144 Mastra npm Packages Compromised via Hijacked Contributor Account
Summary
A software supply chain attack, codenamed easy-day-js, compromised 144 npm packages in the Mastra namespace. The attacker used a hijacked contributor account to publish versions of these AI-development packages that carry malicious code.
IFF Assessment
This incident is a software supply chain attack: malicious code was introduced into widely used development packages, so every downstream application that installs an affected version inherits the compromise. The risk extends to defenders' own tooling and build pipelines, which may pull these packages without anyone having been targeted directly.
Defender Context
This incident shows how a single compromised maintainer or contributor account can inject malicious code into many open-source packages at once. Defenders should treat dependency integrity as something to verify rather than assume: pin exact versions and commit the lockfile, install from it with npm ci so that only the recorded versions and integrity hashes are used, and review lockfile diffs before merging. New versions of packages under an affected scope, packages that have newly gained install scripts (these run at install time), and tarballs resolved from an unexpected registry all deserve a closer look. A burst of releases across many packages from one publisher is the pattern a hijacked account tends to produce, so alert on it, and protect your own publishing accounts with multi-factor authentication and scoped, short-lived publish tokens.