Over 140 popular Mastra npm Packages Hit by Supply Chain Attack

June 17, 2026

The open-source software ecosystem suffered a massive blow as a coordinated supply chain attack simultaneously compromised over 140 popular npm packages tied to the Mastra framework. The threat actors successfully injected a malicious dependency directly into the core installation frameworks. This dependency is designed to trigger automatically at install time, executing a silent download of a secondary stage payload. Because this occurs right during the npm install phase, developer workstations and automated build agents are exposed to immediate code execution risks before any application code is even run.Mitigation necessitates an immediate freeze on all Mastra-related package updates across local environments and production build containers. Developers must check lockfiles for unauthorized dependencies, purge local node_modules caches, and pull clean, verified versions issued by the package maintainers. Implementing strict network boundaries that block arbitrary external script fetching during build execution is highly recommended.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.

Table of Contents
Resource Type
Threat Intel
Category
DevSecOps
Written by
Cyberlinx Research Team
Offensive Security Research Team
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?