CyberSip™ Daily Cyber Brief · Intelligence Without the Noise
Issue No. 66 · June 17, 2026 · cybersip.net · 3 active items · Under 5 min read

In this issue: Hijacked npm account compromises 140 plus Mastra AI packages with an infostealer dropper · RoguePlanet Defender zero-day now formally tracked as CVE-2026-50656 · CISA flags maximum severity Joomla content editor flaw under active exploitation
Today’s picture
An attacker hijacked a dormant npm contributor account and used it to compromise more than 140 packages across the Mastra AI framework, an open source tool for building artificial intelligence applications with combined weekly downloads exceeding 1.1 million. The malicious code arrived through a typosquatted dependency called easy-day-js, published as a clean decoy one day before being weaponised with an obfuscated postinstall hook that drops a cross platform infostealer. Microsoft formally assigned CVE-2026-50656 to RoguePlanet, the Microsoft Defender zero-day that researcher Nightmare Eclipse released a week ago, and confirmed it is working on a patch with no release date set. CISA added a maximum severity flaw in the Joomla Content Editor widget plugin to its Known Exploited Vulnerabilities catalog after confirming active exploitation that allows unauthenticated PHP code execution.
Threat snapshot
3 active items · 2 monitoring
  • Mastra npm supply chain · 140+ packages · removed
  • RoguePlanet · CVE assigned · no patch yet
  • Joomla JCE · CVSS 10.0 · exploited · CISA KEV
June 17 · npm Supply Chain · Removed
A hijacked npm contributor account compromised 140 plus Mastra AI framework packages via a typosquatted dependency that drops an infostealer. Combined weekly downloads exceed 1.1 million. Packages removed; treat any install since June 16 as compromised.
The attacker used the account ehindero, a former contributor whose publish access was never revoked, to republish the entire Mastra scope in an 88 minute window. The payload runs during npm install itself, before any developer imports the package, which means exposure depends on whether the install ran, not on whether the code was ever used.
RoguePlanet · No Patch
Microsoft formally assigns CVE-2026-50656 to RoguePlanet, the Defender race condition zero-day released a week ago. Working on a fix. No release date set.
The flaw grants SYSTEM privileges via a race condition in the Microsoft Malware Protection Engine. Works on fully patched Windows 10 and 11. Microsoft rates exploitation as more likely but has not observed active attacks. No CVE credit given to the researcher.
June 16 · Joomla JCE · CISA KEV
CISA adds CVE-2026-48907 (CVSS 10.0) to KEV. Improper access control in the Widget Factory Joomla Content Editor allows unauthenticated PHP code upload and execution.
An attacker creates a new editor profile for unauthenticated users, opening a path to upload and run arbitrary PHP. Any Joomla site running the JCE editor extension should patch immediately and review for unauthorised editor profiles.
Detailed intelligence
Full analysis
01 · npm Supply Chain · Removed
Mastra AI framework compromised via a hijacked npm account. A typosquatted dependency drops a cross platform infostealer on install. Over 140 packages affected, downloads exceeding 1.1 million weekly.
easy-day-js · No CVE Assigned
An attacker took over the npm account ehindero, belonging to a former Mastra contributor whose scope publish access had never been revoked, and used it to republish the entire Mastra package scope with a single malicious dependency injected into each one. npm has removed the malicious versions and revoked the attacker's access.
Executive Impact
If any developer workstation, CI runner, or build environment in your organisation ran npm install or npm update against a Mastra package on or after June 16, 2026, treat that system as compromised. The malware executes during installation itself, before the package is ever imported into application code, so exposure depends on whether the install ran rather than whether anyone used the package afterward.
Don’t Miss
Mastra sits at the intersection of AI development and cloud infrastructure, and its packages routinely run in environments holding some of the most sensitive credentials in modern software development, including API keys for model providers, cloud provider access, and CI/CD secrets. The attacker structured the campaign for stealth: a clean decoy version of the malicious dependency published a day earlier to establish a benign history, followed by the weaponised version tagged as latest so that caret range dependency resolution would silently pull it into every consumer without any change to Mastra's own source code. The Mastra source code itself was never modified, which means code review of the Mastra repository would have shown nothing wrong. Only install time scanning catches an attack delivered through a dependency that is never imported anywhere in the source tree.
CyberSip Take
A stale contributor credential with publish rights that nobody revoked turned a trusted AI framework into a delivery mechanism for an infostealer. This is the same root cause this brief has documented before with Nx Console and other supply chain incidents: access that outlives its purpose. If your organisation maintains any open source package, audit who still has publish rights and remove anyone who is no longer actively contributing. If you installed any Mastra package in the last day, rotate every credential the affected machine could reach.
What happened

The ehindero npm account belonged to a legitimate former Mastra contributor and still held publish access to the entire @mastra scope despite having been dormant since late 2024 or early 2025; an attacker compromised it. On June 16, 2026 at 07:05 UTC, the attacker published a clean, fully functional copy of a package called easy-day-js, a deliberate impersonation of the popular dayjs date library, with no malicious code, establishing a benign version history. The following day, June 17 at 01:01 UTC, the attacker published easy-day-js version 1.11.22, identical in its core code but with a postinstall hook that executes an obfuscated dropper script.

Eleven minutes later, the attacker began an automated publishing campaign using the compromised account, republishing more than 140 packages across the Mastra scope, including the high profile @mastra/core package with roughly 918,000 weekly downloads, each with easy-day-js silently added as a production dependency. The entire campaign ran for approximately 88 minutes. Because the dependency was specified with a caret range, any system that ran npm install against an affected Mastra package automatically resolved to the weaponised version of easy-day-js.

The postinstall hook disabled TLS certificate validation, downloaded a second stage payload from attacker controlled infrastructure, executed it as a detached background process, and deleted itself to minimise forensic traces. Researchers at Snyk, Socket, JFrog, Microsoft, and several other security vendors detected the campaign within minutes of publication. Microsoft Threat Intelligence shared its findings with the npm security team, the malicious package versions were removed, and the attacker's publish access to the @mastra scope was revoked. Mastra's maintainers responded the same day, forward rolling 142 publishable packages with clean versions.
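As a defender-side illustration of the mechanism above (added here; not code from the brief, from Mastra, or from any of the named vendors), the following Node.js script triages a package-lock.json for the injected dependency and for every package that ran an install hook. The sample lockfile, the Mastra package version and the helper names are constructed for the example; the dependency name and weaponised version are the ones the brief reports.

```javascript
// Added example, not code from the brief or from the Mastra project: triage a
// package-lock.json (lockfileVersion 2/3, "packages" keyed by node_modules path)
// for the pattern above, using npm's "hasInstallScript" flag on hook-carrying entries.
const BAD_DEP = "easy-day-js";              // dependency name from the brief
const BAD_VERSIONS = new Set(["1.11.22"]);  // weaponised version from the brief

// Caret check for non-zero majors: "^1.11.21" accepts any 1.x.y >= 1.11.21, which
// is why a consumer that vetted the clean decoy still resolved to the hook version.
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) return false;
  const base = range.slice(1).split(".").map(Number);
  const v = version.split(".").map(Number);
  if (v[0] !== base[0]) return false;        // caret never crosses a major
  for (let i = 1; i < 3; i++) if (v[i] !== base[i]) return v[i] > base[i];
  return true;                               // exact match
}

// Constructed sample lockfile; the Mastra package version is a placeholder.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@mastra/core": {
      version: "0.0.0-placeholder",
      dependencies: { "easy-day-js": "^1.11.21" },
    },
    "node_modules/easy-day-js": { version: "1.11.22", hasInstallScript: true },
  },
};

// "node_modules/@scope/name" -> "@scope/name"
function pkgName(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? lockPath : lockPath.slice(i + "node_modules/".length);
}

// Returns what a responder needs: the pinned version of the bad dependency, whether
// it is a known weaponised one, which packages pull it in, and every package whose
// install hook ran during `npm install` (exposure is about the install, not the import).
function triageLockfile(lock) {
  const r = { badDepVersion: null, compromised: false, dependents: [], installScripts: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = pkgName(path);
    if (name === BAD_DEP) {
      r.badDepVersion = entry.version;
      r.compromised = BAD_VERSIONS.has(entry.version);
    }
    if (entry.dependencies && BAD_DEP in entry.dependencies) r.dependents.push(name);
    if (entry.hasInstallScript) r.installScripts.push(`${name}@${entry.version}`);
  }
  return r;
}
console.log(JSON.stringify(triageLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; a non-empty installScripts list is the set of packages whose code already executed on that machine.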

Derived from Microsoft Security Blog, Socket, Snyk, and The Hacker News reporting on the Mastra npm supply chain attack, June 17, 2026.
02 · RoguePlanet · No Patch
Microsoft formally assigns CVE-2026-50656 to the RoguePlanet Defender zero-day. Confirms a fix is in development. No timeline given for release.
CVE-2026-50656 · CVSS 7.8
A week after researcher Nightmare Eclipse released RoguePlanet hours after June Patch Tuesday, Microsoft published an advisory acknowledging the flaw and assigning it a formal CVE identifier. The vulnerability is a race condition in the Microsoft Malware Protection Engine that grants SYSTEM level privileges on fully patched Windows 10 and 11 systems.
Executive Impact
A CVE assignment without a patch changes how the flaw should be tracked but does not change the operational risk. RoguePlanet remains exploitable today exactly as it has been since June 10. ThreatLocker confirmed application allowlisting prevents the exploit from executing. Organisations without allowlisting deployed should review attack surface reduction rules and monitor for unexpected SYSTEM level process creation while awaiting Microsoft's fix.
Don’t Miss
Microsoft's advisory did not credit Nightmare Eclipse for the discovery, consistent with the company's handling of the researcher's prior disclosures and reflecting the ongoing dispute over coordinated vulnerability disclosure practices. Microsoft has not committed to an out of band release, meaning CVE-2026-50656 could plausibly remain unpatched until the next scheduled Patch Tuesday. The researcher has stated that the exploit works regardless of whether Defender's real time protection is enabled, which widens the population of potentially affected systems beyond what might otherwise be assumed.
CyberSip Take
A CVE number is bookkeeping, not protection. The exploit has worked since June 10 and continues to work today. If application allowlisting is not already deployed on Windows endpoints in your environment, this is the reason to prioritise it. Waiting for Microsoft's patch is reasonable for low risk endpoints, but treat any high value Windows system as exposed until a fix actually ships.
What happened

Microsoft published an advisory on June 16, 2026 acknowledging an elevation of privilege vulnerability in the Microsoft Malware Protection Engine, publicly known as RoguePlanet, and assigning it the identifier CVE-2026-50656 with a CVSS score of 7.8. The advisory states Microsoft is working on a high quality security update and will provide release information once available. The company has not detected exploitation of the vulnerability in the wild but rates it as exploitation more likely under its exploitability index.

RoguePlanet was originally released by the researcher known as Nightmare Eclipse, also tracked as Chaotic Eclipse, on June 10, hours after Microsoft's June Patch Tuesday updates shipped. The exploit takes advantage of a time-of-check-to-time-of-use (TOCTOU) race condition in Defender's real time scanning engine, replacing a file between the moment Defender verifies its path and the moment it acts on that file; the substituted payload then executes with SYSTEM level privileges because Defender runs under that account.

RoguePlanet is the eighth public zero-day the researcher has released since around April 2026, following BlueHammer, RedSun, UnDefend, GreenPlasma, MiniPlasma, and YellowKey, three of which Microsoft fixed during June Patch Tuesday in the same week RoguePlanet appeared. The dispute between Nightmare Eclipse and Microsoft over disclosure practices remains unresolved, and Microsoft's advisory continued the pattern of not crediting the researcher.

Derived from Help Net Security, BleepingComputer, and SecurityWeek reporting on CVE-2026-50656, June 16–17, 2026.
03 · Joomla JCE · CISA KEV
CISA flags a maximum severity Joomla Content Editor flaw under active exploitation. Unauthenticated attackers can create editor profiles that allow PHP code upload and execution.
CVE-2026-48907 · CVSS 10.0
CISA added CVE-2026-48907 to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The flaw is an improper access control issue in the Widget Factory Joomla Content Editor extension that allows the creation of new editor profiles for unauthenticated users, opening a path to upload and execute arbitrary PHP code.
Executive Impact
Any Joomla site running the JCE editor extension should treat this as an urgent priority. A maximum CVSS score combined with confirmed active exploitation and no authentication requirement means any internet facing Joomla installation with this extension is a live target today. Update the JCE extension to the patched version immediately and review the site for unauthorised editor profiles that may already have been created.
Don’t Miss
CISA's KEV addition gives federal civilian agencies a binding remediation deadline, but the maximum severity score and confirmed real world exploitation mean private organisations should treat the deadline as effectively immediate rather than waiting for a formal compliance window. Content management system plugins are a persistent and often underappreciated attack surface specifically because they frequently receive less security scrutiny than the core platform itself, while still carrying the same level of access to the underlying server.
CyberSip Take
A maximum severity score, unauthenticated access, and confirmed exploitation is the combination that defines an emergency patch rather than a scheduled one. If JCE runs on any Joomla site your organisation operates, patch today and audit for editor profiles that should not exist.
What happened

CISA added CVE-2026-48907 to its Known Exploited Vulnerabilities catalog on June 16, 2026, citing evidence of active exploitation. The vulnerability resides in the JCE editor extension for Joomla and allows an attacker to create new editor profiles for unauthenticated users. Once such a profile exists, it can be used to upload and execute arbitrary PHP code on the underlying server, effectively giving the attacker full code execution.

The vulnerability carries a maximum CVSS score of 10.0, reflecting both the low complexity of exploitation and the severity of the resulting access. CISA's KEV addition requires federal civilian executive branch agencies to apply available fixes within the standard remediation window under Binding Operational Directive 22-01.

Derived from The Hacker News and CISA KEV catalog entry for CVE-2026-48907, June 16–17, 2026.
Still watching
Aging items · days 2–6
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
  • LiteLLM CVSS 9.9 vulnerability chain (Issue 64). Patch available since May 2 in v1.83.14-stable. CVE-2026-42271 is in CISA KEV with a June 22 deadline. Upgrade and rotate all API keys. (Day 3)
  • Ivanti Sentry CVE-2026-10520 CVSS 10.0 (Issue 63). Backdoored instances confirmed. CISA deadline has passed. Patch to R10.5.2, R10.6.2, or R10.7.1. Verify port 8443 is not internet-exposed. (Day 4)
Cross-source standouts
01 · A dormant credential with publish rights is a standing liability, not a closed chapter
The ehindero account had not actively published to Mastra since late 2024 or early 2025. Its scope access was never revoked. That single oversight gave an attacker the keys to an entire AI framework ecosystem with over a million weekly downloads. This is structurally identical to the access pattern this brief flagged with Nx Console earlier in the year: credentials that outlive the relationship that justified them. Every organisation maintaining open source packages, internal repositories, or shared infrastructure has some version of this exposure sitting quietly in an access control list. The fix is not exotic. It is a recurring audit of who holds publish, write, or admin access, and a default assumption that access should expire unless actively renewed.
02 · RoguePlanet's CVE assignment closes a documentation gap, not a security gap
This brief tracked RoguePlanet in the monitoring strip from Issue 59 through Issue 65 as an unpatched, uncredited zero-day. It now has a formal identifier and an acknowledgement from Microsoft, but the actual security posture for affected organisations has not changed at all: there is still no patch, and the exploit still works exactly as it did a week ago. The lesson is to separate the administrative status of a vulnerability, whether it has a CVE, whether a vendor has acknowledged it, from its actual exploitability. A named, tracked, vendor acknowledged vulnerability with no patch carries the same operational risk today as it did as an obscure proof of concept on a researcher's self hosted Git server.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.