BREAKING
144 @mastra npm packages compromised
0
packages hit
0
M
weekly downloads
0
K
@mastra/core alone
How the attack unfolded
1
Hijack ehindero account
↓
2
Add easy-day-js typosquat
↓
3
Swap malicious v1.11.22
↓
4
Postinstall runs setup.cjs
Cross-platform infostealer payload
What developers should do now
Immediate steps
●
Roll back to mastra@1.13.0
●
Rotate all credentials
●
Check ~/.pkg_history IOC
Going forward
●
Use lockfiles
●
Verify provenance/SLSA
●
Pin exact versions
Stay alert and verify sources
AI NEWS BLITZ
A supply chain attack hit the @mastra npm scope with credential-stealing malware.