SecurityXP

Mastra npm packages compromised in 'easy-day-js' supply chain attack (App Security)

3 min read · SecurityXP

A critical supply chain attack was disclosed affecting the entire @mastra/* npm scope, allowing attackers to deploy a cross-platform infostealer on any system that installed affected packages. By exploiting npm's install-time script execution, the attackers gained the ability to harvest browser data from Chrome, Edge, and Brave; extract credentials from 166 cryptocurrency wallet extensions (including MetaMask, Phantom, Coinbase, and Binance); perform full host reconnaissance; establish cross-platform persistence; and exfiltrate all collected data to attacker infrastructure.

The Security Issue

The malicious dependency easy-day-js@1.11.22 is the direct vector. Because the compromised @mastra/* packages pinned "^1.11.21", npm's semver resolution automatically pulled the malicious version.

The day before the mass-publish, the attacker published a clean easy-day-js@1.11.21 to establish credibility, then weaponized it as v1.11.22 minutes before the mass-publish. The attacker infrastructure identified as network IOCs to block is 23.254.164.92 and 23.254.164.123 (Hostwinds, ASN AS54290).

Risk to Applications

Because compromise requires no user interaction beyond running "npm install", and the payload enables credential theft, cryptocurrency wallet compromise, and full system persistence, immediate remediation is required for all affected environments.

Regardless of attribution, the severity and ease of exploitation make this incident high risk, especially for organizations with large JavaScript/TypeScript codebases and CI/CD pipelines that pull npm dependencies automatically.

Successful exploitation allows attackers to steal credentials and secrets, compromise cryptocurrency wallets, establish persistent access across all major operating systems, and execute arbitrary code remotely, leading to service disruption, data exposure, and potential full infrastructure compromise.

How Orca Can Help

Orca enables customers to quickly identify assets running compromised @mastra/* package versions and detect the presence of the malicious easy-day-js dependency across cloud workloads, container images, and CI/CD pipelines.

Fix Recommendations

  1. Block the network IOCs 23.254.164.92 and 23.254.164.123 (Hostwinds, ASN AS54290).

  2. Identify assets running compromised @mastra/* package versions and detect the malicious easy-day-js dependency across cloud workloads, container images, and CI/CD pipelines; Orca provides this visibility for its customers.

Analysis

As AI tooling proliferates, security teams face expanding attack surfaces tied to model inference and data pipelines.

Security teams should monitor vendor advisories and threat intelligence sources closely for additional context or updates. Organizations with mature security programs are advised to incorporate this intelligence into their regular risk assessments and prioritize response activities based on exposure and asset criticality. For environments where immediate remediation is not feasible, compensating controls such as network segmentation, enhanced monitoring, and access restrictions should be evaluated. Security leadership should communicate relevant details to operational teams and ensure that incident response capabilities are prepared if exploitation is observed in the wild.

Industry observers note that this type of development highlights the ongoing need for defense-in-depth strategies and proactive security posture management. Organizations that invest in regular security assessments and employee training tend to fare better when responding to emerging threats. The security community continues to share indicators and best practices to help defenders stay ahead.

Sources

  1. https://www.scworld.com/brief/mastra-npm-packages-compromised-in-easy-day-js-supply-chain-attack
  2. https://orca.security/resources/blog/mastra-npm-supply-chain-attack/