What happened
On June 17, 2026 (01:12–02:36 UTC), an attacker abusing a dormant former-contributor npm account ('ehindero', ~16 months inactive with scope access never revoked) republished 141–143 packages in the @mastra npm scope — including @mastra/core, mastra, and create-mastra — each with a single new dependency injected: easy-day-js. This package was a malicious clone of the popular dayjs date library: the clean version (1.11.21) was published a day earlier as cover; the malicious version (1.11.22) followed, and the @mastra packages referenced ^1.11.21, causing npm's caret-range resolution to silently pull in 1.11.22. The malicious install hook downloaded and ran a cryptocurrency-stealing remote access trojan (RAT) on any machine that ran npm install. npm pulled the malicious package versions after detection; Mastra revoked the hijacked account and published clean forward-rolled releases.
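The two mechanisms in the paragraph above, caret-range resolution floating `^1.11.21` to `1.11.22` and a lifecycle install hook running code on `npm install`, can be checked for before a release is consumed. The script below is an added illustration written for this advisory; it is not code from Mastra, SafeDep or npm. It implements npm's caret-range rule in a few lines (so it runs without the `semver` package) and audits a candidate package manifest against a known-good one, flagging newly introduced dependencies, floating ranges and install scripts. All manifests in it are constructed samples: the dependency names other than easy-day-js are placeholders, not the real @mastra/core dependency list, and the postinstall command is a placeholder.

```javascript
// Added example (not the advisory's or Mastra's code). Shows why ^1.11.21
// accepts 1.11.22, and a pre-install audit that diffs a candidate manifest
// against a known-good one. Sample manifests are constructed placeholders.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, following npm's rule:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// True if `version` falls inside the caret range `range` (e.g. "^1.11.21").
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const lo = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compareVersions(v, lo) >= 0 && compareVersions(v, caretUpperBound(lo)) < 0;
}

// Lifecycle scripts npm runs automatically during install.
const INSTALL_SCRIPTS = ['preinstall', 'install', 'postinstall'];

function installScriptsOf(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_SCRIPTS.filter((name) => name in scripts);
}

// Diff a candidate manifest against a known-good one and report findings.
function auditManifest(knownGood, candidate) {
  const before = knownGood.dependencies || {};
  const after = candidate.dependencies || {};
  const newDependencies = Object.keys(after).filter((name) => !(name in before));
  const changedRanges = Object.keys(after).filter(
    (name) => name in before && before[name] !== after[name]);
  // Ranges starting with ^ or ~ can resolve to a version newer than reviewed.
  const floatingRanges = Object.entries(after)
    .filter(([, range]) => /^[\^~]/.test(range))
    .map(([name]) => name);
  return { newDependencies, changedRanges, floatingRanges,
           installScripts: installScriptsOf(candidate) };
}

// Constructed samples: a known-good manifest and a republished one that
// gained one extra dependency. Placeholder names except easy-day-js.
const knownGoodManifest = {
  name: '@mastra/core', version: '0.0.0-placeholder',
  dependencies: { 'placeholder-dep-a': '^1.0.0', 'placeholder-dep-b': '2.3.4' },
};
const republishedManifest = {
  name: '@mastra/core', version: '0.0.0-placeholder',
  dependencies: { 'placeholder-dep-a': '^1.0.0', 'placeholder-dep-b': '2.3.4',
                  'easy-day-js': '^1.11.21' },
};
// Constructed sample of a dependency manifest that carries an install hook.
const hookedDependencyManifest = {
  name: 'easy-day-js', version: '1.11.22',
  scripts: { postinstall: 'node ./setup.js' }, // placeholder command
};

function demo() {
  const findings = auditManifest(knownGoodManifest, republishedManifest);
  const floats = caretSatisfies('^1.11.21', '1.11.22');
  console.log('new dependencies:', findings.newDependencies);
  console.log('^1.11.21 accepts 1.11.22:', floats);
  console.log('install scripts in dependency:', installScriptsOf(hookedDependencyManifest));
  return { findings, floats };
}

demo();
```

In a real pipeline the two manifests would be the `package.json` from the last reviewed tarball and from the candidate release, and a non-empty `newDependencies` or `installScripts` list would block the upgrade pending review. The floating-range finding is the general point: a committed lockfile installed with `npm ci` does not float, so lockfile diffs reviewed before merge, optionally with `npm install --ignore-scripts` in CI, are the practical control against this pattern.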
Why it matters
Mastra is a widely used open-source AI agent framework for building LLM-powered applications in JavaScript/TypeScript. Compromising @mastra/core and the parent mastra package gives attackers code execution on every developer workstation and CI runner that installs the framework. The attack technique — stale contributor access + typosquatted transitive dependency + caret-range auto-upgrade — requires no vulnerability in npm itself and is replicable against any AI framework ecosystem with similar access hygiene gaps.
Attack vector
Attacker hijacks a stale npm contributor account with retained scope publish rights, republishes 143 packages with an injected malicious transitive dependency that drops a RAT on npm install via a postinstall hook.
Affected systems
@mastra npm scope packages (143 packages including @mastra/core, mastra, create-mastra) — malicious versions published June 17, 2026; easy-day-js@1.11.22 (malicious dependency)
Mitigation
Upgrade all @mastra packages to the clean forward-rolled versions published after June 17, 2026; audit developer machines and CI runners that ran npm install during the compromise window for RAT persistence; revoke and rotate all credentials and tokens on affected machines. See SafeDep analysis: https://safedep.io/mastra-npm-scope-takeover-supply-chain-attack