easy-day-js

easy-day-js is a deliberate typosquat of the popular dayjs library, published the day prior by a separate account ( sergey2016 ).

On June 17, 2026, the npm account “ehindero” was hijacked to deliver malware targeting the @mastra organization on npm.

An attacker republished the entire @mastra npm scope on June 17, 2026, slipping a single malicious dependency into 142 packages... This attack on an npm package was made possible due to a former contributor account whose scope access was never revoked.

A sophisticated supply chain attack has targeted the Mastra-AI npm ecosystem... exploited a typosquatting dependency to deliver multi-stage malware... a single npm account identified as ehindero mass-published malicious versions of 141 @mastra/* packages... the only change was a single injected dependency in each manifest: "easy-day-js": "^1.11.21".

easy-day-js is a typosquat of the popular dayjs library, published the day before (2026-06-16) by a separate account, sergey2016.

a subsequent version introduced crypto-stealing logic inside a post-install script.

easy-day-js@1.11.22 ships a setup.cjs that runs as a postinstall hook.

Any npm install for a compromised @mastra/* package pulls easy-day-js@1.11.22, which runs a postinstall dropper, downloads a cross-platform RAT, installing persistent backdoors on macOS, Linux, and Windows.

The "easy-day-js" package launches an obfuscated payload that's fired during a postinstall hook, which acts as a dropper or loader for a second-stage payload retrieved from attacker-controlled infrastructure.

On June 17, 2026, the npm account “ehindero” was hijacked to deliver malware targeting the @mastra organization on npm.

Version 1.11.22, however, added a weaponized postinstall hook running node setup.cjs , executing the malicious payload automatically during npm install — before any developer imports or uses the package.

On June 17, 2026, the npm account “ehindero” was hijacked to deliver malware targeting the @mastra organization on npm.

Version 1.11.22, however, added a weaponized postinstall hook running node setup.cjs , executing the malicious payload automatically during npm install — before any developer imports or uses the package.

The "easy-day-js" package launches an obfuscated payload that's fired during a postinstall hook...

The attack leverages a typosquatting strategy; the injected dependency, easy-day-js@1.11.22, masquerades as the legitimate dayjs library.

Deletes itself to reduce forensic traces.

Next, it fetches a second-stage payload, runs it as a detached background process, and deletes itself to hide its tracks.

On June 17, 2026, the npm account “ehindero” was hijacked to deliver malware targeting the @mastra organization on npm.

Writes it to the temp directory and spawns it as a detached, hidden background process with no console output.

The "easy-day-js" package launches an obfuscated payload that's fired during a postinstall hook, which acts as a dropper or loader for a second-stage payload retrieved from attacker-controlled infrastructure.

The final stage is a cross-platform information stealer that can harvest browser history...

The recovered second stage is a powerful infostealer. Notably, it steals browser history and raids the stored data of over 160 cryptocurrency wallet extensions.

downloads and executes a second-stage payload from https://23.254.164.92:8000/update/49890878 ... The argument 23.254.164.123:443 passed as process.argv[2] is almost certainly the stage-2 beacon or command-and-control address.

Downloads a second-stage payload from https://23.254.164[.]92:8000/update/49890878 ... Writes it to the temp directory and spawns it as a detached, hidden background process.

Stolen data then flows out to the operators’ command-and-control servers.

Disables TLS certificate validation by setting NODE_TLS_REJECT_UNAUTHORIZED='0', so an HTTPS fetch succeeds against a self-signed certificate on a raw IP.