Date: 06/19/2026
Severity: High
Summary
Analysis of the Mastra npm supply chain compromise revealed that attackers abused a trusted package ecosystem by introducing a malicious postinstall payload through a typosquatted dependency named easy-day-js. The malware was automatically executed during package installation, downloaded a second-stage payload, and attempted to hide its tracks through obfuscation and self-deletion. The attack impacted 140+ @mastra npm packages, exposing developers and CI/CD environments to potential compromise. The final payload deployed a stealer, targeting API tokens, developer secrets, and credentials.
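A lockfile check for the dependency named above, as an added example that is not part of the original advisory or the vendor's tooling: it reads a package-lock.json (lockfileVersion 2 or 3) and reports where easy-day-js resolves, which packages declare it, and which packages carry install scripts. The sample lockfile, the `@example/agent` and `left-pad-demo` package names and all version numbers are constructed for illustration.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3).
const SUSPECT = "easy-day-js"; // dependency name from the advisory above
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// "node_modules/@scope/a/node_modules/b" -> "b"; the root entry ("") -> "".
function nameFromPath(pkgPath) {
  const marker = "node_modules/";
  const idx = pkgPath.lastIndexOf(marker);
  return idx === -1 ? "" : pkgPath.slice(idx + marker.length);
}

function auditLockfile(lock, suspect = SUSPECT) {
  const findings = { installed: [], requiredBy: [], installScripts: [] };
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(pkgPath) || meta.name || "(root)";
    // 1. The suspect package itself is resolved somewhere in the tree.
    if (name === suspect) findings.installed.push({ path: pkgPath, version: meta.version });
    // 2. A package declares the suspect as a dependency (shows how it got pulled in).
    for (const field of DEP_FIELDS) {
      if (Object.prototype.hasOwnProperty.call(meta[field] || {}, suspect)) {
        findings.requiredBy.push({ name, version: meta.version, field });
      }
    }
    // 3. npm sets hasInstallScript on entries with preinstall/install/postinstall hooks.
    if (meta.hasInstallScript) findings.installScripts.push({ name, version: meta.version });
  }
  return findings;
}

// Constructed sample lockfile: "@example/agent", "left-pad-demo" and all versions are made up.
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { "@example/agent": "^1.0.0" } },
    "node_modules/@example/agent": { version: "1.2.3", dependencies: { "easy-day-js": "^1.0.0" } },
    "node_modules/easy-day-js": { version: "1.0.0", hasInstallScript: true },
    "node_modules/left-pad-demo": { version: "0.1.0" },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

To audit a real project, pass the parsed contents of its package-lock.json to `auditLockfile`. Installing with `npm ci --ignore-scripts` keeps lifecycle hooks such as postinstall from running while the dependency tree is reviewed.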
Indicators of Compromise (IOC) List
Domain/URL: https://23.254.164.92:8000/update/49890878
IP Address: 23.254.164.92, 23.254.164.123
Hash:
B122A9873BEDF145AE2A7FD024B5F309007DBB025149F4DC4AC3F7E4F32A36A4
AE70DD4F6BC0D1C8C2848E4E6B51934626C4818DCB5AF99D080DDBD7DC337185
B73DE25C053C3225A077738A1FCBD9CA6966D7B3CD6F5494A30F0AA0EAE55C7E
221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: domainname like "https://23.254.164.92:8000/update/49890878" or url like "https://23.254.164.92:8000/update/49890878" or siteurl like "https://23.254.164.92:8000/update/49890878"
Detection Query 2: dstipaddress IN ("23.254.164.123","23.254.164.92") or srcipaddress IN ("23.254.164.123","23.254.164.92")
Detection Query 3: sha256hash IN ("B73DE25C053C3225A077738A1FCBD9CA6966D7B3CD6F5494A30F0AA0EAE55C7E","AE70DD4F6BC0D1C8C2848E4E6B51934626C4818DCB5AF99D080DDBD7DC337185","B122A9873BEDF145AE2A7FD024B5F309007DBB025149F4DC4AC3F7E4F32A36A4","221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf")
Reference:
https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/