144 Mastra npm Packages Compromised via Hijacked Contributor Account
On March 15, 2024, 144 npm packages in the Mastra namespace (@mastra/*) were compromised in a software supply chain attack tracked as easy-day-js. The attack went through a single npm account, ehindero, which the attackers used to mass-publish malicious versions across those packages. Mastra is a widely used open-source framework for building artificial intelligence (AI) applications in JavaScript and TypeScript.

Security researchers from JFrog, SafeDep, Socket, and StepSecurity collaborated to determine the extent of the compromise. The code injected into the packages was designed to steal environment variables and could potentially execute arbitrary commands on developer systems. JFrog's initial analysis indicated that the compromised packages were downloaded over 300,000 times.

Rather than shipping an obviously new payload, the attackers made small modifications to the existing package code so that the added functionality did not stand out on casual inspection. The incident underscores the ongoing risk in open-source software supply chains and the need for strong security controls around package registries such as npm. Developers who depend on packages from the Mastra namespace are advised to review their dependencies and audit their systems for signs of compromise. The investigation into the full impact of the easy-day-js attack, and into who is behind it, is ongoing.
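As an added example that is not part of the original report, the script below enumerates every @mastra/* package pinned in a project's package-lock.json (lockfile v2/v3 format) and flags the ones npm recorded as carrying install-time lifecycle scripts, so a team has a concrete list of versions to compare against the publisher's advisory. The lockfile contents, package names other than @mastra/core, and all version numbers are constructed for the example.

```javascript
// Constructed sample lockfile (not a real project's lock); versions are invented.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@mastra/core": "^0.1.0" } },
    "node_modules/@mastra/core": {
      version: "0.1.3",
      resolved: "https://registry.npmjs.org/@mastra/core/-/core-0.1.3.tgz",
      hasInstallScript: true, // npm sets this when the package has (pre|post)install scripts
    },
    "node_modules/@mastra/memory": {
      version: "0.2.0",
      resolved: "https://registry.npmjs.org/@mastra/memory/-/memory-0.2.0.tgz",
    },
    // nested copy installed under another package's node_modules
    "node_modules/@mastra/core/node_modules/@mastra/deployer": { version: "0.1.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
});

// Lockfile keys are install paths; the package name is whatever follows the last "node_modules/".
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Return every installed package whose name is inside `scope` (e.g. "@mastra"),
// including nested duplicates, with the fields an auditor needs to compare
// against an advisory: exact version, where it was resolved from, and whether
// npm recorded an install-time script for it.
function auditScope(lockJson, scope) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(installPath);
    if (!name || !name.startsWith(scope + "/")) continue;
    findings.push({
      name,
      version: meta.version,
      resolved: meta.resolved || null,
      hasInstallScript: Boolean(meta.hasInstallScript),
      path: installPath,
    });
  }
  // Stable ordering: by package name, then by install path for nested copies.
  findings.sort((a, b) => a.name.localeCompare(b.name) || a.path.localeCompare(b.path));
  return findings;
}

for (const f of auditScope(SAMPLE_LOCK, "@mastra")) {
  console.log(`${f.name}@${f.version}${f.hasInstallScript ? "  [install script]" : ""}  (${f.path})`);
}
```

Run it against a real project by replacing SAMPLE_LOCK with the contents of its package-lock.json; a package that appears with a version you did not expect, or with an install script you did not know about, is the one to examine first.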
Original source: The Hacker News (full reporting at the publisher).