144 npm packages in the Mastra AI framework namespace were compromised after an attacker hijacked a contributor’s npm account, in an attack dubbed ’easy-day-js’. The malicious packages could have been pulled into AI application builds by developers unaware of the compromise. This is a classic software supply chain attack, where trust in a legitimate open-source project is exploited to distribute malicious code at scale.

Security Architect’s Take: Audit your dependency trees immediately for any ‘@mastra/*’ packages and verify package integrity against known-good checksums or publish timestamps. Enforce npm account MFA requirements for all contributors in internally mirrored or approved package registries, and consider implementing a software composition analysis (SCA) tool with real-time supply chain monitoring to catch future account hijack incidents before they reach your builds.

Original advisory: 144 Mastra npm Packages Compromised via Hijacked Contributor Account