Provenance Attestation Drop

discovered 2026-06-17

Legitimate @mastra releases are published through npm's OIDC trusted publisher flow and carry SLSA provenance attestations; the malicious versions were published with a personal token, so their registry metadata has dist.attestations=null. The missing attestation (baseline @mastra/[email protected] published via OIDC vs 1.42.1 published by ehindero) is the primary compromise signal.
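One way to turn this signal into a check, as an added example that is not part of the original entry: walk a package's registry packument in publish order and flag any version whose dist.attestations is missing after an earlier version carried SLSA provenance. The packument layout (versions, time, dist.attestations.provenance.predicateType, _npmUser) follows what registry.npmjs.org returns; the package name, versions and publisher names below are constructed sample data.

```javascript
// Added example: detect a provenance-attestation drop between versions
// of an npm package. Input is a packument as served by
// https://registry.npmjs.org/<name>; SAMPLE_PACKUMENT is constructed.

const PROVENANCE = "https://slsa.dev/provenance/v1";
const ATTESTED = { provenance: { predicateType: PROVENANCE } };

const SAMPLE_PACKUMENT = {
  name: "@example/pkg", // constructed, not a real package
  time: {
    "1.41.0": "2026-05-01T10:00:00.000Z",
    "1.42.0": "2026-06-10T10:00:00.000Z",
    "1.42.1": "2026-06-16T22:13:00.000Z",
  },
  versions: {
    "1.41.0": { _npmUser: { name: "ci-publisher" }, dist: { attestations: ATTESTED } },
    "1.42.0": { _npmUser: { name: "ci-publisher" }, dist: { attestations: ATTESTED } },
    // Published from a personal token: no attestation in registry metadata.
    "1.42.1": { _npmUser: { name: "personal-account" }, dist: { attestations: null } },
  },
};

// True when the version manifest carries an attestation with a SLSA
// provenance predicate (dist.attestations is null or absent otherwise).
function hasProvenance(manifest) {
  const att = manifest && manifest.dist && manifest.dist.attestations;
  return Boolean(att && att.provenance && att.provenance.predicateType);
}

// Returns every version published after an attested baseline that lacks
// provenance itself, with the publisher recorded by the registry.
function findAttestationDrops(packument) {
  const byPublishTime = (a, b) =>
    Date.parse(packument.time[a] || 0) - Date.parse(packument.time[b] || 0);
  const versions = Object.keys(packument.versions).sort(byPublishTime);
  const drops = [];
  let baseline = null; // most recent version that was attested
  for (const v of versions) {
    const m = packument.versions[v];
    if (hasProvenance(m)) {
      baseline = v;
    } else if (baseline !== null) {
      const publisher = (m._npmUser && m._npmUser.name) || "unknown";
      drops.push({ version: v, publisher, baseline });
    }
  }
  return drops;
}
```

Versions published before any attested baseline are not flagged, since a package that never used trusted publishing has nothing to drop; the check only fires on a regression from an attested state.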

Seen in packages

Campaigns