{
  "name": "140+ npm Packages Compromised in Coordinated Supply Chain Attack",
  "slug": "140-npm-packages-compromised-in-coordinated-supply-chain-attack",
  "description": "More than 140 Mastra npm packages were compromised through a supply chain attack that injected a typosquatted dependency called easy-day-js. A single npm account published malicious versions within a short timeframe, affecting packages including @mastra/core with over 918K weekly downloads. The attack executes during npm install via a postinstall hook, deploying a two-stage payload. The first stage disables TLS validation and downloads a second-stage implant that installs cross-platform persistence on Windows, macOS, and Linux. This implant functions as a command-and-control client that steals cryptocurrency wallet inventories from 166+ browser extensions, harvests browser history, and can execute arbitrary code sent by operators. The malicious code executes before developers import packages, compromising systems during installation.",
  "published": "2026-06-17T13:38:33.443000+00:00",
  "created_at": "2026-06-17T20:24:00.883000+00:00",
  "modified_at": "2026-06-17T18:24:00+00:00",
  "created_at_opencti": "2026-06-17T20:24:00.883000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "cross-platform stealer",
    "cryptocurrency theft",
    "easy-day-js",
    "infostealer",
    "npm packages",
    "persistence mechanism",
    "postinstall hook",
    "supply chain attack",
    "typosquatting"
  ],
  "tags": [
    "2026-06-17",
    "cross-platform stealer",
    "cryptocurrency theft",
    "easy-day-js",
    "infostealer",
    "npm packages",
    "persistence mechanism",
    "postinstall-hook",
    "supply chain attack",
    "typosquatting"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "147a7282-10d2-46b2-8d39-0d447da07c55",
        "name": "hwsrv-1327785.hostwindsdns.com"
      },
      {
        "id": "478f5fa1-841c-4310-bc16-019fedcba3ee",
        "name": "https://23.254.164.92:8000/update/49890878'"
      },
      {
        "id": "925d62ed-3b6c-4fef-b69d-2c32a3e3096a",
        "name": "b122a9873bedf145ae2a7fd024b5f309007dbb025149f4dc4ac3f7e4f32a36a4"
      },
      {
        "id": "696f0ebf-fd49-4817-b5b6-e781dc0d502e",
        "name": "hwsrv-1327786.hostwindsdns.com"
      },
      {
        "id": "29323299-fe2e-4e27-b82a-0e71ad883c15",
        "name": "c38954e85bf5433e61e7c8f4230336695624ae88b6953afabf7bf817aa91b638"
      },
      {
        "id": "33f96a5f-6d61-4aeb-816e-92d7a3ec87ce",
        "name": "221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf"
      },
      {
        "id": "4e08d2f3-6fca-4608-95ce-e131d89a8f28",
        "name": "cdec8b20338beb708b5be8d3d7a3041a35a8b0fb92f9186262f312d55ff82066"
      },
      {
        "id": "3bcaf04d-6186-4206-95d9-0f0ce1086699",
        "name": "9570f77a5e1511869f4e554e7166df9fde081f2583e293c2569621792ed7d9c9"
      },
      {
        "id": "72543084-5318-4a78-9799-1ffffae35a60",
        "name": "https://23.254.164.92:8000/update/49890878"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "5c67e5d2-bc85-4ce0-822d-f2f5d3b0ae4e",
        "name": "T1185"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "b9f29eb3-d591-4561-9cf0-0230a299a11c",
        "name": "T1547.013"
      },
      {
        "id": "e87116ac-f56b-4b15-a5e2-a4ed737555d5",
        "name": "T1543.002"
      },
      {
        "id": "880d45b0-e336-4f1a-8893-2796195f5500",
        "name": "T1543.001"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "1d0d9e67-eb8a-439c-a2c7-cab311bb25c4",
        "name": "T1195.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "malware": [
      {
        "id": "80319140-1a56-4b51-a75e-37dede17a571",
        "name": "easy-day-js",
        "slug": "easy-day-js"
      }
    ],
    "observables": [
      {
        "id": "2674afda-795a-4e1d-9e55-56eb7c4cb3ea",
        "name": "hwsrv-1327785.hostwindsdns.com"
      },
      {
        "id": "2c61bd64-d68a-4f78-a843-3bfb05627cc9",
        "name": "hwsrv-1327786.hostwindsdns.com"
      },
      {
        "id": "da793886-a733-4533-9f48-f308632dcb57",
        "name": "https://23.254.164.92:8000/update/49890878"
      },
      {
        "id": "409901f9-e340-40a0-a313-5f8e59515982",
        "name": "https://23.254.164.92:8000/update/49890878'"
      },
      {
        "id": "",
        "name": "b122a9873bedf145ae2a7fd024b5f309007dbb025149f4dc4ac3f7e4f32a36a4"
      },
      {
        "id": "",
        "name": "c38954e85bf5433e61e7c8f4230336695624ae88b6953afabf7bf817aa91b638"
      },
      {
        "id": "",
        "name": "221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf"
      },
      {
        "id": "",
        "name": "cdec8b20338beb708b5be8d3d7a3041a35a8b0fb92f9186262f312d55ff82066"
      },
      {
        "id": "",
        "name": "9570f77a5e1511869f4e554e7166df9fde081f2583e293c2569621792ed7d9c9"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "hwsrv-1327785.hostwindsdns.com"
      },
      {
        "id": "",
        "name": "hwsrv-1327786.hostwindsdns.com"
      }
    ]
  },
  "external_refs": [
    {
      "id": "e9ac6c87-49f8-4eee-aa3c-027fa230da3b",
      "standard_id": "external-reference--c5cff858-b0a3-527d-898a-a7fc7f3eb412",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a32a359d57a0d5d5999e35f",
      "hash": null,
      "external_id": "6a32a359d57a0d5d5999e35f",
      "created": "2026-06-17T20:24:00.797Z",
      "modified": "2026-06-17T20:24:00.797Z",
      "createdById": null
    },
    {
      "id": "4ab689cc-53dc-490e-a1f9-5ba96d39b952",
      "standard_id": "external-reference--d7a24820-c396-5c27-975f-fde2ae270789",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://socket.dev/blog/mastra-npm-packages-compromised",
      "hash": null,
      "external_id": null,
      "created": "2026-06-17T20:24:00.825Z",
      "modified": "2026-06-17T20:24:00.825Z",
      "createdById": null
    }
  ]
}