The Hacker News · Thursday · June 18, 2026

144 Mastra npm Packages Compromised via Hijacked Contributor Account

npm · supply-chain · mastra · security

The Mastra npm package ecosystem suffered a supply chain attack after a contributor account was hijacked. The attacker published malicious versions of 144 packages, which were designed to exfiltrate sensitive data such as credentials and environment variables. The compromised packages were available on the npm registry for an unspecified period before the incident was detected. The Mastra team has since revoked the hijacked account's access and removed the malicious versions. Users are advised to rotate any credentials that may have been exposed. The attack highlights the ongoing risk of account hijacking in open-source ecosystems.

// why it matters

Compromised npm packages can lead to credential theft and supply chain attacks in developer environments.

Sources

Primary · The Hacker News