
On June 17th, an attacker compromised 141 Mastra npm packages, infecting them with malware.
- A supply chain attack compromised 141 Mastra npm packages after a trusted contributor account was taken over.
- Attackers used a fake dependency that looked legitimate and worked normally at first, making the malicious update harder for developers to spot.
- A later version installed infostealing malware automatically when affected packages were downloaded, putting developers’ systems at risk.
- The malware searched for cryptocurrency wallet data, browser extensions, and files that could contain login credentials.
- Users are advised to remove affected versions, delete node_modules, reinstall safe older versions, use lockfiles, and check published indicators of compromise.
According to several cybersecurity firms, the attack began after the npm account of Mastra contributor “ehindero” was compromised.
Instead of changing Mastra’s code, the attackers swapped out one of its software components for a fake version or “phantom dependency” they controlled. This fake package looked like the real deal and functioned properly at first, making it less likely to raise suspicion.
However, a later update added infostealing malware that ran automatically when the package was installed. Anyone who downloaded the affected versions may have unknowingly installed this malicious software on their computer.
The malicious code was designed to search developers’ computers for sensitive information, such as cryptocurrency wallet data, browser extensions, and files containing login credentials. The campaign focused on stealing digital assets rather than disrupting systems, security researchers say.
Because a trusted account was used to add the malicious components to Mastra’s npm packages, developers had little reason to review the update, which gave the malware every opportunity to spread quickly.
Cybersecurity firm Socket recommends that users remove the affected versions, delete node_modules, and reinstall a prior version. The company says that customers are protected automatically because the infected npm packages are flagged and blocked before the malware is executed.
As a precaution, owners of so-called high-value cryptocurrency wallets are advised to transfer their funds to a new wallet.
StepSecurity, JFrog, and Microsoft have also analyzed the supply chain attack and published indicators of compromise (IoCs) that allow organizations and developers to check whether their systems have been affected.
Microsoft recommends downgrading to older versions of the packages immediately and using lockfiles.
Software supply chain attacks like this have become increasingly common. Rather than attacking companies directly, hackers compromise widely used software or developer accounts, allowing them to reach many victims through routine software updates.