Socket uncovered a malicious npm supply chain campaign in which compromised @mastra/* packages were modified to pull in the typosquatted easy-day-js dependency, triggering a postinstall loader that downloaded a second-stage implant. The payload disabled TLS validation, persisted across Windows, macOS, and Linux, and stole browser history plus data from more than 160 cryptocurrency wallet browser extensions while exfiltrating to attacker infrastructure. #Mastra #easy-day-js #ehindero #sergey2016 #protocal.cjs
Keypoints
- Socket detected a malicious npm campaign affecting compromised @mastra/* packages published on 2026-06-17 by the npm account ehindero.
- The malicious packages were byte-for-byte identical to legitimate releases except for a new dependency on easy-day-js.
- easy-day-js version 1.11.22 executed a postinstall hook that automatically ran during npm install.
- The first-stage loader disabled TLS certificate validation, fetched a second-stage payload, executed it detached, and then deleted itself.
- The second stage persisted on Windows, macOS, and Linux, collected browser history, inventoried more than 160 wallet extensions, and provided operator tasking capability.
- @mastra/core was specifically highlighted as a high-risk package because it receives more than 918K weekly npm downloads, increasing the campaign's blast radius.
- Socket flagged the malicious dependency within minutes of publication and blocked installs for Socket customers before the install hook could run.
MITRE Techniques
- [T1195.002] Compromise Software Supply Chain — The attacker compromised published npm packages and delivered malware through a transitive dependency ("malicious npm supply chain campaign involving compromised @mastra/* packages" and "pulled in that dependency, so npm install … runs setup.cjs automatically").
- [T1059.007] JavaScript — The payloads were implemented as Node.js/JavaScript scripts and executed by npm lifecycle hooks ("node setup.cjs" and "cross-platform Node.js tasking client").
- [T1068] Exploitation for Privilege Escalation — Not explicitly mentioned as privilege escalation; not applicable.
- [T1105] Ingress Tool Transfer — The loader downloaded a second-stage payload from attacker-controlled infrastructure ("fetch(url)" and "pull stage 2").
- [T1573.001] Encrypted Channel — The loader and implant communicated over HTTPS/TLS to attacker infrastructure ("fetch the second-stage payload from attacker-controlled infrastructure over TLS" and "sends … over HTTPS POST").
- [T1041] Exfiltration Over C2 Channel — Collected data was sent back to attacker servers through the implant's tasking/exfiltration channel ("Collected data is exfiltrated to the operators' command-and-control host").
- [T1053.003] Cron — Not explicitly used; Linux persistence was via systemd user service, not cron.
- [T1547.001] Registry Run Keys / Startup Folder — Windows persistence was established via a Run key ("Windows Run value NvmProtocal").
- [T1543.002] Systemd Service — Linux persistence used a systemd user unit ("nvmconf.service" and "ExecStart=…protocal.cjs").
- [T1547.013] PowerShell Profile — Not mentioned in the article; not applicable.
- [T1547.007] Launch Agent — macOS persistence used a LaunchAgent ("macOS LaunchAgent label com.nvm.protocal").
- [T1027] Obfuscated Files or Information — The loader was obfuscated with obfuscator.io ("obfuscated with obfuscator.io").
- [T1112] Modify Registry — The Windows Run key was written for persistence ("Windows Run value NvmProtocal").
- [T1562.013] Disable or Modify System Firewall — Not mentioned; no firewall modification described.
- [T1057] Process Discovery — The implant collected running processes ("installed applications, and running processes").
- [T1082] System Information Discovery — The implant collected hostname, architecture, platform, and user ID ("hostname, architecture, platform, user ID").
- [T1217] Browser Session Cookie — Not directly recovered; the article says browser history was collected, not cookies.
- [T1217 / T1213] Data from Local System — The implant copied browser History databases from Chrome, Edge, and Brave ("copies each profile's History database").
- [T1119] Automated Collection — The implant automatically inventoried wallet extensions and browser history during its tasking loop ("carries a hardcoded list of 166 wallet browser-extension IDs" and "copies each profile's History database").
- [T1021] Remote Services — Not explicitly used for lateral movement; the article does not describe remote service abuse.
- [T1070.004] File Deletion — The loader self-deleted to reduce traces ("fs.rmSync(__filename, { force: true }); // self-delete").
- [T1090] Proxy — Not mentioned; no proxy behavior described.
- [T1102] Web Service — The implant used web-based HTTPS endpoints for tasking and exfiltration ("beacons to the operator" and "over HTTPS POST").
Indicators of Compromise
- [IP address / HTTPS endpoint] C2 and download infrastructure — 23.254.164.92, 23.254.164.123:443
- [Domain / hostnames] Attacker-hosted infrastructure — hwsrv-1327786.hostwindsdns.com, hwsrv-1327785.hostwindsdns.com
- [URL path] Loader download and bot path — /update/49890878, /49890878
- [File names] Dropped and loaded components — setup.cjs, protocal.cjs
- [Persistence names] Cross-platform persistence artifacts — NvmProtocal, com.nvm.protocal, nvmconf.service, NodePackages
- [Temporary artifacts] Loader markers and staging files — .pkg_history, .pkg_logs, browser-hist-*
- [SHA-256 hashes] Known malicious files — b122a9873bedf145ae2a7fd024b5f309007dbb025149f4dc4ac3f7e4f32a36a4, cdec8b20338beb708b5be8d3d7a3041a35a8b0fb92f9186262f312d55ff82066, and 3 more hashes
- [Package names / versions] Malicious dependency and affected packages — easy-day-js@1.11.22, @mastra/core, and 140+ other @mastra/* packages
Read more: https://socket.dev/blog/mastra-npm-packages-compromised