
Mastra AI npm Packages Backdoored via easy-day-js Typosquat

A North Korean state-sponsored group hijacked a dormant npm account to inject a malicious typosquat dependency into 144 Mastra AI agent framework packages.

Microsoft Threat Intelligence has attributed a supply chain attack on the Mastra AI framework to the North Korean state-sponsored group Sapphire Sleet. The June 17 incident compromised the @mastra npm scope, exposing developers to credential theft and cryptocurrency-stealing malware. For teams building with the Mastra framework, which sees over 1.1 million weekly downloads, the breach requires an immediate audit of CI/CD environments.

The npm Hijack

Attackers targeted a dormant npm contributor account belonging to a former Mastra developer, username ehindero. Over an 84-minute window early on June 17, 2026, the attackers republished 144 packages under the @mastra scope. Affected packages included core framework components like mastra, @mastra/core, and create-mastra.

The attackers did not alter the framework’s source code. They injected a single malicious dependency named easy-day-js, a typosquat of the popular dayjs library.

Dropper Mechanics and Payload

The injected easy-day-js package operated as a multi-stage malware dropper triggered during the npm installation process.

When a developer or build pipeline installed a compromised Mastra package, easy-day-js executed a postinstall script. The script immediately disabled Transport Layer Security (TLS) certificate verification to bypass local network security monitoring. It then established a connection with an attacker-controlled command-and-control server.

The final payload was a cross-platform Remote Access Trojan (RAT) spawned as a detached, hidden process. Once running, the script deleted its own dropper files to hinder forensic analysis. The RAT actively hunted for authentication tokens, API keys, and cryptocurrency wallets.

Threat Actor Profile

Microsoft identified the attackers as Sapphire Sleet, also tracked as BlueNoroff, with high confidence on June 19. The group is a subset of North Korea’s state-sponsored cyber apparatus, traditionally focused on cryptocurrency theft to fund state operations.

The group’s tradecraft here matches their historical patterns. The use of clean-then-armed typosquats and detached spawning mechanisms aligns with earlier 2026 campaigns. Security firms including SafeDep, Snyk, and Orca Security detected the anomalous republishing events shortly after the 84-minute burst.

Attack Detail          Information
Date of Compromise     June 17, 2026
Attribution Date       June 19, 2026
Affected Scope         143-144 packages (@mastra)
Malicious Package      easy-day-js
Exploited Account      ehindero
Target Ecosystem       ~1.1 million weekly downloads

Supply Chain Realities for AI Frameworks

Mastra AI reached version 1.0 in January 2026 and recently closed a $22M Series A. As an open-source TypeScript framework for agentic systems, it sits in highly privileged environments with access to production cloud keys and enterprise data stores.

This incident highlights that AI tooling remains highly vulnerable to conventional infrastructure attacks. The breach did not leverage prompt injection or model manipulation. Much like the recent supply chain compromise of the LiteLLM package on PyPI, this event exploited structural weaknesses in package registries. The attackers relied entirely on the lack of mandatory credential expiration for inactive maintainers.

If your infrastructure pulled Mastra packages between June 17 and June 19, you must assume your environment is compromised. Rotate all cloud credentials, revoke exposed API keys, and audit your package lockfiles for the easy-day-js dependency.
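As an added example (not code from the article or the Mastra project), the following Node.js script performs the lockfile audit described above and also flags install-time lifecycle hooks of the kind the easy-day-js dropper used, including a check for commands that disable TLS verification. The sample lockfile, its versions and the hook commands in the lead-in and comments are constructed for the demonstration.

```javascript
// Added example (not from the article or Mastra): audit an npm lockfile for a
// known-bad dependency and flag install-time hooks that disable TLS checks.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall']; // run automatically by `npm install`
const TLS_DISABLE_PATTERNS = [/NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0/, /rejectUnauthorized\s*:\s*false/];
// Return every lockfile entry whose name is in `blocklist`; handles the flat
// "packages" map (lockfileVersion 2/3) and the nested v1 "dependencies" tree.
function findBlockedPackages(lock, blocklist) {
  const blocked = new Set(blocklist);
  const hits = [];
  const record = (name, meta, path) => {
    if (blocked.has(name)) hits.push({ name, version: meta.version, path, resolved: meta.resolved });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry, not a dependency
      const name = meta.name || path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      record(name, meta, path);
    }
  } else if (lock.dependencies) {
    const walk = (deps, parent) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${parent}node_modules/${name}`;
        record(name, meta, path);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}
// Report install-time hooks in a dependency's package.json and whether the
// command text matches a TLS-bypass pattern, the behaviour the dropper showed.
function flagInstallHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string').map((h) => ({
    hook: h, command: scripts[h], disablesTls: TLS_DISABLE_PATTERNS.some((re) => re.test(scripts[h])),
  }));
}
// Constructed sample lockfile (versions made up): a project that pulled a
// Mastra package which in turn pulled in easy-day-js.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@mastra/core': '^1.0.0' } },
    'node_modules/@mastra/core': { version: '1.0.0', dependencies: { 'easy-day-js': '*' } },
    'node_modules/easy-day-js': { version: '1.0.0' },
    'node_modules/dayjs': { version: '1.11.10' },
  },
};
if (typeof require !== 'undefined' && require.main === module) console.log(findBlockedPackages(SAMPLE_LOCK, ['easy-day-js']));
```

To audit a real project, parse its package-lock.json with JSON.parse and pass the object to findBlockedPackages; run flagInstallHooks over each node_modules/<name>/package.json to surface install-time hooks for review.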
