
Supply Chain Vulnerability: 144 Mastra npm Packages Compromised in Major Attack

Recent findings reveal that 144 npm packages related to the Mastra framework were compromised, highlighting significant cybersecurity risks in software supply chains.

A recent analysis by cybersecurity firms including Endor Labs and JFrog has uncovered that 144 npm packages under the Mastra namespace ('@mastra/*') have been compromised through a hijacked contributor account. This incident, part of a broader software supply chain attack dubbed easy-day-js, underscores the vulnerabilities inherent in open-source software ecosystems. The attack was facilitated by a single npm account belonging to a contributor, raising serious concerns about access controls and the integrity of software dependencies relied upon by developers and organizations alike.

For businesses, this breach serves as a stark reminder of the importance of rigorous security practices when managing software supply chains. Companies utilizing open-source frameworks must enhance their monitoring and auditing processes for third-party packages to mitigate similar risks. This incident not only illustrates the potential for widespread disruption through supply chain attacks but also emphasizes the need for robust cybersecurity measures, including user access management and dependency scanning. As reliance on AI applications continues to grow, ensuring the integrity of the underlying software components becomes crucial for maintaining trust and security in technological solutions.
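A first step in the dependency auditing the article calls for is knowing exactly which `@mastra/*` packages and versions a project's lockfile pins, and where they resolve from. The script below is an added example, not code from the article or the Mastra project; it assumes an npm lockfile in v2/v3 format (a top-level `packages` map keyed by `node_modules/...` paths), and the embedded lockfile, its versions and integrity values are constructed placeholders, not real releases.

```python
import json

# Constructed sample lockfile (v3 layout). Versions and hashes are placeholders.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"@mastra/core": "0.0.0-placeholder"}},
        "node_modules/@mastra/core": {
            "version": "0.0.0-placeholder",
            "resolved": "https://registry.npmjs.org/@mastra/core/-/core-0.0.0-placeholder.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        # Nested copy resolved from a non-registry host and lacking an integrity hash.
        "node_modules/@mastra/core/node_modules/@mastra/deployer": {
            "version": "0.0.0-placeholder",
            "resolved": "https://mirror.invalid/@mastra/deployer.tgz",
        },
        "node_modules/left-pad": {"version": "1.3.0",
                                  "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
                                  "integrity": "sha512-PLACEHOLDER"},
    },
})

def package_name(path):
    """Map a lockfile key such as 'node_modules/a/node_modules/@s/b' to '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]

def scoped_packages(lockfile_text, scope="@mastra/"):
    """List every package in the given scope, including nested (deduplicated) copies."""
    data = json.loads(lockfile_text)
    found = []
    for path, entry in data.get("packages", {}).items():
        if not path:  # the "" key is the root project itself
            continue
        name = package_name(path)
        if name.startswith(scope):
            found.append({"name": name, "version": entry.get("version"),
                          "resolved": entry.get("resolved", ""),
                          "integrity": entry.get("integrity")})
    return found

def needs_review(entries, registry="https://registry.npmjs.org/"):
    """Flag entries with no integrity hash or resolved from an unexpected host."""
    return [e for e in entries
            if not e["integrity"] or not e["resolved"].startswith(registry)]

if __name__ == "__main__":
    entries = scoped_packages(SAMPLE_LOCKFILE)
    for e in entries:
        print(f'{e["name"]}@{e["version"]} <- {e["resolved"]}')
    for e in needs_review(entries):
        print("REVIEW:", e["name"])
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCKFILE` with the file's contents; the inventory it prints is what to compare against the vendor's advisory on affected versions.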

---

*Originally reported by [The Hacker News](https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html)*