Your AI agent framework was backdoored overnight. 144 packages. 1.1 million weekly downloads. The attack started with a dormant account.

Here is what happened — and what it means for your development team.
Mastra is the dominant JavaScript/TypeScript framework for building AI agents. On June 16, an attacker hijacked “ehindero” — a real former Mastra contributor whose npm account went dormant in early 2025. His publish rights to the entire @mastra scope were never revoked.
First, the attacker published a clean, fully functional version of easy-day-js — a convincing copy of the popular dayjs library. No malicious code. Just credibility-building. That sat live for 18 hours.
Then at 01:01 UTC June 17, the same package received a silent update: an obfuscated postinstall hook that downloads a second-stage payload and self-deletes. Within 84 minutes, all 144 packages in the @mastra scope were republished with this poisoned dependency injected.
The payload is a cross-platform infostealer. It goes after developer credentials, cloud API tokens, browser session data, and cryptocurrency wallets. Because Mastra pipelines connect to production databases and internal APIs, and because a postinstall hook runs on whatever machine performs the install (CI runners included), the credentials at risk were not just dev machine credentials.
Exposure window: approximately 4 hours before npm removed the packages.
The uncomfortable part: this was not a sophisticated zero-day. It was an access lifecycle failure. One account. Never cleaned up. 18 months of dormancy. Full scope access retained.
Three things to check now:
1. Audit your npm organisation's member list and each package's maintainer list (publish rights can be granted at either level). Remove, or at least strip publish rights from, anyone who hasn't published in 6 months; a dormant account that keeps scope-wide rights is exactly the path this attack took.
2. Check CI/CD pipeline logs for any @mastra/* install between June 17 00:00 and 06:00 UTC. A postinstall hook runs on the CI runner just as it does on a laptop, so an install in that window means the runner's secrets were within reach.
3. Rotate any credentials that ran through a Mastra-dependent pipeline or workstation in that window: npm tokens, cloud API keys, CI secrets, database credentials, anything injected as an environment variable. Treat them as exposed rather than waiting for proof of exfiltration.
This is the 14th confirmed supply chain attack on developer tooling in 2026. The attack surface has converged on AI-native development frameworks. If your team builds AI agents, your dependency tree is now a threat surface your security team hasn’t mapped yet.
Links for a deeper technical dive are in the comments.