144 npm packages of the AI developer platform Mastra were poisoned with malicious code through a hijacked contributor account.