144 Mastra npm Packages Compromised
A major supply chain attack hit the JavaScript ecosystem. Attackers hijacked an npm contributor account named ehindero. They used this access to publish malicious updates to 144 packages under the @mastra namespace.
Mastra is a popular framework for building AI applications. This breach puts AI products at high risk.
How the attack worked:
- Attackers stole credentials or used phishing to take over a contributor account.
- They bypassed code reviews by using legitimate account permissions.
- They published poisoned code directly to trusted libraries.
- Downstream users automatically pulled this malicious code during installs or upgrades.
Risks for your AI applications:
- Theft of API keys and sensitive credentials.
- Changes to AI model behavior to produce unsafe outputs.
- Malicious code running in your CI/CD pipelines or cloud environments.
What you must do now:
- Audit your dependencies. Run npm ls --all | grep "@mastra/" to find affected packages, including transitive ones.
- Check for known vulnerabilities. Use npm audit or third-party scanners.
- Pin your versions. Do not use wildcards. Force your package.json to use a known safe version.
- Remove compromised packages immediately.
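An added example (not from the original post or the Mastra project) that goes one step past the grep above: it walks a package-lock.json to list every installed @mastra copy, including nested transitive ones, and flags package.json specs that are not pinned to one exact version. The package names and versions in the sample data are constructed placeholders, and the script assumes lockfileVersion 2 or 3.

```javascript
// Added example: inventory @mastra/* installs from a package-lock.json
// (lockfileVersion 2 or 3) and flag package.json specs that are not pinned.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const NM = "node_modules/";

// Every installed copy of a package in `scope`, including nested transitive copies.
function findScopedPackages(lock, scope) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(NM); // last segment names the package itself
    if (idx === -1 || !path.startsWith(NM + scope + "/", idx)) continue;
    hits.push({ name: path.slice(idx + NM.length), version: meta.version, path });
  }
  return hits;
}

// Direct dependencies in `scope` whose spec is a range, wildcard or dist-tag.
function findUnpinned(pkg, scope) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (name.startsWith(scope + "/") && !EXACT.test(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

// Constructed sample data: placeholder package names and versions, not real releases.
// For a real project: JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@mastra/example-a": { version: "0.0.1" },
    "node_modules/some-plugin/node_modules/@mastra/example-a": { version: "0.0.2" },
    "node_modules/@mastra/example-a/node_modules/lodash": { version: "4.17.21" },
    "node_modules/express": { version: "4.18.2" },
  },
};
const samplePkg = {
  dependencies: { "@mastra/example-a": "^0.0.1", "@mastra/example-b": "0.0.3", express: "*" },
  devDependencies: { "@mastra/example-c": "latest" },
};

for (const p of findScopedPackages(sampleLock, "@mastra")) {
  console.log(`installed ${p.name}@${p.version} at ${p.path}`);
}
for (const d of findUnpinned(samplePkg, "@mastra")) {
  console.log(`not pinned: ${d.name} "${d.spec}" in ${d.field}`);
}
```

Pinning package.json does not freeze the nested copy that another package pulls in; the lockfile inventory is what shows it.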
Security in open source relies on account safety. One compromised account can poison thousands of projects. Protect your supply chain by enforcing multi-factor authentication and running regular dependency audits.
Check your dependencies today.