THREATOPS
THREAT OPSThreat News › A Forgotten Contributor Account Compromised the Entire Mastra npm Package Scope

A Forgotten Contributor Account Compromised the Entire Mastra npm Package Scope

lowsnykPublished 2026-06-16

A dormant contributor account was used to republish the entire @mastra npm scope, each injected with a single dependency, easy-day-js, that drops a cross-platform cryptocurrency stealer. Here is how the attack worked, how to check exposure, and how to remediate.

Original source: https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/