Attacker hijacked maintainer credentials and injected typosquatted dependency (easy-day-js) into every Mastra package as a single line change, bypassing surface-level scanners.
Summary
Supply chain compromise at scale: 28 million monthly downloads across poisoned packages means dependency injection likely reached production builds. The attack pattern—clean carrier packages, malicious payload one level down—exposes gaps in automated scanning that only inspects direct package code.
Why it matters
Supply chain compromise at scale: 28 million monthly downloads across poisoned packages means dependency injection likely reached production builds. The attack pattern—clean carrier packages, malicious payload one level down—exposes gaps in automated scanning that only inspects direct package code.
Implementation verdict
Immediate action required: pin all Mastra packages to last provenance-backed releases before the 2026-06-17 malicious versions. Audit build logs for easy-day-js installs between 01:01–01:37 UTC (typosquat landed 11 minutes before sweep). This replaces trust in maintainer accounts; requires strict dependency pinning, postinstall hook auditing, and consideration of lock-file verification in CI. Not safe to use now without explicit version locks.
Sources
Dev Signal
Get briefs like this in your inbox — free, every weekday.
100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.