VDB
GCVE-110-OSM-2026-6217
GCVE-110-OSM-2026-6217
Advisory PublishedCVSS 9.6/10
@mastra/engine@0.1.1 was trojanized in the coordinated supply chain attack on the @mastra npm organization on 2026-06-17 (01:12-02:24 UTC). A compromised maintainer account published this version with an injected dependency on easy-day-js@^1.11.21, which resolves to the weaponized easy-day-js@1.11.22 whose postinstall dropper (setup.cjs) disables TLS, fetches a remote payload from C2 23.254.164.92:8000, spawns a persistent detached process, and self-deletes. Released without SLSA provenance attestations.
Malicious payload delivered via injected dependency easy-day-js@^1.11.21 (resolves to weaponized easy-day-js@1.11.22).
Postinstall hook: "node setup.cjs --no-warnings"
Dropper file: setup.cjs (4,572 bytes)
Behavior: sets NODE_TLS_REJECT_UNAUTHORIZED=0 to disable TLS validation, fetches second-stage payload from C2 at https://23.254.164.92:8000/update/49890878, writes it to a randomly named temp file, spawns a persistent detached Node process, then self-deletes.
Stage-1 C2: 23.254.164.92:8000 | Stage-2 C2: 23.254.164.123:443
Beacon files: <tmpdir>/.pkg_history, <tmpdir>/.pkg_logs
Compromised maintainers: sergey2016 (sergey2016@tutamail.com), ehindero (ehindero2016@tutamail.com)
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @mastra/engine | 0.1.1 (affected) | — |
Browse GCVE Records
71,925 records in the GCVE database · Updated July 13, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.