Severity: critical · Category: Supply chain

AGS-2026-0006

Mastra supply chain poisoning attack

140+ official npm packages under the @mastra/* namespace have been compromised via a malicious dependency easy-day-js. Executing npm install automatically triggers a cross-platform infostealer and persistent backdoor.

Affected

  • namePattern: @mastra/*
  • namePattern: easy-day-js, versionRange: 1.11.22
  • namePattern: protocal.cjs
  • namePattern: nvmconf.service
  • namePattern: com.nvm.protocal.plist
  • namePattern: NvmProtocal

Self-check

AgentGuard subscribers receive this advisory automatically and their local guard runs the inspection below.

Inspect paths

  • ~/.nvm/**/node_modules/
  • ~/.openclaw/**/node_modules/
  • ~/.config/NodePackages/
  • ~/Library/NodePackages/
  • ~/.npm/_npx/
  • ./Library/Caches/
  • /tmp/
  • C:\ProgramData\NodePackages\
  • C:\Users\*\AppData\Local\Temp\
  • %LOCALAPPDATA%\npm-cache\_npx\

Remediation: uninstall

1. Identify local dependency contamination

   Verify whether the poisoned transitive package exists in your local dependency tree:

     npm ls easy-day-js

   Audit lockfiles to check whether your builds fetch the compromised version. The package name appears quoted only in package-lock.json; yarn.lock and pnpm-lock.yaml write it bare, so grep for the unquoted name and read the version line that follows each hit:

     grep -A1 'easy-day-js' package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null

   Only easy-day-js 1.11.22 is known to be poisoned, but any other version pulled in by a @mastra/* package from the affected list below should be treated as suspect until the tree is rebuilt.

2. Audit system-level persistence components

   macOS

     ls -la ~/Library/LaunchAgents/com.nvm.protocal.plist 2>/dev/null && echo "🚨 CRITICAL: persistent LaunchAgent found"
     ls -la ~/Library/NodePackages/protocal.cjs 2>/dev/null && echo "🚨 CRITICAL: malicious script found"

   Linux

     ls -la ~/.config/systemd/user/nvmconf.service 2>/dev/null && echo "🚨 CRITICAL: malicious user service present"
     ls -la ~/.config/systemd/nvmconf/protocal.cjs 2>/dev/null && echo "🚨 CRITICAL: malicious script found"
     systemctl --user is-enabled nvmconf.service 2>/dev/null   # confirms whether the unit is actually enabled

   Windows (cmd.exe; the same commands work from PowerShell when prefixed with cmd /c)

     :: Verify whether the payload directory masquerading as a Node install exists
     dir "C:\ProgramData\NodePackages\protocal.cjs" /b 2>nul && echo 🚨 CRITICAL: dropped payload found
     :: Check the current-user Run key for the persistence entry
     reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NvmProtocal" 2>nul && echo 🚨 CRITICAL: startup registry entry found

3. Evacuation and eradication

   If any indicator above fires, disconnect the machine from the network immediately, then work through the following.

   Kill active subprocesses: terminate any unreferenced background node processes that execute JavaScript from random temp paths or reference protocal.cjs.

   Purge persistence layers:

     Windows:
       reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NvmProtocal" /f
       rmdir /s /q "C:\ProgramData\NodePackages"

     macOS:
       launchctl unload ~/Library/LaunchAgents/com.nvm.protocal.plist
       rm -f ~/Library/LaunchAgents/com.nvm.protocal.plist
       rm -rf ~/Library/NodePackages/

     Linux:
       systemctl --user disable --now nvmconf.service
       rm -f ~/.config/systemd/user/nvmconf.service
       rm -rf ~/.config/systemd/nvmconf/
       systemctl --user daemon-reload

   Wipe cache and re-lock: purge the npm cache with npm cache clean --force and clear the npx caches listed under Inspect paths (~/.npm/_npx/ and %LOCALAPPDATA%\npm-cache\_npx\), since a cached tarball will otherwise be reinstalled without a network fetch. Roll back @mastra/* dependencies in package.json to known-clean versions published before June 17, 2026, then regenerate a clean lockfile from a sterile sandbox environment (a fresh container or VM, not the affected machine).

4. Post-incident credential and asset rotation

   The malware scans configurations for 160+ cryptocurrency browser extensions (e.g., MetaMask, Phantom, Coinbase Wallet) and exfiltrates local browser databases (Chrome, Edge and Brave history records).

   Web3/crypto wallet migration: if any crypto browser extension was logged into on the compromised machine, changing browser passwords or deleting the extension is not sufficient, because the seed material has already been read. Set up a new seed phrase on an untainted hardware device and migrate all digital assets off the exposed addresses immediately.

   Comprehensive token revocation: revoke and rotate every secret that was reachable from the compromised developer workstation or CI runner, whether stored in environment files, variables or config entries, including:
     • local or repository-stored npm publish tokens, GitHub PATs and SSH keys;
     • cloud provider access keys (AWS access keys, Alibaba Cloud credentials, Google Cloud service-account keys);
     • CI/CD pipeline secrets and production deployment keys.
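The lockfile audit, the node_modules sweep, the hash comparison against the published IOCs and the persistence-artifact check above, combined into one portable script. This is an added example, not the AgentGuard guard's own inspection code and not Mastra project code. The package name and version, file names, LaunchAgent label, systemd unit name and SHA-256 values are taken from this advisory; the function names, the output format and the reading of ./Library/Caches/ as ~/Library/Caches/ are this example's own assumptions. The Windows Run-key check needs reg.exe and is left to the cmd.exe commands above.

```shell
#!/bin/sh
# Added example (not AgentGuard's guard and not Mastra project code): a POSIX sh
# self-check for macOS/Linux that mirrors the advisory's inspection steps.
# Package name/version, file names, unit/plist labels and SHA-256 values are the
# advisory's IOCs; function names and output format are this script's own choices.

BAD_PKG='easy-day-js'
BAD_VER='1.11.22'
BAD_VER_RE='1\.11\.22'
# SHA-256 IOCs from the advisory: stage-1 loader, package.json, loader variants, stage-2 stealer
BAD_HASHES='
b122a9873bedf145ae2a7fd024b5f309007dbb025149f4dc4ac3f7e4f32a36a4
c38954e85bf5433e61e7c8f4230336695624ae88b6953afabf7bf817aa91b638
cdec8b20338beb708b5be8d3d7a3041a35a8b0fb92f9186262f312d55ff82066
9570f77a5e1511869f4e554e7166df9fde081f2583e293c2569621792ed7d9c9
221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf
'

# SHA-256 of a file with whichever tool the host has (coreutils sha256sum or macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# hash_is_ioc FILE: exit 0 when FILE's digest is one of the published IOC hashes.
hash_is_ioc() {
  _h=$(sha256_of "$1") || return 1
  printf '%s\n' "$BAD_HASHES" | grep -qx "$_h"
}

# scan_tree DIR: prints LOCKFILE / INSTALLED / IOC lines; exit 0 when clean, 1 on any hit.
scan_tree() {
  _out=$(
    # 1. lockfiles: the package name followed within a few lines by the poisoned version
    find "$1" -type f \( -name package-lock.json -o -name yarn.lock -o -name pnpm-lock.yaml \) 2>/dev/null |
    while IFS= read -r f; do
      if grep -A3 -F "$BAD_PKG" "$f" 2>/dev/null | grep -qF "$BAD_VER"; then
        printf 'LOCKFILE  %s pins %s@%s\n' "$f" "$BAD_PKG" "$BAD_VER"
      fi
    done
    # 2. installed copies under node_modules, poisoned version or otherwise
    find "$1" -type f -path "*/node_modules/$BAD_PKG/package.json" 2>/dev/null |
    while IFS= read -r f; do
      if grep -qE "\"version\"[[:space:]]*:[[:space:]]*\"$BAD_VER_RE\"" "$f"; then
        printf 'INSTALLED %s is %s@%s\n' "$(dirname "$f")" "$BAD_PKG" "$BAD_VER"
      else
        printf 'NOTE      %s is another version of %s; review it\n' "$(dirname "$f")" "$BAD_PKG"
      fi
    done
    # 3. the dropped stage-2 filename, or a candidate file whose digest matches an IOC hash
    find "$1" -type f \( -name protocal.cjs -o -name setup.cjs -o -path "*/$BAD_PKG/package.json" \) 2>/dev/null |
    while IFS= read -r f; do
      if [ "$(basename "$f")" = protocal.cjs ] || hash_is_ioc "$f"; then
        printf 'IOC       %s\n' "$f"
      fi
    done
  )
  [ -n "$_out" ] && printf '%s\n' "$_out"
  if printf '%s' "$_out" | grep -qE '^(LOCKFILE|INSTALLED|IOC)'; then return 1; fi
  return 0
}

# check_persistence [HOME_DIR]: the user-level persistence artifacts the advisory names.
# HOME_DIR is overridable so the check can be pointed at a mounted image or a test tree.
check_persistence() {
  _base=${1:-$HOME}
  _hit=0
  for p in "$_base/Library/LaunchAgents/com.nvm.protocal.plist" \
           "$_base/Library/NodePackages/protocal.cjs" \
           "$_base/.config/systemd/user/nvmconf.service" \
           "$_base/.config/systemd/nvmconf/protocal.cjs" \
           "$_base/.config/NodePackages"; do
    if [ -e "$p" ]; then printf 'PERSIST   %s\n' "$p"; _hit=1; fi
  done
  return $_hit
}

# main [DIR...]: scan the given trees, or the advisory's inspect paths that exist on this host.
main() {
  _rc=0
  if [ $# -eq 0 ]; then
    set -- "$HOME/.nvm" "$HOME/.openclaw" "$HOME/.config/NodePackages" \
           "$HOME/Library/NodePackages" "$HOME/.npm/_npx" "$HOME/Library/Caches" /tmp "$PWD"
  fi
  for d in "$@"; do
    [ -d "$d" ] || continue
    scan_tree "$d" || _rc=1
  done
  check_persistence || _rc=1
  [ $_rc -eq 0 ] && echo 'clean: no easy-day-js / protocal.cjs indicators found'
  return $_rc
}

# Usage: sh mastra-selfcheck.sh --scan [DIR...]   (no --scan: only define the functions)
case "${1:-}" in --scan) shift; main "$@" ;; esac
```

Run it as `sh mastra-selfcheck.sh --scan` to sweep the advisory's inspect paths plus the current directory, or pass explicit project roots. A non-zero exit means at least one LOCKFILE, INSTALLED, IOC or PERSIST line was printed; NOTE lines flag other easy-day-js versions for manual review without failing the run. Hashing is limited to protocal.cjs, setup.cjs and the package's own package.json so that the sweep stays fast on large node_modules trees.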
Affected Packages

  • @mastra/node-speaker 0.1.1
  • @mastra/s3vectors 1.0.7
  • create-mastra 1.13.1
  • @mastra/voice-xai-realtime 0.1.2
  • @mastra/voice-speechify 0.12.2
  • @mastra/voice-sarvam 1.0.2
  • @mastra/voice-playai 0.12.2
  • @mastra/voice-openai-realtime 0.12.6
  • @mastra/voice-openai 0.12.3
  • @mastra/voice-murf 0.12.3
  • @mastra/voice-modelslab 0.1.2
  • @mastra/voice-inworld 0.3.1
  • @mastra/voice-google-gemini-live 0.12.2
  • @mastra/voice-google 0.12.3
  • @mastra/voice-gladia 0.12.2
  • @mastra/voice-elevenlabs 0.12.2
  • @mastra/voice-deepgram 0.12.2
  • @mastra/voice-cloudflare 0.12.3
  • @mastra/voice-azure 0.11.2
  • @mastra/voice-aws-nova-sonic 0.1.4
  • @mastra/vercel 1.0.1
  • @mastra/vectorize 1.0.3
  • @mastra/upstash 1.1.3
  • @mastra/twilio 1.0.2
  • @mastra/turbopuffer 1.0.3
  • @mastra/temporal 0.1.14
  • @mastra/tavily 1.0.3
  • @mastra/stagehand 0.2.5
  • @mastra/speech-speechify 0.2.1
  • @mastra/speech-replicate 0.2.1
  • @mastra/speech-openai 0.2.1
  • @mastra/speech-murf 0.2.1
  • @mastra/speech-ibm 0.2.1
  • @mastra/speech-google 0.2.1
  • @mastra/speech-elevenlabs 0.2.1
  • @mastra/speech-azure 0.2.1
  • @mastra/spanner 1.1.2
  • @mastra/slack 1.3.1
  • @mastra/server 2.1.1
  • @mastra/redis-streams 0.0.4
  • @mastra/redis 1.1.3
  • @mastra/react 1.0.1
  • @mastra/railway 0.1.1
  • @mastra/qdrant 1.0.3
  • @mastra/playground-ui 33.0.1
  • @mastra/pinecone 1.0.2
  • @mastra/perplexity 0.1.1
  • @mastra/otel-exporter 1.2.3
  • @mastra/opensearch 1.0.3
  • @mastra/opencode 0.0.47
  • @mastra/openai 1.0.2
  • @mastra/observability 1.14.2
  • @mastra/node-audio 0.1.8
  • @mastra/nestjs 0.1.15
  • @mastra/mysql 0.1.1
  • @mastra/mssql 1.3.2
  • @mastra/modal 0.2.2
  • @mastra/memory 1.20.4
  • @mastra/mem0 0.1.14
  • @mastra/mcp-registry-registry 1.0.2
  • @mastra/longmemeval 1.0.50
  • @mastra/loggers 1.1.3
  • @mastra/lance 1.0.7
  • @mastra/laminar 1.2.3
  • @mastra/koa 1.5.14
  • @mastra/google-drive 0.1.1
  • @mastra/google-cloud-pubsub 1.0.6
  • @mastra/github-signals 0.1.2
  • @mastra/gcs 0.2.3
  • @mastra/files-sdk 0.2.1
  • @mastra/express 1.3.31
  • @mastra/engine 0.1.1
  • @mastra/elasticsearch 1.2.1
  • @mastra/e2b 0.3.4
  • @mastra/dsql 1.0.3
  • @mastra/docker 0.3.1
  • @mastra/deployer-vercel 1.1.38
  • @mastra/deployer-netlify 1.1.20
  • @mastra/deployer-cloudflare 1.1.44
  • @mastra/deployer-cloud 1.42.1
  • @mastra/deployer 1.42.1
  • @mastra/daytona 0.4.2
  • @mastra/dane 1.0.2
  • @mastra/cursor 0.2.1
  • @mastra/couchbase 1.0.4
  • @mastra/core 1.42.1
  • @mastra/convex 1.2.2
  • @mastra/codemod 1.0.4
  • @mastra/cloudflare-d1 1.0.7
  • @mastra/cloudflare 1.4.2
  • @mastra/cloud 0.1.24
  • @mastra/client-js 1.24.1
  • @mastra/claude 1.0.3
  • @mastra/chroma 1.0.2
  • @mastra/browser-viewer 0.1.3
  • @mastra/browser-firecrawl 0.1.1
  • @mastra/brightdata 0.2.2
  • @mastra/blaxel 0.4.2
  • @mastra/azure 0.2.3
  • @mastra/auth-workos 1.5.3
  • @mastra/auth-supabase 1.0.2
  • @mastra/auth-studio 1.2.4
  • @mastra/auth-okta 0.0.5
  • @mastra/auth-firebase 1.0.1
  • @mastra/auth-cloud 1.1.4
  • @mastra/auth-clerk 1.0.3
  • @mastra/auth-better-auth 1.0.4
  • @mastra/auth-auth0 1.0.2
  • @mastra/astra 1.0.2
  • @mastra/arthur 0.3.3
  • @mastra/arize 1.2.3
  • @mastra/agentfs 0.1.1
  • @mastra/agentcore 0.2.2
  • @mastra/agent-builder 1.0.42
  • @mastra/agent-browser 0.3.2
  • @mastra/acp 0.2.2
  • @mastra/libsql 1.13.1
  • @mastra/langsmith 1.2.4
  • @mastra/inngest 1.5.2
  • @mastra/langfuse 1.3.6
  • @mastra/mcp-docs-server 1.1.47
  • @mastra/mcp 1.10.1
  • @mastra/mongodb 1.9.3
  • @mastra/otel-bridge 1.2.3
  • @mastra/pg 1.13.1
  • @mastra/posthog 1.0.29
  • @mastra/rag 2.2.2
  • @mastra/s3 0.5.3
  • @mastra/sentry 1.1.4
  • @mastra/schema-compat 1.2.12
  • mastra 1.13.1
  • @mastra/duckdb 1.4.3
  • @mastra/ai-sdk 1.4.6
  • @mastra/auth 1.0.3
  • @mastra/braintrust 1.1.4
  • @mastra/clickhouse 1.10.1
  • @mastra/datadog 1.2.5
  • @mastra/dynamodb 1.0.9
  • @mastra/evals 1.3.1
  • @mastra/editor 0.11.3
  • @mastra/fastify 1.3.31
  • @mastra/fastembed 1.1.3
  • @mastra/hono 1.4.26
  • easy-day-js 1.11.22
  • mastraqqq 1.13.1

Indicators of Compromise (IOCs)

Network indicators

  • 23.254.164[.]92
  • https://23.254.164[.]92:8000/update/49890878
  • 23.254.164[.]123
  • https://23.254.164[.]123:443/49890878
  • AS54290 (Hostwinds LLC)
  • hwsrv-1327786.hostwindsdns[.]com
  • hwsrv-1327785.hostwindsdns[.]com

Code and string indicators

  • NvmProtocal (Windows Run-key value name)
  • com.nvm.protocal (macOS LaunchAgent label)
  • nvmconf.service (Linux systemd unit name)
  • protocal.cjs (dropped stage-2 filename)
  • NodePackages (drop directory name; Windows/macOS/Linux variants)
  • .pkg_history / .pkg_logs (loader beacon/marker files)
  • /update/49890878 (stage-2 download path / bot id)

SHA-256 hashes

  • b122a9873bedf145ae2a7fd024b5f309007dbb025149f4dc4ac3f7e4f32a36a4 - easy-day-js setup.cjs (stage-1 loader)
  • c38954e85bf5433e61e7c8f4230336695624ae88b6953afabf7bf817aa91b638 - easy-day-js@1.11.22 package.json
  • cdec8b20338beb708b5be8d3d7a3041a35a8b0fb92f9186262f312d55ff82066 - loader variant
  • 9570f77a5e1511869f4e554e7166df9fde081f2583e293c2569621792ed7d9c9 - loader variant
  • 221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf - stage-2 stealer