{"name":"EASY_DAY_JS_MASTRA_2026 - campaign","description":"# Executive Threat Brief — EASY_DAY_JS_MASTRA_2026\n\nOn June 17, 2026, an attacker compromised the @mastra npm organization and mass-published 144 malicious package versions across an 88-minute window. The payload was hidden inside easy-day-js — a typosquat of dayjs that copied the legitimate library's metadata wholesale. The second-stage payload is a cross-platform RAT targeting LLM API keys, cloud credentials, CI/CD secrets, and 166 cryptocurrency wallet extensions. Persistence survives package removal. Any environment that ran npm install against a Mastra package on 2026-06-17 must be treated as compromised.\n\nKey IOCs: easy-day-js@1.11.22 (dropper), C2 23[.]254[.]164[.]92 (stage-1), 23[.]254[.]164[.]123 (stage-2 RAT). Persistence: NvmProtocal (Windows), com.nvm.protocal.plist (macOS), nvmconf.service (Linux). No CVE assigned."}