Mastra npm scope hijacked: 144 AI-framework packages backdoored (easy-day-js)
A hijacked contributor account was used to republish 144 packages in the popular @mastra AI-agent npm scope with a malicious typosquatted dependency, easy-day-js, that pulled down a cross-platform remote-access trojan and cryptocurrency stealer onto any developer machine or build system that installed them.
- Victim
- Mastra (@mastra npm scope)