
Mastra @mastra/* npm packages hit by network compromise

Type: Incident
Happening score: 24
Sources: 1 unique source, 1 article

Summary


The Mastra @mastra/* npm packages were compromised in a software supply chain attack, putting installs at risk of workstation, CI runner, and build-environment compromise. The malicious wave used a hijacked ehindero account to mass-publish more than 140 packages on 2026-06-17. A dependency on easy-day-js introduced a postinstall loader that fetched a second stage from 23.254.164[.]92 and exfiltrated data to 23.254.164[.]123.

Related Happenings

Easy-day-js Mastra package-publishing campaign

Campaign
H score 30 · First: 17.06.2026 10:38 · Last: 17.06.2026 10:38 · Sources: 1

How related: "A single npm account (ehindero) mass-published more than 140 malicious packages across the Mastra scope within a short window on 2026-06-17," Socket said.

About this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...

Miasma software supply chain campaign expands to new PyPI wave

Campaign
H score 29 · First: 09.06.2026 19:34 · Last: 09.06.2026 19:34 · Sources: 1

About this happening: The **Miasma** supply-chain campaign has expanded into a new **PyPI** wave, increasing the risk that developers and downstream users will ingest **information-stealing malware** t...

JINX-0164 cryptocurrency recruitment-lure campaign

Campaign
H score 39 · First: 28.05.2026 10:54 · Last: 28.05.2026 10:54 · Sources: 1

About this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score 33 · First: 18.05.2026 12:45 · Last: 18.05.2026 12:45 · Sources: 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX

Malware Activity
H score 42 · First: 17.03.2026 23:42 · Last: 17.03.2026 23:42 · Sources: 1

About this happening: **GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...

Latest development: 28.04.2026 00:41

GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.

Timeline

  1. 17.06.2026 10:38 · 2 articles

    Mastra @mastra/* npm packages hit by network compromise

    Initial Disclosure

    A hijacked **ehindero** contributor account mass-published malicious releases across the **Mastra** npm scope on **2026-06-17**. The compromise spread through a dependency on **easy-day-js**, which was inserted into affected package manifests.
