SECURITYTHE HACKER NEWS
144 Mastra npm Packages Compromised via Hijacked Contributor Account
144 npm packages under the Mastra namespace (@mastra/*) were compromised in a supply chain attack named easy-day-js. A single npm account (ehindero) was used to mass-publish malicious packages, according to findings from JFrog, SafeDep, Socket, and StepSecurity.
Mentioned
Related Signal
Adjacent reporting
- IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks
- Shai Hulud attack ships signed malicious TanStack, Mistral npm packages
- New Shai-Hulud malware wave compromises 600 npm packages
- SAP npm Packages Compromised by “Mini Shai-Hulud” Credential-Stealing Malware
- TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attack
- Lone attacker published 14 malicious npm packages mimicking popular OpenSearch, Elasticsearch libraries