AIThe Hacker Newsabout 7 hours ago

144 Mastra npm Packages Compromised via Hijacked Contributor Account

1 min read

A single npm account (ehindero) published 140+ malicious packages across the Mastra scope on June 17, 2026. The packages add a dependency called easy-day-js, a cloned dayjs library that downloads a cross-platform information stealer targeting browser history and 160+ cryptocurrency wallet extensions.

Level

Hype check

Tap to vote and see what everyone thinks.

#npm #supply chain #mastra

Malicious JetBrains Marketplace plugins steal AI API keys from developers

144 Mastra npm Packages Compromised via Hijacked Contributor Account

More to chew on!

More to chew on!