Embedded Malicious Code Affecting mastra package, versions =1.13.1


Severity: critical (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Attacked

  • Snyk ID: SNYK-JS-MASTRA-17353312
  • Published: 17 Jun 2026
  • Disclosed: 16 Jun 2026
  • Credit: Unknown

Introduced: 16 Jun 2026

New · Malicious · CVE: not available · CWE-506

How to fix?

Avoid using all malicious instances of the mastra package.

Overview

Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was left untouched. The only change was a single new dependency added to each package: easy-day-js, a typosquat of the popular dayjs date library. A day earlier, a related account (sergey2016) published a clean decoy, easy-day-js@1.11.21; the weaponized 1.11.22 landed at 01:01 UTC, eleven minutes before the Mastra sweep began. Because packages depended on ^1.11.21, installs resolve to the malicious 1.11.22. Its postinstall hook disables TLS verification, downloads a second stage from 23.254.164.92, runs it as a detached background process, then deletes itself. The recovered payload is a cross-platform infostealer targeting browser data and 160+ crypto-wallet extensions.
