Embedded Malicious Code Affecting @mastra/express package, versions =1.3.31


Severity: critical (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Attacked

  • Snyk ID: SNYK-JS-MASTRAEXPRESS-17353225
  • published: 17 Jun 2026
  • disclosed: 16 Jun 2026
  • credit: Unknown

Introduced: 16 Jun 2026

Type: Malicious. CVE: not available. CWE-506

How to fix?

Avoid using all malicious instances of the @mastra/express package.

Overview

Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was left untouched. The only change was a single new dependency added to each package: easy-day-js, a typosquat of the popular dayjs date library. A day earlier, a related account (sergey2016) published a clean decoy, easy-day-js@1.11.21; the weaponized 1.11.22 landed at 01:01 UTC, eleven minutes before the Mastra sweep began. Because the republished packages declared the dependency as ^1.11.21, a fresh install resolves the caret range to the malicious 1.11.22. Its postinstall hook disables TLS verification, downloads a second stage from 23.254.164.92, runs it as a detached background process, then deletes itself. The recovered payload is a cross-platform infostealer targeting browser data and 160+ crypto-wallet extensions.
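The following is an added example, not code from Snyk or the Mastra project: a small Node script that scans an npm lockfile (the lockfileVersion 2/3 `packages` map) for the typosquat dependency named above and shows why the caret range resolved to the weaponized release. The package names and versions come from the advisory; the lockfile contents, the project name `example-app` and the dayjs version are constructed sample data, and the `caretSatisfies` helper is a deliberately minimal stand-in for the `semver` library so the script runs offline.

```javascript
// Added example: defender-side lockfile check for the easy-day-js typosquat.
// Not part of the Snyk advisory or the Mastra code base.

const MALICIOUS_PACKAGE = 'easy-day-js';   // typosquat of dayjs, per the advisory
const MALICIOUS_VERSION = '1.11.22';       // weaponized release; 1.11.21 was a clean decoy

// Minimal caret-range check (assumption: stands in for the `semver` package).
// ^a.b.c matches >= a.b.c and < (a+1).0.0 when a > 0; ^0.b.c pins the minor.
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) return null;          // other range syntaxes not handled here
  const parse = (v) => v.split('.').map(Number);
  const [ra, rb, rc] = parse(range.slice(1));
  const [va, vb, vc] = parse(version);
  if (ra === 0) return va === 0 && vb === rb && vc >= rc;
  if (va !== ra) return false;
  if (vb !== rb) return vb > rb;
  return vc >= rc;
}

// Walk every "packages" entry of a v2/v3 lockfile. Reports installed copies of
// the malicious package (flagging the weaponized version) and every package
// whose manifest declares a range on it, with whether that range admits 1.11.22.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;                      // root project entry
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (name === MALICIOUS_PACKAGE) {
      findings.push({
        kind: 'installed', path, version: entry.version,
        weaponized: entry.version === MALICIOUS_VERSION,
      });
    }
    const range = entry.dependencies && entry.dependencies[MALICIOUS_PACKAGE];
    if (range) {
      findings.push({
        kind: 'dependent', path, range,
        weaponizedSatisfiesRange: caretSatisfies(range, MALICIOUS_VERSION),
      });
    }
  }
  return findings;
}

// Constructed sample lockfile: an app that installed the republished
// @mastra/express 1.3.31, which pulled in the typosquat via ^1.11.21.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { '@mastra/express': '1.3.31' } },
    'node_modules/@mastra/express': {
      version: '1.3.31',
      dependencies: { 'easy-day-js': '^1.11.21' },
    },
    'node_modules/easy-day-js': { version: '1.11.22' },
    'node_modules/dayjs': { version: '1.11.13' },   // the legitimate library, untouched
  },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any `installed` finding with `weaponized: true`, or any `dependent` finding at all, means the tree contains the hijacked republication and should be rebuilt from a known-good lockfile.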
