TL;DR: On June 17, 2026, an attacker hijacked the Mastra npm organization and pushed 144 packages across the popular open-source AI agent framework with easy-day-js - a dayjs typosquat - silently added as a dependency. Per StepSecurity's reporting, the dependency's postinstall script downloaded a cross-platform information stealer that harvested browser data, crypto wallets, and credentials on Windows, macOS, and Linux. Weekly downloads of the affected packages exceed 1.1 million. NC small businesses experimenting with AI agent builders need an npm dependency audit and a lockfile policy this week.
Key takeaway: AI tooling is a supply-chain attack surface. NC SMBs building or integrating with open-source AI frameworks should treat
npm installon a developer workstation the same way they treat opening an unknown attachment - never on a privileged machine, never without a lockfile, never without a postinstall review.
Need to verify your developer workstations are clean? Preferred Data Corporation has supported NC small businesses since 1987 and can audit your build pipeline this week. Call (336) 886-3282 or request an AI supply chain audit.
What happened in the Mastra npm supply chain attack?
On June 17, 2026, an attacker used a hijacked npm contributor account ("ehindero") to publish 144 packages across the @mastra/* scope with a typosquat dependency called easy-day-js quietly added to each package's production dependencies field. Per The Hacker News reporting, the entire republish campaign ran in 88 minutes - well below the time it takes most SMBs to even read a security advisory.
The technique was a two-stage decoy. Per Phoenix Security's analysis, npm user sergey2016 first published [email protected] on June 16 at 07:05 UTC as a clean, fully functional copy of the legitimate dayjs library. Eleven minutes after that, the attacker uploaded a malicious 1.11.22 and used the hijacked Mastra credentials to mass-publish updates that pinned to "easy-day-js": "^1.11.21". The caret means npm always resolves to the latest matching version at install - so every fresh npm install after that pulled the malicious one.
The payload was a cross-platform information stealer. Per Sonatype's writeup, once installed it harvested browser data, cryptocurrency wallet contents, saved credentials, and established persistence on Windows, macOS, and Linux before exfiltrating to attacker-controlled infrastructure. The postinstall script then deleted itself to remove forensic evidence.
Why is the Mastra attack a small business problem, not just a developer problem?
Because Mastra is an AI agent framework, the developer workstations that pulled the malicious package are not in big-tech research labs - they are inside NC SMBs trying to add a chatbot, an agent, or an automation to their business. Per SC Media coverage, the combined weekly download count of the affected packages exceeds 1.1 million, and the flagship @mastra/core alone runs at roughly 918,000 weekly downloads.
That number translates to thousands of SMB developer machines that touched the compromised packages between June 16 and June 17 - and the info stealer ran with the credentials of every developer who did. Per OX Security's writeup, the stealer targets browser session cookies (which bypass MFA), saved password vaults, SSH keys, cloud credentials, and crypto wallet seed phrases - the exact data an attacker needs to pivot from a single developer laptop into the SMB's production cloud, source code, and customer data.
Quotable definition: An npm typosquat-and-pin attack is a supply chain compromise in which an attacker (1) registers a package with a name confusingly similar to a popular library, (2) gets it added as a dependency on a legitimate scope via a hijacked publisher account, and (3) uploads a malicious payload after the dependency is pinned, ensuring every fresh install pulls the malicious version.
How does this differ from prior npm supply chain attacks?
Three things make the Mastra incident distinct from earlier npm supply chain attacks NC SMBs have absorbed in 2026. Per Orca Security's analysis and our prior coverage of similar incidents:
| Attack vector | Direct package compromise | Mastra easy-day-js (June 17, 2026) |
|---|---|---|
| Who gets the malicious code | Anyone updating the named package | Anyone installing any of 144 Mastra packages |
| What gets compromised | Source package itself | A pinned dependency one level deep |
| Detection difficulty | Moderate - version change visible | Hard - parent package version unchanged |
| AI builder exposure | Limited | Maximum - AI framework is the target scope |
| Reverse-shell vs info stealer | Mixed | Cross-platform info stealer with persistence |
| Window of exposure | Hours to days | At least 88 minutes of mass publishing |
The detection difficulty matters. When a developer runs npm install @mastra/core and the parent package's version did not change, the developer has no visible cue that a new transitive dependency was injected. The malicious code arrives quietly in a typosquat library nobody asked for.
Which NC small businesses are most exposed to AI-framework supply chain attacks?
NC SMBs that have started building or integrating AI agents, copilots, or workflow automations using open-source frameworks - and NC SMBs whose engineers and IT staff run npm install on their everyday work laptop instead of on an isolated build VM. Per the Open Source Security Foundation (OpenSSF), the SMB segment is the dominant npm consumer base by user count, and SMB developer hygiene lags enterprise practice by years.
Highest-exposure NC SMB profiles:
- NC manufacturers in High Point, Winston-Salem, and Greensboro integrating AI agents into ERP, MES, or quoting workflows. A single compromised developer laptop is a foothold into the production ERP cloud, vendor contracts, and customer pricing data. See our AI transformation services page for governance.
- NC professional services firms in Charlotte and Raleigh using AI agents to summarize client documents. The info stealer harvests browser sessions to cloud document stores and email - the exact channel where privileged client communications live.
- NC distributors in Greensboro and Charlotte using AI agents in customer-service or order-entry automations. A persistent credential theft from the developer laptop can be reused months later to pivot into the production CRM or order system.
- NC SMBs whose IT staff or MSP runs npm-based builds on a privileged admin workstation. Per GitHub's Octoverse analysis, npm builds on privileged machines are the most common bridge from open-source compromise to admin credential theft.
- NC CMMC-scoped firms. Per DFARS 252.204-7012, credential theft from a developer machine with access to controlled unclassified information (CUI) is a reportable cyber incident under the 72-hour rule.
Worried that an AI builder install last week leaked your credentials? Call (336) 886-3282 or request a developer workstation audit.
What should NC small businesses do in the next 14 days?
Run a five-step plan. None of these require new product purchases. They use tooling NC SMBs already have through GitHub, npm, and their cloud IdP.
- Inventory every
@mastra/*install across the org (days 1-3). Per StepSecurity's IOC list, search every developer laptop, build runner, and CI runner fornode_modules/easy-day-jsandnode_modules/@mastra/*directories. Search package lockfiles (package-lock.json,pnpm-lock.yaml,yarn.lock) foreasy-day-js. Where present after June 16, 2026, treat the workstation as compromised. - Force credential rotation on every affected developer (days 2-5). Rotate browser session cookies, npm tokens, GitHub PATs, cloud access keys, SSH keys, and crypto wallet seed phrases - in that order. Per the Mastra security advisory, browser session theft is the first credential class the stealer harvests and the hardest to detect after the fact.
- Enforce a lockfile policy and pinned-major dependency caret discipline (days 3-7). Per npm's docs, commit lockfiles to source control, use
npm ci(notnpm install) in CI, and configure dependabot or renovate to alert on transitive dependency changes. The lockfile is the SMB's single highest-leverage npm control. - Move npm installs off privileged workstations (days 7-10). Run all
npm installandnpm cioperations inside an isolated dev container, VM, or hosted CI runner with no production credentials and no browser session sharing. Reference our Managed IT services page for hardened workstation baselines. - Adopt OpenSSF Scorecard checks on AI-framework dependencies (day 14 forward). Per OpenSSF Scorecard, automated checks can flag missing 2FA on maintainer accounts, weak release signing, and stale typosquat-prone projects before the next compromise. Put the scorecard on the quarterly compliance calendar.
Key takeaway: The single most underrated SMB control in this incident is the lockfile. NC SMBs that commit lockfiles and run
npm ciin CI never resolvedeasy-day-jsat all - the malicious version landed only on machines that ran a freshnpm installbetween June 16 and June 17.
How does Preferred Data Corporation help NC SMBs harden the AI supply chain?
PDC has supported NC small businesses since 1987 and treats AI tooling adoption as a supply-chain governance problem first, a productivity problem second. We bring three things to the Mastra conversation:
- Cybersecurity services: Developer workstation audits, npm and PyPI dependency reviews, lockfile policy adoption, OpenSSF Scorecard integration, and incident-response runbooks for suspected supply chain compromise. We help NC SMBs treat the build pipeline as a tier-one asset.
- Managed IT services: Hardened developer workstation baselines, isolated build environments, conditional access policies that block npm installs from privileged sessions, and the day-to-day operational work that keeps the next typosquat from owning the laptop that owns the cloud. For NC manufacturers in High Point, distributors in Greensboro, and professional services firms in Charlotte and Raleigh, the managed baseline is what makes a Mastra-class event a same-day cleanup rather than a multi-month credential-theft incident.
- AI transformation services: Vendor-vetted AI framework choices, governance policies for AI builder adoption, and the security-first integration patterns that let NC SMBs ship AI features without inheriting the open-source supply chain risk. The right time to write the AI governance policy is before the first
npm install, not after.
For small business owners in High Point, the Piedmont Triad, Greensboro, Winston-Salem, Charlotte, and Raleigh, the Mastra disclosure is the cue to formalize an AI-builder governance policy. The CISA SMB resources frame this clearly: SMBs face enterprise-grade exposure with a fraction of the staff. A trusted local partner closes the gap.
Ready to audit every AI builder dependency in your org this week? Call (336) 886-3282 or book an AI supply chain audit.
Frequently Asked Questions
What is the Mastra npm supply chain attack?
Per The Hacker News, on June 17, 2026 an attacker hijacked the @mastra npm organization and published 144 packages with easy-day-js - a dayjs typosquat - injected as a dependency. The dependency's postinstall script downloaded a cross-platform information stealer targeting browser data, credentials, and crypto wallets on Windows, macOS, and Linux.
Is my NC small business affected?
If any developer, IT staff member, or MSP technician ran npm install on any @mastra/* package between June 16 and June 17, 2026 - on any machine - treat that machine as potentially compromised and rotate credentials immediately. The IOC to search for is the presence of easy-day-js in node_modules or any lockfile.
Does my regular AV catch this?
Not reliably. Per Sonatype's writeup, the postinstall payload was obfuscated and the self-delete behavior removed the binary after execution. Traditional AV signatures lag a same-day-disclosed campaign by hours or days. EDR with behavior detection on node child processes is more effective, but most SMB endpoints do not have it tuned.
Do lockfiles stop this attack?
Yes, for builds that use npm ci against a committed lockfile generated before June 16, 2026. Lockfiles pin transitive dependencies, so a malicious [email protected] published after lockfile generation will not be installed. This is the single highest-leverage control NC SMBs can adopt this week.
What credentials do I rotate?
In this order: browser session cookies (sign out everywhere on every browser), npm tokens, GitHub personal access tokens, cloud access keys (AWS, Azure, GCP), SSH keys, saved passwords in the browser password manager, and crypto wallet seed phrases. Per the Mastra security advisory, session cookies are the first thing the stealer harvests.
How often should NC SMBs audit AI framework dependencies?
At a minimum, every time a new AI framework or major version is adopted. Better: continuous, via OpenSSF Scorecard or a managed SCA tool. The Mastra incident is the third major AI-framework supply chain compromise in 2026 - the pattern is the norm now, not the exception.
Related Resources
- Cybersecurity Services for NC Small Businesses - Developer workstation audits and supply chain hardening
- Managed IT Services for NC Businesses - Hardened build pipelines and conditional access
- AI Transformation Services - Governance-first AI adoption
- Mini Shai-Hulud npm Supply Chain Attack: NC SMB Defense 2026 - Prior npm worm incident
- NPM Supply Chain Attacks: Business Software Defense NC 2026 - General npm hygiene
- MSP Supply Chain Attacks H2 2026 Forecast NC SMB - MSP-side supply chain risk
- Contact Preferred Data Corporation - AI supply chain audit for NC SMBs