Mastra (@mastra/*) npm packages published from hijacked contributor account
Source headline: 144 Mastra npm Packages Compromised via Hijacked Contributor Account
Intelligence Summary
A software supply chain incident compromised many npm packages in the Mastra namespace (@mastra/*). Multiple reports indicate that a single npm contributor account was hijacked and then used to mass-publish packages. Findings from JFrog, SafeDep, Socket, and StepSecurity attribute the event to the easy-day-js campaign. The impacted packages may contain malicious changes that downstream developers could unknowingly install. Users should check whether they installed affected versions and verify package integrity before deploying to production.
Recommended Action
Review affected assets, schedule urgent remediation, and monitor related indicators.
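One way to carry out the review step for an npm project is to inventory every @mastra/* entry in the lockfile, including nested copies pulled in transitively. The following is an added example, not code from Mastra or from the reporting vendors; the `AFFECTED` map, the package names, and the sample lockfile are constructed placeholders, because this page lists no affected versions.

```javascript
// Added example, not from the Mastra project or the reporting vendors.
// AFFECTED is a placeholder map: the page lists no versions, so fill it from the advisories.
const AFFECTED = { "@mastra/example-pkg": ["0.0.0-placeholder"] };

// Constructed sample in npm lockfile v2/v3 layout (the "packages" map); hashes are dummies.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@mastra/example-pkg": {
      version: "0.0.0-placeholder",
      resolved: "https://registry.npmjs.org/@mastra/example-pkg/-/example-pkg-0.0.0-placeholder.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
    // Nested (transitive) copy with no integrity recorded.
    "node_modules/some-dep/node_modules/@mastra/other-pkg": { version: "1.2.3" },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-CONSTRUCTED" },
  },
};

// Returns one finding per installed @mastra/* package, with the reasons it needs review.
function auditMastra(lock, affected = AFFECTED) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/@mastra/core"; the last segment is the package.
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || meta.link) continue; // skip the root project and workspace links
    const name = path.slice(idx + "node_modules/".length);
    if (!name.startsWith("@mastra/")) continue;
    const reasons = [];
    if ((affected[name] || []).includes(meta.version)) reasons.push("listed-affected-version");
    if (!meta.integrity) reasons.push("missing-integrity");
    findings.push({ path, name, version: meta.version, reasons });
  }
  return findings;
}

// In a real project: auditMastra(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
console.log(JSON.stringify(auditMastra(SAMPLE_LOCK), null, 2));
```

A lockfile integrity hash only pins the tarball that was resolved when the lock was written, so its presence does not show that a version is clean. The match against the version list taken from the vendor advisories is the check that decides whether a package needs remediation.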