Mastra npm Supply Chain Attack Backdoors 144 Packages
Key insights
- Former contributor account "ehindero" retained @mastra npm scope access after leaving, letting attackers publish over 140 malicious packages in just 88 minutes.
- Malware was hidden in "easy-day-js," a fake clone of the legitimate dayjs library, executing automatically via npm postinstall hooks before any import occurs.
- @mastra/core alone exceeds 918,000 weekly downloads, giving this supply chain attack a large potential blast radius across AI application development teams.
Why this matters
AI development teams using Mastra face a demonstrated path where a single unrevoked contributor credential silently backdoors 144 packages reaching nearly a million weekly installs with no changes required to the primary repository. The payload specifically targets 160+ cryptocurrency wallet extensions alongside enterprise credentials, meaning affected developers face simultaneous financial theft and organizational security exposure from a single compromised install. Postinstall hooks execute before any developer inspection occurs, making dependency pinning and code review insufficient defenses without active access revocation and install-time sandboxing policies.
Summary
144 @mastra npm packages were backdoored on June 17, 2026 via a hijacked contributor account, hitting the Mastra open-source AI framework for JavaScript and TypeScript developers.
Attackers compromised "ehindero," a former contributor whose scope access was never revoked, then published over 140 malicious packages in just 88 minutes. The malware was not embedded directly in the packages but in "easy-day-js," a fake clone of the legitimate dayjs date library, which fires via a postinstall hook to drop a cross-platform information stealer across Windows, macOS, and Linux.
Essentially: the Mastra incident on npm shows how one unrevoked contributor account turns a trusted package namespace into a ready-made attack vector.
- Stealer targets 160+ cryptocurrency wallet extensions plus browser history and credentials
- @mastra/core alone draws over 918,000 weekly downloads, giving the campaign a large potential blast radius
- Payload executes at install time, before any package is imported, bypassing developer-side inspection
For AI teams building on npm, postinstall hooks are now an active exploit surface that access revocation policies, not just code review, must address.
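Because the payload rode in on a transitive dependency's postinstall hook, a defender's first question is "which of my packages declare install scripts, and what pulled them in?" As an added example (not code from the original report or from the Mastra project), the script below answers that from a lockfileVersion 3 `package-lock.json` alone, using the `hasInstallScript` flag npm records; the lockfile object is constructed here, the @mastra/core to easy-day-js edge mirrors the article's description, and the versions are placeholders.

```javascript
// Added example: find packages in a lockfileVersion 3 package-lock.json that run
// install-time scripts (npm marks them "hasInstallScript"), without installing.
// Constructed sample lockfile (not real registry data); versions are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@mastra/core": "0.0.0-placeholder", dayjs: "1.x" } },
    "node_modules/@mastra/core": { dependencies: { "easy-day-js": "0.0.0-placeholder" } },
    "node_modules/easy-day-js": { hasInstallScript: true }, // postinstall hook fires on install
    "node_modules/dayjs": { version: "1.x" }, // the legitimate library, no scripts
  },
};
// Resolve dependency `name` as npm does: walk up from the dependant's directory
// to the nearest node_modules/<name> entry; null if the lockfile lacks it.
function resolveDep(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const key = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (key in packages) return key;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
// Breadth-first walk from the root entry; returns each scripted package with
// the dependency chain (root dependency first) through which it was pulled in.
function findInstallScripts(lock) {
  const { packages } = lock;
  const hits = [];
  const queue = [["", []]];
  const seen = new Set([""]);
  while (queue.length) {
    const [key, chain] = queue.shift();
    const entry = packages[key] || {};
    if (key && entry.hasInstallScript) {
      hits.push({ key, chain: chain.join(" > ") });
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depKey = resolveDep(packages, key, dep);
      if (depKey && !seen.has(depKey)) {
        seen.add(depKey);
        queue.push([depKey, [...chain, dep]]);
      }
    }
  }
  return hits;
}
```

Point it at a real lockfile with `findInstallScripts(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; pairing the audit with `ignore-scripts=true` in `.npmrc` keeps any newly appearing hook from running until someone has looked at it.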
Potential risks and opportunities
Risks
- Developers who installed any of the 144 @mastra packages during the 88-minute publication window may have persistent information-stealing malware with live C2 connectivity active across Windows, macOS, and Linux systems
- Organizations building AI applications on Mastra face potential exfiltration of environment secrets and API keys, which could expose downstream AI pipelines, model endpoints, and production infrastructure
- The 160+ cryptocurrency wallet extensions targeted by the stealer put individual developers at direct financial risk if crypto credentials were harvested before packages were removed
Opportunities
- npm package security vendors (Socket.dev, Phylum, Snyk) can demonstrate real-time postinstall hook detection as a differentiated capability following this high-visibility attack on a major AI framework
- Mastra maintainers have grounds to implement mandatory MFA and automated scope-access revocation, potentially establishing a contributor offboarding model for AI-adjacent open-source projects
- Enterprises procuring AI development tooling now have a concrete incident to justify requiring software composition analysis with install-time sandboxing as a vendor security baseline in procurement
What we don't know yet
- Whether npm's security team removed all 144 malicious packages, and how long they remained installable between the end of the 88-minute publication window and the public takedown on June 17, 2026
- How many of the 918,000+ weekly @mastra/core installers ran affected versions, and whether Mastra or npm has confirmed any credential exfiltrations or active infections
- Attribution behind the hijack of the "ehindero" account remains unconfirmed, with no threat actor, ransomware group, or nation-state link identified in public reporting
Originally reported by thehackernews.com
Original headline: 144 Mastra AI Framework npm Packages Backdoored via Hijacked Contributor Account — 1.1M Weekly Downloads Exposed to Info-Stealing Dropper