VDB
GCVE-110-OSM-2026-6119
GCVE-110-OSM-2026-6119
Advisory PublishedCVSS 9.6/10
@mastra/fastify@1.3.31 was trojanized as part of a coordinated supply chain attack on the @mastra npm organization on 2026-06-17 between 01:12-02:24 UTC. A compromised maintainer account ('ehindero', ehindero2016@tutamail.com) published this version with an injected dependency on easy-day-js@^1.11.21, which resolved via semver to the weaponized easy-day-js@1.11.22. That package's postinstall hook (setup.cjs) executes a dropper that disables TLS, fetches a remote payload from C2 at 23.254.164.92:8000/update/49890878, writes it to a randomly named file, spawns a persistent detached process, and self-deletes. All 116 packages across the scope were hit in a 72-minute window. This release lacks SLSA provenance attestations, confirming out-of-band publication.
Weaponized postinstall hook in easy-day-js@1.11.22 executes setup.cjs (4.5 KB, obfuscated with base64-decoded string arrays) at npm install time.
Execution chain:
1. Sets NODE_TLS_REJECT_UNAUTHORIZED='0' to disable TLS validation.
2. Drops marker files ~/.pkg_history (containing the install path) and ~/.pkg_logs.
3. Fetches second-stage payload via HTTPS from https://23.254.164.92:8000/update/49890878. As of time of analysis, this endpoint returned not found — payload no longer reachable.
4. Writes payload to a randomly named file (<24-hex-chars>.js) in the user home directory.
5. Spawns a detached child Node.js process (spawn(process.execPath, ...).unref()) with windowsHide: true to persist after parent exits.
6. Self-deletes the dropper via fs.rmSync(__filename, { force: true }) in the finally block.
Network indicators:
- https://23.254.164.92:8000/update/49890878 — second-stage payload URL (primary C2)
- 23.254.164.123:443 — secondary endpoint on the same /24; both should be blocked
Package indicators:
- easy-day-js@1.11.22 — weaponized dropper
- easy-day-js@1.11.21 — clean decoy, still attacker-controlled, should be blocked
- Publisher: ehindero / ehindero2016@tutamail.com — account used for every malicious publish
- Any @mastra/* or mastra version published 2026-06-17 without SLSA provenance — manual publish outside CI
File and behavioral indicators:
- ~/.pkg_history — marker file containing the install path
- ~/.pkg_logs — marker file dropped by the hook
- ~/<24-hex>.js — the fetched second-stage payload
- node setup.cjs running during npm install — the dropper process
- NODE_TLS_REJECT_UNAUTHORIZED=0 set by an install script — TLS validation disabled
- Detached node child process spawned during install — the running payload
Code markers in easy-day-js@1.11.22:
- "postinstall": "node setup.cjs --no-warnings" in package.json
- process.env.NODE_TLS_REJECT_UNAUTHORIZED='0' in setup.cjs
- Buffer.from(...); ... spawn(process.execPath, ...).unref() — detached payload launch
- fs.rmSync(__filename, { force: true }) — self-delete in finally block
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @mastra/fastify | 1.3.31 (affected), 1.3.31 (affected) | — |
Browse GCVE Records
71,925 records in the GCVE database · Updated July 13, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.