supplychainattack.org: Supply chain attack incident catalog

Typosquatting incidents

1 confirmed incident involving the typosquatting technique.

  1. active, critical

    Mastra npm Supply Chain Attack: 140+ Packages Backdoored via easy-day-js Typosquat

    On June 17, 2026, an attacker compromised the @mastra npm organization and injected easy-day-js, a typosquat of the popular dayjs library, as a dependency across 140+ packages. The malicious package contained an obfuscated postinstall dropper that downloaded and executed a second-stage payload from attacker-controlled servers before self-deleting. The affected packages had a combined weekly download count exceeding 1.1 million.

    npm, Compromised package, Typosquatting, Malicious maintainer