VDB

GCVE-110-OSM-2026-6119

GCVE-110-OSM-2026-6119
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 17, 2026
@mastra/fastify@1.3.31 was trojanized as part of a coordinated supply chain attack on the @mastra npm organization on 2026-06-17 between 01:12-02:24 UTC. A compromised maintainer account ('ehindero', ehindero2016@tutamail.com) published this version with an injected dependency on easy-day-js@^1.11.21, which resolved via semver to the weaponized easy-day-js@1.11.22. That package's postinstall hook (setup.cjs) executes a dropper that disables TLS, fetches a remote payload from C2 at 23.254.164.92:8000/update/49890878, writes it to a randomly named file, spawns a persistent detached process, and self-deletes. All 116 packages across the scope were hit in a 72-minute window. This release lacks SLSA provenance attestations, confirming out-of-band publication. Weaponized postinstall hook in easy-day-js@1.11.22 executes setup.cjs (4.5 KB, obfuscated with base64-decoded string arrays) at npm install time. Execution chain: 1. Sets NODE_TLS_REJECT_UNAUTHORIZED='0' to disable TLS validation. 2. Drops marker files ~/.pkg_history (containing the install path) and ~/.pkg_logs. 3. Fetches second-stage payload via HTTPS from https://23.254.164.92:8000/update/49890878. As of time of analysis, this endpoint returned not found — payload no longer reachable. 4. Writes payload to a randomly named file (<24-hex-chars>.js) in the user home directory. 5. Spawns a detached child Node.js process (spawn(process.execPath, ...).unref()) with windowsHide: true to persist after parent exits. 6. Self-deletes the dropper via fs.rmSync(__filename, { force: true }) in the finally block. Network indicators: - https://23.254.164.92:8000/update/49890878 — second-stage payload URL (primary C2) - 23.254.164.123:443 — secondary endpoint on the same /24; both should be blocked Package indicators: - easy-day-js@1.11.22 — weaponized dropper - easy-day-js@1.11.21 — clean decoy, still attacker-controlled, should be blocked - Publisher: ehindero / ehindero2016@tutamail.com — account used for every malicious publish - Any @mastra/* or mastra version published 2026-06-17 without SLSA provenance — manual publish outside CI File and behavioral indicators: - ~/.pkg_history — marker file containing the install path - ~/.pkg_logs — marker file dropped by the hook - ~/<24-hex>.js — the fetched second-stage payload - node setup.cjs running during npm install — the dropper process - NODE_TLS_REJECT_UNAUTHORIZED=0 set by an install script — TLS validation disabled - Detached node child process spawned during install — the running payload Code markers in easy-day-js@1.11.22: - "postinstall": "node setup.cjs --no-warnings" in package.json - process.env.NODE_TLS_REJECT_UNAUTHORIZED='0' in setup.cjs - Buffer.from(...); ... spawn(process.execPath, ...).unref() — detached payload launch - fs.rmSync(__filename, { force: true }) — self-delete in finally block

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@mastra/fastify1.3.31 (affected), 1.3.31 (affected)

References

vendor

Browse GCVE Records

71,925 records in the GCVE database · Updated July 13, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›