Mastra npm Supply Chain Attack: What IT Teams Need to Know
Summary
Microsoft has detailed a large-scale npm supply chain compromise affecting more than 140 Mastra packages after an attacker took over a maintainer account and injected a malicious dependency. The attack is significant because the payload executed during npm install, putting developer workstations and CI/CD pipelines at risk even if the package was never directly used in code.
Introduction
Microsoft has published new research on a major npm supply chain compromise affecting the Mastra package ecosystem. This incident matters to security teams, developers, and administrators because the malicious code ran during npm install, meaning exposure could occur on developer endpoints and build pipelines without the package ever being imported by an application.
What happened
Microsoft Threat Intelligence found that an attacker compromised the ehindero npm maintainer account, which had publish rights across the @mastra scope. Using that access, the attacker published poisoned versions of more than 140 packages.
The malicious packages introduced a dependency on easy-day-js, a typosquatted package impersonating the legitimate dayjs library.
Key attack details
- The attacker first published a clean bait version of easy-day-js.
- A second version later added a postinstall hook that ran automatically during package installation.
- The dropper used obfuscation, disabled TLS certificate verification, and contacted attacker-controlled infrastructure.
- A second-stage payload was downloaded and launched as a hidden detached Node.js process.
- All compromised package versions were tagged as latest, increasing the chance that npm install or npm update would pull them automatically.
Why this matters for IT administrators
This was not just a developer issue. Any developer workstation, build server, or CI/CD pipeline that installed the compromised versions may have been exposed.
Potential impact includes:
- Theft of developer credentials and access tokens
- Exposure of build environments and secrets
- Risk to downstream software integrity
- Hidden malicious execution during automated package installation
Because the payload executed at install time, organizations may have been affected even if the package was never referenced in production code.
Microsoft protection and detections
Microsoft says Defender Antivirus, Defender for Endpoint, and Defender XDR provide detection coverage for suspicious Node.js activity, malicious package behavior, persistence, reflective code loading, and command-and-control traffic. The company also shared findings with the npm security team, and the compromised packages were removed.
Recommended next steps
Administrators and security teams should:
- Review whether any systems ran npm install or npm update against affected Mastra packages
- Investigate developer endpoints and CI/CD runners for suspicious Node.js execution
- Hunt for indicators linked to easy-day-js and unexpected postinstall activity
- Rotate tokens, credentials, and secrets that may have been accessible from build environments
- Confirm package integrity and lock down npm publishing with stronger account protections
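As an added illustration of the "hunt for indicators" step above (example code written for this article, not part of Microsoft's report or the Mastra project), the following Node.js script reads an npm lockfile and flags the two signals this incident left behind: any package named easy-day-js or depending on it, and any package that npm recorded as carrying an install-time lifecycle script (the lockfile field hasInstallScript). The embedded lockfile, the package name @mastra/example-pkg and all version numbers are constructed placeholders.

```javascript
// Added example (not from Microsoft's report or the Mastra project): scan an npm
// lockfile (package-lock.json, lockfileVersion 2 or 3) for two signals this incident
// left behind: a dependency on the typosquatted "easy-day-js" package, and packages
// that run install-time lifecycle scripts (recorded as "hasInstallScript": true).
const SUSPECT_NAMES = new Set(["easy-day-js"]); // package name from the report

// Lockfile "packages" keys are paths such as "node_modules/@scope/pkg".
function packageNameFromPath(nodePath) {
  const idx = nodePath.lastIndexOf("node_modules/");
  return idx === -1 ? nodePath : nodePath.slice(idx + "node_modules/".length);
}

// Returns {name, version, reason} findings; an empty list means no signal.
function scanLockfile(lock) {
  const findings = [];
  for (const [nodePath, meta] of Object.entries(lock.packages || {})) {
    if (nodePath === "") continue; // "" is the root project itself
    const name = packageNameFromPath(nodePath);
    const version = meta.version || "unknown";
    if (SUSPECT_NAMES.has(name)) findings.push({ name, version, reason: "suspect-package" });
    for (const dep of Object.keys(meta.dependencies || {})) {
      if (SUSPECT_NAMES.has(dep)) findings.push({ name, version, reason: `depends-on:${dep}` });
    }
    if (meta.hasInstallScript === true) findings.push({ name, version, reason: "install-script" });
  }
  return findings;
}

// Constructed sample lockfile: "@mastra/example-pkg" and every version number are
// placeholders, not real data from the incident.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@mastra/example-pkg": "0.0.0" } },
    "node_modules/@mastra/example-pkg": { version: "0.0.0", dependencies: { "easy-day-js": "^1.0.0" } },
    "node_modules/easy-day-js": { version: "1.0.0", hasInstallScript: true },
    "node_modules/dayjs": { version: "1.11.0" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`${f.reason}\t${f.name}@${f.version}`);
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json; an install-script finding on a package you do not recognise is worth a manual look at that package's package.json scripts, and builds can be run with npm's ignore-scripts option while the review is in progress.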
This incident is another reminder that software supply chain attacks increasingly target package managers and automated build workflows, making visibility across developer tools and endpoints essential.