ME News reports that on June 17 (UTC+8), according to SlowMist monitoring, a coordinated supply chain attack is underway targeting over 140 npm packages. The affected packages automatically add a dependency on easy-day-js@^1.11.21 during installation, which resolves to the malicious version easy-day-js@1.11.22, triggering attacker-controlled code via installation hooks. Potential attacker behaviors include: executing code during installation, maintaining persistence on Windows/macOS/Linux, collecting browser history, inventorying cryptocurrency wallet extensions, exposing credentials or CI secrets through subsequent actions, and data exfiltration. For any system that has installed the affected versions, assume a potential compromise: remove the malicious version and easy-day-js, delete node_modules and package caches, reinstall known clean versions (using verified lock files), isolate compromised hosts, retain logs, eliminate persistence mechanisms, and rotate credentials for npm, GitHub, cloud services, SSH/Git, CI/CD, and wallet-related accounts if exposure is suspected. (Source: Foresight News)
Over 140 Mastra npm Packages Targeted in Supply Chain Attack
Over 140 Mastra npm packages were compromised in a supply chain attack, according to MetaEra and SlowMist. The malicious easy-day-js@1.11.22 injects itself as a dependency, enabling code execution and data theft. Attackers can access on-chain data, steal browser history, and detect cryptocurrency wallets. Systems using the affected versions should remove the package, clear node_modules and caches, reinstall verified versions, isolate affected hosts, and rotate credentials. A 51% attack is unlikely but possible if credentials or CI keys are exposed. Logs should be preserved for investigation.