Woofun AI reports that a coordinated supply-chain attack has compromised over 140 Mastra npm packages. The attack exploited a dependency-resolution flaw: during installation, the legitimate easy-day-js@^1.11.21 dependency was substituted with the malicious easy-day-js@1.11.22 release, so attacker-controlled code ran as part of package setup.
The malicious payload enabled severe breaches: arbitrary code execution, persistence on Windows, macOS, and Linux systems, and harvesting of browser history and cryptocurrency wallet extension data. Attackers also targeted credentials and CI keys, creating the potential for data leaks. On affected systems, the malicious easy-day-js versions must be removed immediately, node_modules folders and package caches deleted, and verified packages reinstalled from validated lock files.
Furthermore, administrators should isolate affected hosts, preserve logs, eliminate persistent attack traces, and rotate all associated credentials for npm, GitHub, cloud services, SSH/Git, CI/CD tools, and cryptocurrency wallets.
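Before deleting node_modules and reinstalling, a responder usually wants to confirm which projects actually pinned or installed the malicious release. The following script is an added example, not tooling from Woofun AI or the Mastra project: it walks an npm package-lock.json (lockfileVersion 1, 2 or 3) and an installed node_modules tree looking for easy-day-js at version 1.11.22, the only bad version the report names. The sample lockfile embedded at the bottom is constructed for illustration, and its registry URL is a placeholder.

```python
"""Added example (not the reporting site's or Mastra's tooling): locate the malicious
easy-day-js@1.11.22 release in a lockfile and in an installed node_modules tree, so the
hit can be confirmed and logged before caches are purged and the tree is reinstalled
from a validated lock file."""
import json
import os
from typing import Iterator

BAD_PACKAGE = "easy-day-js"
BAD_VERSIONS = {"1.11.22"}  # only the version the report names; extend if advisories list more


def _walk_v1_dependencies(deps: dict, prefix: str) -> Iterator[tuple[str, str]]:
    """Yield (install path, version) for lockfileVersion 1 'dependencies' trees, which nest."""
    for name, entry in deps.items():
        path = f"{prefix}node_modules/{name}"
        yield path, entry.get("version", "")
        if "dependencies" in entry:
            yield from _walk_v1_dependencies(entry["dependencies"], path + "/")


def lockfile_entries(lock: dict) -> Iterator[tuple[str, str]]:
    """Yield (install path, version) for every package entry in a package-lock.json.

    lockfileVersion 2 and 3 carry a flat 'packages' map keyed by install path
    (the "" key is the root project itself); version 1 carries nested 'dependencies'.
    """
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if path:  # skip the root project entry
                yield path, entry.get("version", "")
    else:
        yield from _walk_v1_dependencies(lock.get("dependencies", {}), "")


def find_bad_pins(lock: dict) -> list[str]:
    """Return the install paths whose version is one of the known-malicious releases.

    Nested copies (node_modules/a/node_modules/easy-day-js) are checked too, since a
    transitive dependency can pull the bad release even when the top level is clean.
    """
    return [
        path
        for path, version in lockfile_entries(lock)
        if path.rsplit("node_modules/", 1)[-1] == BAD_PACKAGE and version in BAD_VERSIONS
    ]


def installed_bad_versions(node_modules: str) -> list[str]:
    """Walk an installed node_modules tree and return directories holding the bad release."""
    hits = []
    for root, _dirs, files in os.walk(node_modules):
        if os.path.basename(root) == BAD_PACKAGE and "package.json" in files:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                version = json.load(fh).get("version", "")
            if version in BAD_VERSIONS:
                hits.append(root)
    return hits


# Constructed sample lockfile (lockfileVersion 3): the caret range ^1.11.21 resolved to the
# poisoned 1.11.22 at the top level, while a nested copy stayed on the clean 1.11.21.
SAMPLE_LOCK = json.loads("""{
  "name": "example-app", "lockfileVersion": 3, "requires": true,
  "packages": {
    "": {"name": "example-app", "dependencies": {"easy-day-js": "^1.11.21"}},
    "node_modules/easy-day-js": {"version": "1.11.22",
                                 "resolved": "https://registry.example/easy-day-js-1.11.22.tgz"},
    "node_modules/other-lib": {"version": "2.0.0"},
    "node_modules/other-lib/node_modules/easy-day-js": {"version": "1.11.21"}
  }
}""")

if __name__ == "__main__":
    for hit in find_bad_pins(SAMPLE_LOCK):
        print(f"lockfile pins malicious {BAD_PACKAGE}: {hit}")
    for hit in installed_bad_versions("node_modules"):
        print(f"installed malicious copy: {hit}")
```

Run it from a project root to check that project's tree; to check the lock file of a repository without installing anything, load the file with `json.load` and pass the result to `find_bad_pins`. Record the output alongside the preserved host logs before removing node_modules, because the list of affected projects drives which credentials and CI keys need rotation.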