{
  "name": "From package to postinstall payload: Inside the Mastra npm supply chain compromise",
  "slug": "from-package-to-postinstall-payload-inside-the-mastra-npm-supply-chain-compromise",
  "description": "Microsoft Threat Intelligence discovered a large-scale npm supply chain attack that compromised over 140 packages in the mastra and @mastra scopes. The attack originated from the takeover of the ehindero npm maintainer account, which was then used to publish poisoned package versions that introduced easy-day-js, a malicious typosquat of the popular dayjs library. The malicious package ran a postinstall hook that deployed an obfuscated dropper script, disabled TLS certificate verification, contacted command-and-control infrastructure at 23.254.164.92 and 23.254.164.123, and downloaded a second-stage payload. This second stage, a 41KB cross-platform Node.js implant, installed persistence mechanisms, inventoried cryptocurrency wallets, exfiltrated browser history and host reconnaissance data, and on Windows performed reflective .NET assembly injection for fileless in-memory code execution. Because the postinstall hook runs at install time, any developer workstation or CI/CD pipeline that executed npm install after the compromise was potentially exposed, regardless of whether the affected packages' code was ever imported or run.",
  "published": "2026-06-18T05:41:52.250000+00:00",
  "created_at": "2026-06-18T14:32:55.175000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-06-18T14:32:55.175000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "account-takeover",
    "credential-theft",
    "cryptocurrency-clipper",
    "easy-day-js",
    "npm",
    "postinstall-hook",
    "supply-chain-attack",
    "typosquatting"
  ],
  "tags": [],
  "related_entities": {
    "indicators": [
      {
        "id": "7e7d8764-2075-47f9-9bfd-982f6212fc4d",
        "name": "ae70dd4f6bc0d1c8c2848e4e6b51934626c4818dcb5af99d080ddbd7dc337185"
      },
      {
        "id": "1e5a1f0f-5cab-49a5-bdc4-9cc299bf2c8a",
        "name": "4a8860240e4231c3a74c81949be655a28e096a7d72f38fbe84e5b37636b98417"
      },
      {
        "id": "925d62ed-3b6c-4fef-b69d-2c32a3e3096a",
        "name": "b122a9873bedf145ae2a7fd024b5f309007dbb025149f4dc4ac3f7e4f32a36a4"
      },
      {
        "id": "038a41b8-e71d-4ef6-a1fa-c3031f4d5dcf",
        "name": "b73de25c053c3225a077738a1fcbd9ca6966d7b3cd6f5494a30f0aa0eae55c7e"
      },
      {
        "id": "33f96a5f-6d61-4aeb-816e-92d7a3ec87ce",
        "name": "221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf"
      },
      {
        "id": "72543084-5318-4a78-9799-1ffffae35a60",
        "name": "https://23.254.164.92:8000/update/49890878"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "02abb0a8-0ebf-433b-987f-e25675af60d6",
        "name": "T1055.001"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "e87116ac-f56b-4b15-a5e2-a4ed737555d5",
        "name": "T1543.002"
      },
      {
        "id": "880d45b0-e336-4f1a-8893-2796195f5500",
        "name": "T1543.001"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "1d0d9e67-eb8a-439c-a2c7-cab311bb25c4",
        "name": "T1195.002"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "malware": [
      {
        "id": "80319140-1a56-4b51-a75e-37dede17a571",
        "name": "easy-day-js",
        "slug": "easy-day-js"
      }
    ],
    "observables": [
      {
        "id": "da793886-a733-4533-9f48-f308632dcb57",
        "name": "https://23.254.164.92:8000/update/49890878"
      }
    ]
  },
  "external_refs": [
    {
      "id": "7d453a40-9d23-4260-9a32-fb173d014c0d",
      "standard_id": "external-reference--afbaa4a7-f75b-5ef1-9fb6-0e7f506b3b68",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/",
      "hash": null,
      "external_id": null,
      "created": "2026-06-18T14:32:54.209Z",
      "modified": "2026-06-18T14:32:54.209Z",
      "createdById": null
    },
    {
      "id": "6293b07d-7bcf-4e62-9f1f-d77aaf238d6a",
      "standard_id": "external-reference--cf6528d6-acc4-58ee-bbe9-e549c45bb535",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a338520dd8f528ed63d76f0",
      "hash": null,
      "external_id": "6a338520dd8f528ed63d76f0",
      "created": "2026-06-18T14:32:54.149Z",
      "modified": "2026-06-18T14:32:54.149Z",
      "createdById": null
    }
  ]
}