
Hackers Compromised 140+ Mastra npm Packages to Deploy Password-Stealing Malware

Cybersecurity News, June 17, 2026



By Guru Baran, June 17, 2026

A sophisticated supply chain attack has targeted the Mastra-AI npm ecosystem, with researchers from Microsoft and Socket identifying over 141 compromised packages designed to silently deploy an infostealer payload on developer machines, CI/CD runners, and build environments. The campaign, detected on June 17, 2026, exploited a typosquatting dependency to deliver multi-stage malware capable of stealing cryptocurrency wallet data, browser history, and sensitive credentials.

Between 01:15 and 02:36 UTC on June 17, a single npm account identified as ehindero mass-published malicious versions of 141 @mastra/* packages in a tight window. Critically, the compromised package code itself was byte-for-byte identical to legitimate builds; the only change was a single injected dependency in each manifest:

    "easy-day-js": "^1.11.21"

easy-day-js is a deliberate typosquat of the popular dayjs library, published the day prior by a separate account (sergey2016). Version 1.11.21 was a clean copy of dayjs to establish a benign history. Version 1.11.22, however, added a weaponized postinstall hook running node setup.cjs, executing the malicious payload automatically during npm install — before any developer imports or uses the package.

The affected packages include @mastra/core, which receives over 918,000 weekly npm downloads, giving this campaign a substantial potential blast radius.

Mastra npm Packages Compromise Chain

Stage 1 — The Loader (setup.cjs): Obfuscated using obfuscator.io, the loader disables TLS certificate verification (NODE_TLS_REJECT_UNAUTHORIZED=0), writes tracking files (~/.pkg_history, ~/.pkg_logs) to fingerprint the victim machine, fetches a second-stage payload from 23[.]254[.]164[.]92:8000/update/49890878, and spawns it as a detached, hidden background process pointing to the C2 server 23[.]254[.]164[.]123:443. The loader then self-deletes to eliminate forensic traces.

Stage 2 — The Implant (protocal.cjs): A ~41 KB cross-platform Node.js tasking client, the implant installs login persistence across all major operating systems: a Windows Registry Run key (NvmProtocal), a macOS LaunchAgent (com.nvm.protocal.plist), and a Linux systemd user unit (nvmconf.service). All persistence mechanisms are disguised as legitimate Node.js tooling to blend into developer environments. Once persistent, the implant beacons to the operator’s C2 and awaits arbitrary follow-on commands. Built-in collection capabilities include inventorying 166 cryptocurrency wallet browser extensions (MetaMask, Phantom, Coinbase Wallet, Binance Wallet, TronLink, and others), exfiltrating Chrome, Edge, and Brave browser history via Node’s built-in SQLite module, and conducting host reconnaissance, including running processes and installed applications.

Mitigations

Any system that ran npm install on affected @mastra/* versions should be treated as compromised. Developers should immediately run npm ls easy-day-js to check for exposure, remove affected versions, and pin to mastra@1.13.0 using lockfiles. Remove persistence artifacts manually from all affected platforms and rotate all credentials that may have been present in the installation environment, including npm tokens, GitHub tokens, cloud provider keys, and CI/CD secrets. For high-value cryptocurrency wallets, migrate funds to a new wallet generated from a fresh seed phrase on a clean device. Going forward, organizations should run npm install --ignore-scripts by default in CI pipelines, enforce lockfiles, implement package cooldown periods for newly published versions, and monitor for outbound connections to raw IP addresses during build processes.
IoCs

Network Indicators

Type          Indicator                                       Description
IP Address    23.254.164[.]92                                 Stage-2 payload delivery server
URL           https://23.254.164[.]92:8000/update/49890878    Stage-2 download endpoint
IP Address    23.254.164[.]123                                C2 exfiltration server
URL           https://23.254.164[.]123:443/49890878           C2 exfiltration endpoint
ASN           AS54290                                         Hostwinds LLC (attacker-controlled infrastructure)
Domain        hwsrv-1327786.hostwindsdns[.]com                Associated attacker domain
Domain        hwsrv-1327785.hostwindsdns[.]com                Associated attacker domain

Code & String Indicators

Type               Indicator           Description
Registry Key       NvmProtocal         Windows HKCU\...\CurrentVersion\Run persistence value
LaunchAgent Label  com.nvm.protocal    macOS login persistence agent
Systemd Unit       nvmconf.service     Linux systemd user-level persistence unit
Filename           protocal.cjs        Dropped Stage-2 implant filename
Directory          NodePackages        Drop directory name across Windows, macOS, and Linux
File               .pkg_history        Loader beacon file written to temp directory
File               .pkg_logs           XOR-encoded campaign marker file
URL Path           /update/49890878    Stage-2 download path and bot identifier

Guru Baran (https://cybersecuritynews.com): Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.