On 17 June 2026, attackers compromised a maintainer account associated with the Mastra npm organization and used it to republish 116 packages over a 27-minute period. Rather than modifying Mastra’s source code directly, the threat actor injected a malicious dependency, easy-da...

On 17 June 2026, attackers compromised a maintainer account associated with the Mastra npm organization and used it to republish 116 packages over a 27-minute period. Rather than modifying Mastra’s source code directly, the threat actor injected a malicious dependency, easy-da...

Source: Wiz
Source Link: https://threats.wiz.io/all-incidents/mastra-packages-trojanized-with-malicious-dependency