Supply chain

Mastra npm packages compromised in ‘easy-day-js’ supply chain attack


As many as 144 npm packages in the Mastra namespace have been compromised in a software supply chain attack named after the dependency that carried it, easy-day-js. Mastra is a popular open-source JavaScript and TypeScript framework for building artificial intelligence applications. The incident was uncovered through findings from JFrog, SafeDep, Socket, and StepSecurity, as reported by The Hacker News.

The attackers compromised an npm account and used it to mass-publish over 140 malicious packages under the Mastra scope. The malicious code was not placed directly in the Mastra packages; it was introduced through a third-party dependency named "easy-day-js." That library was initially published clean and later updated with malicious changes. The "easy-day-js" package executes an obfuscated payload from its postinstall hook, which acts as a dropper for a second stage. After disabling TLS certificate validation, the dropper retrieves further malicious code from attacker-controlled infrastructure. The final payload is a cross-platform information stealer that harvests browser data and cryptocurrency wallet information, establishes persistence on Windows, macOS, and Linux, and then exfiltrates the collected data.

The attackers reportedly hijacked a legitimate former Mastra contributor's account. NPM has since removed the malicious versions. Any system that installed the affected packages should be considered potentially compromised, and users are advised to roll back to safe versions, rotate credentials, and audit hosts.

Source: The Hacker News
