
144 Mastra npm Packages Compromised via Hijacked Contributor Account


At a glance: 144 npm packages of the AI developer platform Mastra were poisoned with malicious code through a hijacked contributor account.

144 npm packages in the Mastra namespace (@mastra/*), a popular open-source framework for AI applications in JavaScript and TypeScript, were compromised through a supply chain attack dubbed “easy-day-js”. The incident was documented by security research teams from JFrog, SafeDep, Socket, and StepSecurity.

A single npm account (ehindero) published manipulated versions of well-known Mastra packages in bulk. Because Mastra is widely used as a framework for AI applications, the reach of this compromise is considerable: development teams that depend on @mastra/* packages may have pulled the malicious code into their projects without noticing.

Supply chain attacks on npm packages matter to CTOs because they break the chain of trust between development and production. A hijacked contributor account lets an attacker publish releases that look legitimate, and maintainers may not notice for some time. Particularly problematic: many organizations do not review every update for suspicious code; new versions are picked up automatically through floating semver ranges, lockfile refreshes, or CI jobs that install whatever the registry currently serves.

That it took the combined detective work of several security vendors to surface the incident shows how much uncovering such attacks depends on continuous monitoring of package registries rather than on chance. CTOs should review their npm audit processes, identify the affected versions named in the vendor reports, and re-audit every dependency tree that pulled them in, including transitive and nested copies.


Source: thehackernews.com · Published June 17, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
