140+ Mastra npm Packages Compromised in Coordinated Supply Chain Attack
140+ Mastra npm packages compromised via malicious dependency easy-day-js.
Summary
A coordinated supply chain attack has compromised over 140 npm packages within the @mastra/* namespace. The attack was delivered through a typosquatted dependency, easy-day-js, which was injected into the Mastra packages' dependency lists. This malicious dependency contains an obfuscated payload that executes during 'npm install', disabling TLS validation and fetching a second-stage infostealer targeting cryptocurrency wallets and browser data across multiple operating systems.
Full text
Indicators of Compromise
- malware — infostealer