140+ Mastra npm Packages Compromised in Coordinated Supply Chain Attack

What Happened

Attackers compromised over 140 software packages belonging to the Mastra project on the npm registry. Developers and automated build systems that installed these packages were infected with malware that runs automatically during the installation process. This malware steals browser history, looks for cryptocurrency wallets, and allows attackers to take full control of the infected machine. Organizations using Mastra packages should immediately check their systems, remove the malicious versions, and rotate any exposed passwords or security keys.

Key Takeaways

• Over 140 Mastra npm packages were compromised via an injected typosquatted dependency named easy-day-js.
• The malicious payload executes automatically during npm install via a postinstall hook, before any code is imported.
• Stage 1 disables TLS validation and downloads a cross-platform Node.js tasking client.
• Stage 2 establishes persistence across Windows, macOS, and Linux using a Node/NVM masquerade.
• The malware inventories cryptocurrency wallets, steals browser history, and allows arbitrary follow-on code execution from the C2.

Affected Systems

• Windows
• macOS
• Linux
• CI/CD Runners
• Developer Workstations

Attack Chain

The attack begins when a developer or CI/CD pipeline installs a compromised @mastra/* npm package. This triggers the installation of a typosquatted dependency, easy-day-js, which executes an obfuscated loader (setup.cjs) via a postinstall hook. The loader disables TLS validation, beacons to a C2 server, and downloads a Stage 2 Node.js payload (protocal.cjs) which is executed as a detached process. The Stage 2 payload establishes persistence across Windows, macOS, or Linux using Node/NVM masquerading, inventories cryptocurrency wallets, steals browser history, and awaits further arbitrary commands from the C2 server.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules, but outlines behavioral indicators, file paths, and network IOCs for hunting.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions should easily detect the creation of persistence mechanisms (Run keys, LaunchAgents, systemd services) and anomalous detached child processes spawned by Node.js during package installation. Network Visibility: Medium — Network visibility depends on SSL inspection, as the C2 traffic is over HTTPS. However, the custom ICAP-style protocol and hardcoded User-Agent provide strong network hunting opportunities if headers are visible. Detection Difficulty: Moderate — While the initial execution blends in with normal npm install behavior, the subsequent persistence mechanisms and detached Node.js processes are highly anomalous and detectable.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon Event ID 1)
• File Creation (Sysmon Event ID 11)
• Registry Modifications (Sysmon Event ID 12/13/14)
• Network Connections (Sysmon Event ID 3)

Hunting Hypotheses

Control Gaps

• Lack of egress filtering on CI/CD runners
• Execution of npm lifecycle scripts by default

Key Behavioral Indicators

• Node.js process setting NODE_TLS_REJECT_UNAUTHORIZED=0
• Creation of .pkg_history or .pkg_logs in temp directories
• Custom ICAP-style HTTP POST requests with headers like reqmod, PrimaryUrl, SecondaryUrl

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Identify and isolate any developer workstations or CI/CD runners that installed the compromised @mastra/* packages or the easy-day-js dependency.
• Remove the malicious packages, delete node_modules, and clear local/CI package caches.
• Rotate any credentials, tokens, or SSH/Git keys that were present in the environment during the installation of the compromised packages.

Infrastructure Hardening

• Consider running npm installs with lifecycle scripts disabled by default (npm install --ignore-scripts).
• Evaluate implementing network egress controls on CI/CD runners and developer build environments to block outbound connections to raw IP literals.
• Consider enforcing dependency allowlisting and package cooldown periods to delay the adoption of newly published package versions.

User Protection

• If applicable, migrate funds from cryptocurrency wallets present on affected machines to new wallets generated from a fresh seed phrase on a clean device.
• Consider hunting for and removing the specific persistence artifacts (NvmProtocal Run key, com.nvm.protocal LaunchAgent, nvmconf.service) on affected endpoints.

Security Awareness

• Educate developers on the risks of typosquatting and the dangers of automatic script execution during package installation.

MITRE ATT&CK Mapping

• T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
• T1059.007 - Command and Scripting Interpreter: JavaScript
• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
• T1543.001 - Create or Modify System Process: Launch Agent
• T1543.002 - Create or Modify System Process: Systemd Service
• T1003 - OS Credential Dumping
• T1562.001 - Impair Defenses: Disable or Modify Tools
• T1036.005 - Masquerading: Match Legitimate Name or Location

Additional IOCs

• Ips:
  • 23[.]254[.]164[.]92 - Stage 1 C2 IP address.
  • 23[.]254[.]164[.]123 - Stage 2 C2 IP address.
• Domains:
  • hwsrv-1327786[.]hostwindsdns[.]com - Domain associated with attacker infrastructure.
  • hwsrv-1327785[.]hostwindsdns[.]com - Domain associated with attacker infrastructure.
• File Hashes:
  • c38954e85bf5433e61e7c8f4230336695624ae88b6953afabf7bf817aa91b638 (sha256) - Hash of [email protected] package.json.
  • cdec8b20338beb708b5be8d3d7a3041a35a8b0fb92f9186262f312d55ff82066 (sha256) - Hash of a loader variant.
  • 9570f77a5e1511869f4e554e7166df9fde081f2583e293c2569621792ed7d9c9 (sha256) - Hash of a loader variant.
• Registry Keys:
  • HKCU\...\CurrentVersion\Run - Windows persistence mechanism using the value name 'NvmProtocal'.
• File Paths:
  • C:\ProgramData\NodePackages\protocal.cjs - Windows drop path for the Stage 2 payload.
  • C:\ProgramData\NodePackages\config.json - Windows drop path for the Stage 2 configuration.
  • ~/Library/LaunchAgents/com.nvm.protocal.plist - macOS persistence LaunchAgent.
  • ~/Library/NodePackages/protocal.cjs - macOS drop path for the Stage 2 payload.
  • ~/.config/systemd/user/nvmconf.service - Linux persistence systemd user unit.
  • ~/.config/systemd/nvmconf/protocal.cjs - Linux drop path for the Stage 2 payload.
  • ~/.config/NodePackages/config.json - Linux drop path for the Stage 2 configuration.
• Command Lines:
  • Purpose: Executes the obfuscated loader during the npm postinstall phase. | Tools: node, npm | Stage: Execution | node setup.cjs --no-warnings
• Other:
  • NvmProtocal - Windows Run-key value name.
  • com.nvm.protocal - macOS LaunchAgent label.
  • nvmconf.service - Linux systemd unit name.
  • mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) - Hardcoded spoofed User-Agent used for C2 communication.