144 Mastra npm Packages Compromised via Hijacked Contributor Account

As many as 144 npm packages associated with the Mastra namespace ("@mastra/*"), a popular open-source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised as part of a software supply chain attack codenamed easy-day-js, per findings from JFrog, SafeDep, Socket, and StepSecurity. "A single npm account (ehindero) mass-published more

The article reports that a hijacked contributor account was used to compromise around 144 npm packages in the @mastra namespace, an open-source JavaScript/TypeScript framework for building AI applications, as part of the "easy-day-js" software supply chain attack.[1][7] Security researchers from JFrog, SafeDep, Socket, and StepSecurity found that a malicious dependency (easy-day-js) was mass-added across the Mastra ecosystem, impacting packages with significant download volume.[1][7] From a CyberSE.AI perspective, this illustrates a critical AI supply chain risk: AI frameworks and libraries can be poisoned through compromised maintainer accounts and typosquatted dependencies, so organizations should enforce SBOM-based dependency tracking, lockfile and provenance verification, and strong maintainer account security as part of an AI-focused supply chain and readiness program.