140+ npm Packages Compromised in Coordinated Supply Chain Attack

Description

More than 140 Mastra npm packages were compromised through a supply chain attack that injected a typosquatted dependency called easy-day-js. A single npm account published malicious versions within a short timeframe, affecting packages including @mastra/core with over 918K weekly downloads. The attack executes during npm install via a postinstall hook, deploying a two-stage payload. The first stage disables TLS validation and downloads a second-stage implant that installs cross-platform persistence on Windows, macOS, and Linux. This implant functions as a command-and-control client that steals cryptocurrency wallet inventories from 166+ browser extensions, harvests browser history, and can execute arbitrary code sent by operators. The malicious code executes before developers import packages, compromising systems during installation.