Security researchers have uncovered a software supply chain attack on the JavaScript ecosystem in which 144 npm packages associated with the Mastra framework were compromised in a single coordinated incident. The breach underscores the persistent weaknesses of open-source package management and the growing sophistication of attacks aimed at development infrastructure.
The attack, codenamed "easy-day-js," specifically targeted the Mastra namespace ("@mastra/*"), which is widely used for building artificial intelligence applications in JavaScript and TypeScript. According to researchers from JFrog, SafeDep, Socket, and StepSecurity, the breach was carried out through a single hijacked npm account (ehindero) that was used to mass-publish malicious packages. With unauthorized access to that contributor's account, the attacker could distribute tainted package versions that countless developers may have unknowingly pulled into their projects. Organizations using any Mastra framework components should immediately audit their dependencies, checking lockfiles and transitive dependencies rather than only the direct entries in package.json.
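One way to carry out that audit, as an added example that is not part of the original article or of the Mastra project's own tooling: a script that walks a package-lock.json (lockfileVersion 2 or 3, where every installed package, including nested transitive copies, appears under "packages"), picks out everything under the @mastra/ scope, and compares each entry against an allowlist of versions and integrity hashes you recorded as good before the incident. The lockfile content, the allowlist, and the hash values below are constructed for illustration and are not real Mastra releases; the allowlist must come from your own records.

```javascript
"use strict";
// Added example (not from the article or the Mastra project): audit a
// package-lock.json for every package under a given npm scope, including
// transitive copies nested under other packages, and compare each against an
// allowlist of versions/integrity hashes verified before the incident.
// The lockfile and allowlist below are constructed for illustration only.

const SCOPE = "@mastra/";

// Constructed lockfileVersion 3 package-lock.json (abridged); not a real lockfile.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@mastra/core": "^0.1.0" } },
    "node_modules/@mastra/core": {
      version: "0.1.2",
      resolved: "https://registry.npmjs.org/@mastra/core/-/core-0.1.2.tgz",
      integrity: "sha512-AAAA",
    },
    "node_modules/@mastra/memory": {
      version: "0.1.9",
      resolved: "https://registry.npmjs.org/@mastra/memory/-/memory-0.1.9.tgz",
      integrity: "sha512-BBBB",
    },
    // Transitive copy pulled in by another dependency; absent from package.json.
    "node_modules/some-lib/node_modules/@mastra/rag": {
      version: "0.1.1",
      resolved: "https://registry.npmjs.org/@mastra/rag/-/rag-0.1.1.tgz",
      integrity: "sha512-ZZZZ",
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-DDDD",
    },
  },
});

// Hypothetical allowlist: the last versions and tarball hashes you verified as good.
const KNOWN_GOOD = {
  "@mastra/core": { version: "0.1.2", integrity: "sha512-AAAA" },
  "@mastra/rag": { version: "0.1.1", integrity: "sha512-CCCC" },
};

// Package name from a lockfile path such as "node_modules/a/node_modules/@s/b".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one finding per scoped package: status "ok", "review" (no record to
// compare against) or "alert" (version, hash or source differs from the record).
function auditLockfile(lockfileText, scope, knownGood) {
  const lock = JSON.parse(lockfileText);
  if (!lock.packages) throw new Error("lockfileVersion 2 or 3 required (needs 'packages')");
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(lockPath);
    if (!name || !name.startsWith(scope)) continue;
    const finding = { name, path: lockPath, version: entry.version, status: "ok", reasons: [] };
    // More than one "node_modules/" segment means the copy is nested under another package.
    if (lockPath.split("node_modules/").length > 2) {
      finding.reasons.push("transitive (nested under another package)");
    }
    const good = knownGood[name];
    if (!good) {
      finding.status = "review";
      finding.reasons.push("no known-good record for this package");
    } else if (good.version !== entry.version) {
      finding.status = "alert";
      finding.reasons.push(`version ${entry.version} differs from known-good ${good.version}`);
    } else if (good.integrity !== entry.integrity) {
      finding.status = "alert";
      finding.reasons.push("tarball integrity differs from known-good record (same version number)");
    }
    // Anything not resolved from the public registry deserves a look regardless of version.
    if (!/^https:\/\/registry\.npmjs\.org\//.test(entry.resolved || "")) {
      finding.status = "alert";
      finding.reasons.push(`resolved from unexpected source: ${entry.resolved}`);
    }
    findings.push(finding);
  }
  return findings;
}

function main() {
  for (const f of auditLockfile(SAMPLE_LOCKFILE, SCOPE, KNOWN_GOOD)) {
    console.log(`[${f.status}] ${f.name}@${f.version} (${f.path})`);
    for (const r of f.reasons) console.log(`    - ${r}`);
  }
}
main();
```

Against the constructed lockfile this reports @mastra/core as ok, @mastra/memory as needing review (no record), and the nested @mastra/rag as an alert because its tarball hash does not match the record even though the version number does. In practice, replace SAMPLE_LOCKFILE with `fs.readFileSync("package-lock.json", "utf8")` and run it across every repository and CI image that installs from the scope; a version absent from your allowlist is the signal to investigate, not proof of compromise.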