Security researchers have uncovered a concerning software supply chain attack targeting the popular JavaScript ecosystem, with 144 npm packages associated with the Mastra framework compromised in a single coordinated incident. This significant breach underscores the persistent vulnerabilities in open-source package management systems and highlights the growing sophistication of attacks targeting development infrastructure.
The attack, codenamed "easy-day-js," specifically targeted the Mastra namespace ("@mastra/*"), which is widely used for building artificial intelligence applications in JavaScript and TypeScript. According to researchers from JFrog, SafeDep, Socket, and StepSecurity, the breach was executed through a single hijacked npm account (ehindero) that was used to mass-publish malicious packages. The attacker gained unauthorized access to a contributor's account, allowing them to distribute tainted versions of packages that countless developers may have unknowingly integrated into their projects. Organizations utilizing any Mastra framework components should immediately audit their dependencies.
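One way to carry out that dependency audit, as an added example that is not part of the original article: a Python script that walks a package-lock.json (v1 and v2/v3 layouts) and lists every package resolved under the "@mastra/" scope, flagging any whose version appears on a list of known-bad versions. The known-bad list is a placeholder because the article does not enumerate affected versions, and the sample lockfile is constructed.

```python
import json
from typing import Dict, List, Set

# Scope named in the advisory. The version list is a placeholder: the article
# does not enumerate affected versions, so fill it from an authoritative advisory.
AFFECTED_SCOPE = "@mastra/"
KNOWN_BAD_VERSIONS: Dict[str, Set[str]] = {}  # e.g. {"@mastra/core": {"x.y.z"}}


def scoped_packages(lockfile: dict, scope: str = AFFECTED_SCOPE) -> Dict[str, str]:
    """Return {package name: resolved version} for every lockfile entry in `scope`.
    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path, which may
    be nested) and lockfileVersion 1 ("dependencies" keyed by package name)."""
    found: Dict[str, str] = {}
    for path, meta in lockfile.get("packages", {}).items():
        # The root entry has path "" and is never a scoped dependency.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name.startswith(scope):
            found[name] = meta.get("version", "?")

    def walk(deps: dict) -> None:  # v1 lockfiles nest dependencies recursively
        for name, meta in deps.items():
            if name.startswith(scope):
                found[name] = meta.get("version", "?")
            walk(meta.get("dependencies", {}))

    walk(lockfile.get("dependencies", {}))
    return found


def audit(lockfile: dict, bad: Dict[str, Set[str]] = KNOWN_BAD_VERSIONS) -> List[str]:
    """One report line per scoped package; COMPROMISED if its version is on the bad list,
    otherwise 'review' so a human still confirms it against the current advisory."""
    report = []
    for name, version in sorted(scoped_packages(lockfile).items()):
        flag = "COMPROMISED" if version in bad.get(name, set()) else "review"
        report.append(f"{flag}: {name}@{version}")
    return report


# Constructed sample lockfile (v3 layout) with a nested scoped package; not a real project.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@mastra/core": {"version": "9.9.9"},
        "node_modules/foo/node_modules/@mastra/memory": {"version": "1.2.3"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}

if __name__ == "__main__":
    # Constructed bad-version entry purely to show the flagging path.
    for line in audit(SAMPLE_LOCK, {"@mastra/core": {"9.9.9"}}):
        print(line)
```

Run it against a real project with `audit(json.load(open("package-lock.json")))` after filling KNOWN_BAD_VERSIONS from the advisory you trust.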