Mastra npm packages compromised in supply-chain attack
Multiple npm packages under the @mastra/* namespace were mass-published with a malicious dependency on June 16–17, 2026, as part of a supply-chain campaign named easy-day-js. The injected library, easy-day-js, runs an obfuscated postinstall payload that downloads a second-stage trojan from attacker infrastructure and disables TLS validation. Victims should treat any systems that installed the affected versions as potentially compromised, roll back to safe releases, rotate secrets, and audit hosts for signs of the stealer.
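As a starting point for that audit, here is an added example (not code from Mastra, npm or the original report) that checks a parsed package-lock.json for the easy-day-js dependency and lists the packages that pull it in. It matches on the dependency name because this page does not list affected versions; the package name `@mastra/example-pkg` and all version strings in the sample are constructed placeholders.

```javascript
// Added example: find the easy-day-js dependency in a parsed package-lock.json (v1, v2 or v3).
const BAD_DEP = "easy-day-js";
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; workspace paths pass through.
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i < 0 ? p : p.slice(i + "node_modules/".length);
}

function scanLock(lock) {
  const installed = []; // copies of easy-day-js present in the resolved tree
  const parents = [];   // packages that declare it as a dependency
  const declares = (e, keys) => keys.some((k) => e[k] && BAD_DEP in e[k]);
  if (lock.packages) { // lockfile v2/v3: flat map keyed by install path
    const keys = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
    for (const [path, e] of Object.entries(lock.packages)) {
      const name = path ? nameFromPath(path) : "(root project)";
      if (name === BAD_DEP)
        installed.push({ path, version: e.version, hasInstallScript: e.hasInstallScript === true });
      if (declares(e, keys)) parents.push(`${name}@${e.version}`);
    }
  } else { // lockfile v1: nested tree, declared deps live under "requires"
    const walk = (deps, trail) => {
      for (const [name, e] of Object.entries(deps || {})) {
        const path = `${trail}node_modules/${name}`;
        if (name === BAD_DEP) installed.push({ path, version: e.version });
        if (declares(e, ["requires"])) parents.push(`${name}@${e.version}`);
        walk(e.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return { installed, parents, affected: installed.length + parents.length > 0 };
}

// Constructed sample: package name and versions are placeholders, not real releases.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { "@mastra/example-pkg": "*" } },
    "node_modules/@mastra/example-pkg": { version: "0.0.0-sample", dependencies: { "easy-day-js": "*" } },
    "node_modules/easy-day-js": { version: "0.0.0-sample", hasInstallScript: true },
    "node_modules/dayjs": { version: "0.0.0-sample" },
  },
};

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const file = process.argv[2]; // optional path to a real package-lock.json
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  console.log(JSON.stringify(scanLock(lock), null, 2));
}
```

A clean result only describes what the lockfile resolves to now; a host that installed an affected version earlier still needs the secret rotation and host audit described above.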