TP-2026-0376 critical AI Draft C

Mastra npm Supply-Chain Compromise via easy-day-js Postinstall Payload

Date June 17, 2026
Attack Type supply-chain
Sector Open-source software / developer tooling
Geography Global
Threat Actor Unknown
Attribution A4
Confidence C

Summary

On 2026-06-17, Microsoft, StepSecurity, and Aikido Security reported a supply-chain compromise affecting Mastra npm packages, including unscoped mastra and create-mastra packages and packages published under the @mastra scope. The packages were modified to depend on easy-day-js, a package whose 1.11.22 release carried a malicious postinstall hook. Microsoft reported that 140+ packages were affected, and Aikido Security reported 141 packages. The combined affected packages accounted for more than 1.1 million weekly downloads. Microsoft stated that the compromised packages were removed and that publish access to @mastra was revoked.

Technical Analysis

The malicious code was delivered through easy-day-js. A clean 1.11.21 release was published first as a bait version, followed by a malicious 1.11.22 release containing a postinstall hook. When a package depending on the compromised release was installed, the hook executed automatically.

The postinstall payload acted as a dropper: it downloaded a second-stage payload from an external source and then deleted itself to reduce on-disk traces. Affected Mastra packages were altered to pull in the malicious easy-day-js release, propagating the payload to any environment that installed or updated those packages.

Attack Chain

  1. A clean easy-day-js 1.11.21 release was published as a bait version.
  2. A malicious easy-day-js 1.11.22 release was published with a postinstall hook.
  3. Mastra packages, including unscoped packages and packages under the @mastra scope, were modified to depend on the malicious easy-day-js release.
  4. Installation of an affected package triggered the postinstall hook.
  5. The dropper downloaded a second-stage payload and deleted itself.

Impact Assessment

The affected packages represented more than 1.1 million weekly downloads, exposing a large set of developer and build environments to automatic payload execution during installation. Any environment that installed or updated an affected Mastra package, or pulled in the malicious easy-day-js release transitively, may have executed the dropper. Because the payload ran at install time and retrieved a second stage, the full scope of post-execution activity depends on what the second stage performed in each environment.

Attribution

The actor responsible for the compromise is unknown. Reporting from Microsoft, StepSecurity, and Aikido Security documented the technical mechanism and affected packages but did not attribute the activity to a named actor or group.

Timeline

2026-06-17 — Compromise reported

Microsoft, StepSecurity, and Aikido Security published reports describing the compromise of Mastra packages via the malicious easy-day-js release.

2026-06-17 — Removal and access revocation

Microsoft reported that the compromised packages were removed and that publish access to @mastra was revoked.

Remediation & Mitigation

  • Identify whether any affected Mastra package, including mastra, create-mastra, packages under the @mastra scope, or easy-day-js 1.11.22, was installed or cached in build, CI, or developer environments.
  • Remove the malicious easy-day-js 1.11.22 release and rebuild affected dependency trees from a known-good state.
  • Inspect environments that ran the postinstall hook for evidence of second-stage activity and outbound network connections.
  • Rotate credentials and tokens that were accessible in any environment where the payload executed.
  • Pin dependencies and review lockfiles before reinstalling, and consider disabling install scripts in untrusted contexts.
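The lockfile review in the first and last items above can be automated. The following is an added example written for this report, not code from Microsoft, StepSecurity, Aikido Security or the Mastra project: it walks an npm package-lock.json (lockfileVersion 2 or 3, where the "packages" map is keyed by node_modules path) and flags the easy-day-js 1.11.22 release, any mastra / create-mastra / @mastra/* package that depends on easy-day-js, and any entry that npm recorded as carrying an install script. The sample lockfile fragment, including the @mastra/core version, is constructed for the demonstration.

```javascript
// Added example: scan an npm lockfile for the indicators named in the report.
// Assumes lockfileVersion 2/3 ("packages" map keyed by node_modules path).

const BAD_PACKAGE = "easy-day-js";   // from the report
const BAD_VERSION = "1.11.22";       // malicious release named in the report

function isMastraPackage(name) {
  return name === "mastra" || name === "create-mastra" || name.startsWith("@mastra/");
}

// Derive the package name from a lockfile key such as
// "node_modules/@mastra/core/node_modules/easy-day-js" -> "easy-day-js".
function nameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? p : p.slice(idx + "node_modules/".length);
}

// Returns one finding per (path, reason) pair; an empty array means clean.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    const name = nameFromPath(path);
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (name === BAD_PACKAGE && entry.version === BAD_VERSION) {
      findings.push({ path, reason: "malicious-release" });
    }
    if (isMastraPackage(name) && deps[BAD_PACKAGE] !== undefined) {
      findings.push({ path, reason: "mastra-depends-on-easy-day-js" });
    }
    // npm 7+ records hasInstallScript for packages with (pre|post)install scripts.
    if (entry.hasInstallScript === true) {
      findings.push({ path, reason: "install-script" });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@mastra/core": { version: "0.0.0-example", dependencies: { "easy-day-js": "^1.11.22" } },
    "node_modules/easy-day-js": { version: "1.11.22", hasInstallScript: true },
    "node_modules/create-mastra": { version: "0.0.0-example" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`${f.reason}: ${f.path}`);
```

Replace SAMPLE_LOCK with the parsed contents of a real package-lock.json to scan a project; a non-empty result means the dependency tree should be rebuilt from a known-good state before reinstalling.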

Sources & References