140+ npm Packages Compromised in Coordinated Supply Chain Attack
Essential information
- Published: 17/06/2026 15:38
- Modified: 17/06/2026 20:24
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: cross-platform stealer, cryptocurrency theft, easy-day-js, infostealer, npm packages, persistence mechanism, postinstall hook, supply chain attack, typosquatting
- Tags: 2026-06-17, cross-platform stealer, cryptocurrency theft, easy-day-js, infostealer, npm packages, persistence mechanism, postinstall-hook, supply chain attack, typosquatting
- Related entities: 9 indicators, 9 observables, 20 techniques (mitre), 1 malware, 3 others
Description
More than 140 Mastra npm packages were compromised through a supply chain attack that injected a typosquatted dependency called easy-day-js. A single npm account published the malicious versions within a short timeframe, affecting packages including @mastra/core, which has over 918K weekly downloads. The attack executes during npm install via a postinstall hook, deploying a two-stage payload. The first stage disables TLS validation and downloads a second-stage implant that installs cross-platform persistence on Windows, macOS, and Linux. This implant functions as a command-and-control client that steals cryptocurrency wallet inventories from 166+ browser extensions, harvests browser history, and can execute arbitrary code sent by the operators. Because the malicious code runs at installation time, systems are compromised before developers ever import the packages.