The npm maintainer account for the Mastra AI framework was hijacked and used to inject a remote access trojan and credential-stealing payload into 140-plus packages via the typosquatted easy-day-js dependency. Any developer workstation or CI/CD pipeline that ran npm install or npm update against any @mastra scoped package after June 17, 2026 at 01:01 UTC must be treated as fully compromised with immediate isolation required. The payload executes at install time before application code, bypassing application-layer sandboxing.