Mastra

supply-chain 2026-06-17 Critical
Mastra npm Scope Hijacked: 144 AI-Framework Packages Backdoored with the easy-day-js Stealer
An attacker hijacked a former contributor's npm account to republish ~144 @mastra packages — including @mastra/core (918K weekly downloads) — each pulling in easy-day-js, a dayjs typosquat that drops a cross-platform crypto/infostealer at install time.
npm supply-chain mastra easy-day-js infostealer ai-tooling javascript nodejs north-korea

Mastra npm Scope Hijacked: 144 AI-Framework Packages Backdoored with the easy-day-js Stealer