BREAKING
144 @mastra npm packages compromised
0
packages hit
0M
weekly downloads
0K
@mastra/core alone
How the attack unfolded
1Hijack ehindero account
2Add easy-day-js typosquat
3Swap malicious v1.11.22
4Postinstall runs setup.cjs
Cross-platform infostealer payload
What developers should do now
Immediate steps
Roll back to mastra@1.13.0
Rotate all credentials
Check ~/.pkg_history IOC
Going forward
Use lockfiles
Verify provenance/SLSA
Pin exact versions
Stay alert and verify sources
AI NEWS BLITZ
A supply chain attack hit the @mastra npm scope with credential-stealing malware.