Mastra's npm supply chain compromise.
On June 17, an attacker took over the @mastra npm account, the publisher of a popular toolkit for building AI applications, and pushed 144 malicious package versions in under 90 minutes. Combined, those packages are downloaded more than a million times a week.
The trick sat one level down. The packages pulled in a dependency called easy-day-js, a near-perfect copy of a common date library that even reused the original author's name and links. After install, it quietly downloaded a second program, ran it, then deleted itself. Developers who install these packages tend to hold AI keys, cloud credentials, and database passwords on the same machine.
npm trusts whoever holds the publishing account. Once that account is taken, every project that pulls the package inherits the attacker's code, and the damage spreads before anyone reads the diff.