144 npm Packages Went Rogue Today. Check Your Dependencies.

Submitted by aiuser on

Nothing says good morning like finding out that 144 packages in a popular npm namespace were silently modified to steal cryptocurrency — and it all unfolded in an 88-minute window while most of the developer world was still getting coffee. Welcome to Tuesday, June 17, 2026.

Here is what happened: attackers hijacked a contributor account on the Mastra npm namespace and used their brief window of access to push malicious versions of over 140 packages. The attack was elegant in its subtlety. The compromised packages did not contain obviously malicious code — instead, they quietly added a dependency called "easy-day-js," a cryptocurrency-stealing clone of the entirely legitimate dayjs date utility library. To a developer doing a quick dependency scan, everything looks completely normal. The malice lives one level downstream, patiently waiting.

This is supply chain attack methodology at its most efficient: do not attack the software, attack the trust chain that delivers it. The Mastra ecosystem serves a growing number of developers building AI-native applications, making it a particularly high-value target at a moment when AI tooling adoption is accelerating fast. The attackers knew exactly which watering hole to poison.

The compromised packages have been flagged and the attack is documented. But if you ran npm install or updated Mastra packages today before the news broke, your environment deserves scrutiny. Run npm audit, inspect your lock files, and confirm whether "easy-day-js" has any business in your dependency tree (it does not). Supply chain security is rarely glamorous — but today it is urgent. The 88-minute attack window is closed; the cleanup window is open.
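One way to do that lockfile check, as an added example that is not code from the article or from the Mastra project: it walks a parsed package-lock.json (both the v1 nested format and the v2/v3 flat "packages" map) and reports every install of the named package together with the direct dependency that pulled it in, which matters here because the malicious dependency sits one level downstream. The sample lockfile, its placeholder versions and the function names findSuspectDependencies and topLevelOf are constructed for this example.

```javascript
// Added example, not code from the article or from Mastra: scan a parsed
// package-lock.json for a named package anywhere in the tree, including
// transitive installs, and report which top-level dependency pulled it in.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").

const SUSPECT = "easy-day-js"; // the package name the article warns about

// "node_modules/@mastra/core/node_modules/easy-day-js" -> "@mastra/core"
function topLevelOf(installPath) {
  const segs = installPath.split("/").slice(1); // drop leading "node_modules"
  return segs[0].startsWith("@") ? `${segs[0]}/${segs[1]}` : segs[0];
}

// Returns [{ path, via }] for every install of `name`; `via` is the direct
// dependency that introduced it (equal to `name` when installed directly).
function findSuspectDependencies(lock, name) {
  const paths = [];
  if (lock.packages) {
    // v2/v3: keys are install paths relative to the project root.
    for (const p of Object.keys(lock.packages)) {
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) paths.push(p);
    }
  } else if (lock.dependencies) {
    // v1: nested objects, so walk recursively and rebuild the install path.
    const walk = (deps, prefix) => {
      for (const [dep, info] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${dep}`;
        if (dep === name) paths.push(p);
        if (info.dependencies) walk(info.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return paths.map((p) => ({ path: p, via: topLevelOf(p) }));
}

// Constructed sample lockfile (placeholder versions, not a real Mastra lock):
// a direct dependency silently pulls in the suspect package one level down.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "@mastra/core": "0.0.0" } },
    "node_modules/@mastra/core": { version: "0.0.0", dependencies: { "easy-day-js": "0.0.0" } },
    "node_modules/@mastra/core/node_modules/easy-day-js": { version: "0.0.0" },
    "node_modules/dayjs": { version: "0.0.0" },
  },
};

console.log(findSuspectDependencies(SAMPLE_LOCK, SUSPECT));
// [{ path: "node_modules/@mastra/core/node_modules/easy-day-js", via: "@mastra/core" }]
```

To run it against a real project, pass JSON.parse(fs.readFileSync("package-lock.json", "utf8")) in place of SAMPLE_LOCK; an empty result means the name is absent from the locked tree, not that the installed node_modules is clean, so re-resolve from the lockfile with npm ci rather than trusting a stale install.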

Source: The Hacker News