ai frameworks

Jun 18, 2026 5 min read

Mastra Supply Chain Attack Backdoors 144 AI Framework npm Packages

An attacker compromised a stale npm contributor account on June 17, 2026 and republished 144 packages in the @mastra scope with a malicious typosquatted dependency that installs a cryptocurrency-stealing RAT. Developers building AI applications with Mastra's 1.1 million weekly downloads should rotate all credentials immediately.