Post
CRITICAL ⚡ MUST-KNOW

144 Mastra npm Packages Compromised in Supply Chain Attack

· supply-chain · npm · llm · malware

As many as 144 npm packages under the “@mastra/*” namespace — used by the open-source Mastra framework for building AI applications — were compromised in a supply chain attack tracked as “easy-day-js.” A single hijacked npm account (“ehindero”) was used to mass-publish malicious versions of the packages. The compromise was jointly identified by JFrog, SafeDep, Socket, and StepSecurity. Teams depending on Mastra should audit lockfiles for affected versions, rotate credentials exposed to build environments that pulled the packages, and pin to known-good releases until the namespace is confirmed clean.