attacker laid the groundwork a day earlier: on June 16 they published the clean easy-day-js, then flipped on the malicious version …
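A lockfile check for the dependency described in the TL;DR, as an added example (not this page's scanner and not Mastra's code): it reports every installed copy of easy-day-js and every package that declares it. The function name, the sample lockfile and all version strings are constructed, and because the page lists no affected version numbers, any match is reported for review rather than matched against a version.

```javascript
// Added example, not the advisory's scanner. It flags the dependency named in
// the TL;DR. No version list is assumed: any easy-day-js entry is reported.
const SUSPECT = "easy-day-js";
const DEP_FIELDS = ["dependencies", "optionalDependencies", "peerDependencies"];

// Takes package-lock.json text (lockfileVersion 2 or 3, which carry a "packages" map).
function findSuspect(lockText, suspect = SUSPECT) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) {
    throw new Error("no 'packages' map: lockfileVersion 1 is not handled here");
  }
  const installed = [];  // copies of the suspect package present in the tree
  const dependents = []; // packages whose manifest asks for it
  for (const [path, entry] of Object.entries(lock.packages)) {
    // Keys look like "node_modules/a/node_modules/b"; the name is the last segment.
    const name = path.split("node_modules/").pop();
    if (name === suspect) {
      installed.push({ path, version: entry.version, resolved: entry.resolved });
    }
    for (const field of DEP_FIELDS) {
      if (entry[field] && Object.hasOwn(entry[field], suspect)) {
        dependents.push({
          name: name || "(root project)",
          version: entry.version,
          range: entry[field][suspect],
        });
      }
    }
  }
  return { affected: installed.length > 0 || dependents.length > 0, installed, dependents };
}

// Constructed sample lockfile; every version string is a placeholder.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@mastra/core": "*" } },
    "node_modules/@mastra/core": { version: "0.0.0-example", dependencies: { "easy-day-js": "*" } },
    "node_modules/easy-day-js": { version: "0.0.0-example" },
    "node_modules/dayjs": { version: "0.0.0-example" },
  },
});

console.log(JSON.stringify(findSuspect(SAMPLE_LOCK), null, 2));
```

Pass it the text of a package-lock.json read from disk before installing, since the page states the payload runs at install time.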
IoC