Researchers from JFrog, SafeDep, Socket, and StepSecurity have identified a large-scale software supply chain attack targeting the Mastra open-source JavaScript and TypeScript framework. The incident, tracked internally as "easy-day-js," saw 144 npm packages under the @mastra/* namespace compromised via a single npm account named "ehindero." Mastra is widely used for building artificial intelligence applications, raising concerns about downstream impacts on AI projects.

The exact severity of the compromise remains under investigation, but the number of affected packages makes the scale of the breach clear. According to the researchers, the attacker used a hijacked contributor account to mass-publish malicious versions across the namespace. No CVE identifier or CVSS score has been published, which is expected for a hijacked publishing account rather than a code defect, and no detailed timeline has been released yet; even so, active tampering with a popular AI framework raises the risk for every project that depends on the Mastra ecosystem.

Technically this is a publish-side supply chain injection: the attacker used the compromised ehindero account to push altered versions of existing packages to the registry, so any project whose version ranges admitted those releases would have picked them up on the next install or update. Indicators of compromise are still being analyzed, but the researchers urge developers to audit every @mastra/* dependency resolved since the account was taken over. The attack hinged on stolen publishing credentials, not on a zero-day vulnerability in the npm registry itself.

Mitigation steps include pinning @mastra/* packages to versions known to predate the compromise and scrutinizing any recent update from the namespace. No official clean re-release had been announced at the time of writing; the maintainers are presumably working to revoke the attacker's access and remove the malicious versions from the registry. Developers should compare the versions and integrity hashes recorded in their lockfiles against known-good values (for example, a lockfile committed before the incident) and treat this as a high-priority incident until further notice. Because npm packages can run lifecycle scripts at install time, a machine that installed a tampered release should be examined rather than simply rolled back.

Attribution for the attack remains unclear, with no group claiming responsibility. The incident joins a growing list of supply chain attacks targeting open-source ecosystems, particularly those tied to AI and machine learning frameworks, where trust in package integrity is paramount.