144 Mastra npm Packages Compromised via Hijacked Contributor Account
A software supply chain attack codenamed easy-day-js compromised 144 npm packages associated with the Mastra namespace, a popular open-source framework for building AI applications, after attackers mass-published more than 140 malicious packages within an 88-minute automated window using a single hijacked npm account. The malicious code was introduced through a third-party dependency named “easy-day-js” — a functional clone of the legitimate “dayjs” date library — that triggers a postinstall hook downloading a cryptocurrency-stealing remote access trojan from attacker infrastructure after disabling TLS certificate validation. Because Mastra sits at the intersection of AI development and cloud infrastructure, packages built on it are routinely installed in environments holding sensitive credentials, making this an especially high-value target; developers using any Mastra-scoped package should audit recent installs and rotate exposed credentials immediately.
Fifteen JetBrains Marketplace Plugins Steal API Keys
Researchers at Aikido identified at least 15 malicious IDE plugins on the JetBrains Marketplace, dating back to October 2025 with new releases as recently as June 10, all posing as legitimate AI coding assistants offering chat, commit message generation, code review, and bug-finding features built on models like DeepSeek and OpenAI. The plugins function exactly as advertised, but the AI provider API key a user enters during setup — which feels routine since the plugin needs it to call the model — gets silently exfiltrated to attacker-controlled infrastructure. Two of the plugins, CodeGPT AI Assistant and DeepSeek AI Assist, show more than 25,000 downloads each, though it’s unclear whether those numbers are authentic or artificially inflated; developers who have installed AI-themed JetBrains plugins should review the full list and rotate any API keys entered into them.
“We Hit the UK Hard”: 9 Million Targeted in Boots Gift Scam Hosted on Hacked Government Website
Nearly 9 million people were targeted in a large-scale phishing campaign impersonating UK retail giant Boots, using personalized fake customer survey and free-gift emails to harvest personal details and payment card information. The attackers hosted the fraudulent Boots page on a compromised Bolivian government website to lend the scam additional credibility, and researchers believe the operation was run by Romanian-speaking threat actors who were simultaneously rotating similarly themed scams impersonating HMRC and Solana. Huntress, which uncovered the phishing infrastructure, notified both the affected domain owner and Bolivia’s national CSIRT — but the scale and personalization of the campaign underscore how convincingly brand impersonation can be staged using compromised, seemingly unrelated infrastructure.
FTC Warns of Record $3.5 Billion Losses to Imposter Scams in 2025
The FTC reported that Americans lost $3.5 billion to imposter scams in 2025, with reported losses nearly tripling since 2020, making imposter scams the most reported fraud category last year at nearly one in three fraud reports filed with the agency. Victims lost almost $1 billion to business impersonators — bank impersonators were the most lucrative — and roughly $920 million to government impersonators, while social media emerged as the most cost-effective vector for scammers, with losses there increasing eightfold since 2020 to surpass $2.1 billion. The report adds further context to the FBI’s own 2025 Internet Crime Report, which found Americans lost nearly $21 billion to cyber-enabled crime overall last year, underscoring how impersonation-based social engineering continues to scale faster than most technical attack categories.
Iranian Cyber Group Handala Claims Cal Water Hack
The Iran-linked threat actor Handala claimed to have hacked California Water Service, one of the largest investor-owned water utilities in the US with roughly two million customers, publishing 5GB of allegedly stolen data including customer personal information and credentials for the utility’s RTKBase GNSS platform. The group, widely believed to be a front for an Iranian state-sponsored actor operating under Iran’s Ministry of Intelligence and Security, framed the intrusion as retaliation for recent US military action against Iran and claimed it could have disrupted water service but chose not to. Threat intelligence firm Dataminr assessed that Handala likely compromised the RTKBase instance before moving laterally into a billing system, and warned that the group’s typical pattern involves an initial claim followed by escalated, potentially destructive follow-on activity — Cal Water has confirmed it is investigating and reports no disruption to water or wastewater operations so far.
