easy-day-js Targets Mastra, Dependency Attacks Grow

TL;DR

  • On June 17, 2026, security researchers identified a software supply chain attack involving the npm package easy-day-js, a malicious package designed to impersonate the popular JavaScript date library dayjs. Sonatype is tracking this campaign as sonatype-2026-003926.

  • Attackers compromised part of the Mastra AI framework and added easy-day-js as a dependency across a large number of Mastra packages. Once installed, the package used a postinstall script to attempt to download and run a second-stage payload from attacker-controlled infrastructure.

  • This is not a “remove the package and move on” incident. If easy-day-js was installed in a developer workstation, CI runner, build agent, or production-adjacent environment, the host should be treated as compromised until investigated.

  • This campaign also extends a pattern Sonatype researchers tracked in the Axios compromise and Atomic Arch campaign. Attackers are not only publishing malicious packages. They are hijacking trusted packages and using malicious dependencies as the delivery mechanism.

Attackers compromised part of the Mastra npm publishing workflow and used that access to add easy-day-js as a dependency across affected Mastra packages.

The malicious code did not live directly in the Mastra package source but inside the dependency those packages were updated to install.

Sonatype is tracking this trend. In the Axios compromise, attackers introduced a hidden malicious dependency into a trusted npm package. In Atomic Arch, attackers took over orphaned Arch User Repository (AUR) packages and modified build instructions to install a malicious npm dependency.

In the Mastra campaign, attackers again used an otherwise trusted ecosystem to pull in a dependency that carried the payload.

How Did the easy-day-js Dependency Attack Work?

The easy-day-js attack worked by adding a malicious dependency to compromised Mastra packages, causing installs of those packages to also install and execute easy-day-js.

The sequence worked like this:

*** This is a Security Bloggers Network syndicated blog from 2024 Sonatype Blog authored by Sonatype Security Research Team. Read the original post at: https://www.sonatype.com/blog/easy-day-js-targets-mastra-dependency-attacks-grow