More than 140 Mastra packages on npm, with over 28 million monthly downloads, compromised with malware in a supply-chain attack
The malicious script "easy-day-js", added by the attacker as a dependency of the libraries, collects browser history and data stored in more than 160 cryptocurrency wallet extensions, as well as API keys, GitHub and npm tokens, and cloud provider credentials. Below is a list of the infected versions, most of which have already been removed from the repository.
| Package | Version |
|---|---|
| @mastra/acp | 0.2.2 |
| @mastra/agent-browser | 0.3.2 |
| @mastra/agent-builder | 1.0.42 |
| @mastra/agentcore | 0.2.2 |
| @mastra/agentfs | 0.1.1 |
| @mastra/ai-sdk | 1.4.6 |
| @mastra/arize | 1.2.3 |
| @mastra/arthur | 0.3.3 |
| @mastra/astra | 1.0.2 |
| @mastra/auth | 1.0.3 |
| @mastra/auth-auth0 | 1.0.2 |
| @mastra/auth-better-auth | 1.0.4 |
| @mastra/auth-clerk | 1.0.3 |
| @mastra/auth-cloud | 1.1.4 |
| @mastra/auth-firebase | 1.0.1 |
| @mastra/auth-okta | 0.0.5 |
| @mastra/auth-studio | 1.2.4 |
| @mastra/auth-supabase | 1.0.2 |
| @mastra/auth-workos | 1.5.3 |
| @mastra/azure | 0.2.3 |
| @mastra/blaxel | 0.4.2 |
| @mastra/braintrust | 1.1.4 |
| @mastra/brightdata | 0.2.2 |
| @mastra/browser-firecrawl | 0.1.1 |
| @mastra/browser-viewer | 0.1.3 |
| @mastra/chroma | 1.0.2 |
| @mastra/claude | 1.0.3 |
| @mastra/clickhouse | 1.10.1 |
| @mastra/client-js | 1.24.1 |
| @mastra/cloud | 0.1.24 |
| @mastra/cloudflare | 1.4.2 |
| @mastra/cloudflare-d1 | 1.0.7 |
| @mastra/codemod | 1.0.4 |
| @mastra/convex | 1.2.2 |
| @mastra/core | 1.42.1 |
| @mastra/couchbase | 1.0.4 |
| @mastra/cursor | 0.2.1 |
| @mastra/dane | 1.0.2 |
| @mastra/datadog | 1.2.5 |
| @mastra/daytona | 0.4.2 |
| @mastra/deployer | 1.42.1 |
| @mastra/deployer-cloud | 1.42.1 |
| @mastra/deployer-cloudflare | 1.1.44 |
| @mastra/deployer-netlify | 1.1.20 |
| @mastra/deployer-vercel | 1.1.38 |
| @mastra/docker | 0.3.1 |
| @mastra/dsql | 1.0.3 |
| @mastra/duckdb | 1.4.3 |
| @mastra/dynamodb | 1.0.9 |
| @mastra/e2b | 0.3.4 |
| @mastra/editor | 0.11.3 |
| @mastra/elasticsearch | 1.2.1 |
| @mastra/engine | 0.1.1 |
| @mastra/evals | 1.3.1 |
| @mastra/express | 1.3.31 |
| @mastra/fastembed | 1.1.3 |
| @mastra/fastify | 1.3.31 |
| @mastra/files-sdk | 0.2.1 |
| @mastra/gcs | 0.2.3 |
| @mastra/github-signals | 0.1.2 |
| @mastra/google-cloud-pubsub | 1.0.6 |
| @mastra/google-drive | 0.1.1 |
| @mastra/hono | 1.4.26 |
| @mastra/inngest | 1.5.2 |
| @mastra/koa | 1.5.14 |
| @mastra/laminar | 1.2.3 |
| @mastra/lance | 1.0.7 |
| @mastra/langfuse | 1.3.6 |
| @mastra/langsmith | 1.2.4 |
| @mastra/libsql | 1.13.1 |
| @mastra/loggers | 1.1.3 |
| @mastra/longmemeval | 1.0.50 |
| @mastra/mcp | 1.10.1 |
| @mastra/mcp-docs-server | 1.1.47 |
| @mastra/mcp-registry-registry | 1.0.2 |
| @mastra/mem0 | 0.1.14 |
| @mastra/memory | 1.20.4 |
| @mastra/modal | 0.2.2 |
| @mastra/mongodb | 1.9.3 |
| @mastra/mssql | 1.3.2 |
| @mastra/mysql | 0.1.1 |
| @mastra/nestjs | 0.1.15 |
| @mastra/node-audio | 0.1.8 |
| @mastra/node-speaker | 0.1.1 |
| @mastra/observability | 1.14.2 |
| @mastra/openai | 1.0.2 |
| @mastra/opencode | 0.0.47 |
| @mastra/opensearch | 1.0.3 |
| @mastra/otel-bridge | 1.2.3 |
| @mastra/otel-exporter | 1.2.3 |
| @mastra/perplexity | 0.1.1 |
| @mastra/pg | 1.13.1 |
| @mastra/pinecone | 1.0.2 |
| @mastra/playground-ui | 33.0.1 |
| @mastra/posthog | 1.0.29 |
| @mastra/qdrant | 1.0.3 |
| @mastra/rag | 2.2.2 |
| @mastra/railway | 0.1.1 |
| @mastra/react | 1.0.1 |
| @mastra/redis | 1.1.3 |
| @mastra/redis-streams | 0.0.4 |
| @mastra/s3 | 0.5.3 |
| @mastra/s3vectors | 1.0.7 |
| @mastra/schema-compat | 1.2.12 |
| @mastra/sentry | 1.1.4 |
| @mastra/server | 2.1.1 |
| @mastra/slack | 1.3.1 |
| @mastra/spanner | 1.1.2 |
| @mastra/speech-azure | 0.2.1 |
| @mastra/speech-elevenlabs | 0.2.1 |
| @mastra/speech-google | 0.2.1 |
| @mastra/speech-ibm | 0.2.1 |
| @mastra/speech-murf | 0.2.1 |
| @mastra/speech-openai | 0.2.1 |
| @mastra/speech-replicate | 0.2.1 |
| @mastra/speech-speechify | 0.2.1 |
| @mastra/stagehand | 0.2.5 |
| @mastra/tavily | 1.0.3 |
| @mastra/temporal | 0.1.14 |
| @mastra/turbopuffer | 1.0.3 |
| @mastra/twilio | 1.0.2 |
| @mastra/upstash | 1.1.3 |
| @mastra/vectorize | 1.0.3 |
| @mastra/vercel | 1.0.1 |
| @mastra/voice-aws-nova-sonic | 0.1.4 |
| @mastra/voice-azure | 0.11.2 |
| @mastra/voice-cloudflare | 0.12.3 |
| @mastra/voice-deepgram | 0.12.2 |
| @mastra/voice-elevenlabs | 0.12.2 |
| @mastra/voice-gladia | 0.12.2 |
| @mastra/voice-google | 0.12.3 |
| @mastra/voice-google-gemini-live | 0.12.2 |
| @mastra/voice-inworld | 0.3.1 |
| @mastra/voice-modelslab | 0.1.2 |
| @mastra/voice-murf | 0.12.3 |
| @mastra/voice-openai | 0.12.3 |
| @mastra/voice-openai-realtime | 0.12.6 |
| @mastra/voice-playai | 0.12.2 |
| @mastra/voice-sarvam | 1.0.2 |
| @mastra/voice-speechify | 0.12.2 |
| @mastra/voice-xai-realtime | 0.1.2 |
| create-mastra | 1.13.1 |
| mastra | 1.13.1 |
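
One way to check a project against the table above, as an added example (not code from the article or from Mastra): it parses the table rows into `name@version` pairs and scans a parsed `package-lock.json` for those versions and for the `easy-day-js` dependency. The function names, the three-row table excerpt and the sample lockfile (including its placeholder versions) are constructed for illustration.

```javascript
// Excerpt of the table above (three rows); paste the full table for a real check.
const ADVISORY_TABLE = `
| Package | Version |
|---|---|
| @mastra/core | 1.42.1 |
| @mastra/mcp | 1.10.1 |
| mastra | 1.13.1 |
`;
const INJECTED_DEP = "easy-day-js"; // dependency name reported in the article

// Turn "| name | version |" rows into a Set of "name@version" strings.
// Header and separator rows are skipped because their second cell is not a version.
function parseAdvisoryTable(text) {
  const bad = new Set();
  for (const line of text.split("\n")) {
    const cells = line.split("|").map((c) => c.trim()).filter(Boolean);
    if (cells.length === 2 && /^\d+\.\d+\.\d+/.test(cells[1])) bad.add(`${cells[0]}@${cells[1]}`);
  }
  return bad;
}

// Scan a parsed package-lock.json: the flat "packages" map (lockfileVersion 2/3),
// or the nested "dependencies" tree when only the v1 layout is present.
function scanLockfile(lock, bad) {
  const findings = [];
  const check = (name, version, where) => {
    if (name === INJECTED_DEP) findings.push({ name, version, where, reason: "injected dependency" });
    else if (bad.has(`${name}@${version}`)) findings.push({ name, version, where, reason: "listed version" });
  };
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, `${trail}>${name}`);
      walk(meta.dependencies, `${trail}>${name}`); // transitive installs nest here in v1
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      const i = path.lastIndexOf("node_modules/");
      check(meta.name || (i >= 0 ? path.slice(i + 13) : path), meta.version, path);
    }
  } else walk(lock.dependencies, "root");
  return findings;
}

// Constructed sample lockfile; 1.9.0 and 0.0.0 are placeholder versions.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.0.0" },
  "node_modules/@mastra/core": { version: "1.42.1" },
  "node_modules/@mastra/mcp": { version: "1.9.0" },
  "node_modules/@mastra/core/node_modules/easy-day-js": { version: "0.0.0" },
}};
```

For a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` as the first argument. A clean lockfile does not rule out exposure on machines that installed one of the listed versions earlier.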