Mastra Poisoned 144 AI Dev Packages: What Every Vibe Coder Must Do Now
By EndOfCoding
On June 17, 2026, a supply chain attack hit the AI developer ecosystem directly: 144 packages under the @mastra/* namespace — a widely-used AI agent framework — were poisoned with a malicious postinstall hook that executes on npm install. The packages had 1.1 million combined weekly downloads. CVSS score: 9.8 Critical. If you installed any @mastra/* packages after June 16, your API keys and CI credentials may be compromised. Here's exactly what to do.
What You'll Learn
You'll understand what the Mastra supply chain attack did and why AI developers were specifically targeted, how to check if your projects are affected and what the malicious hook actually executed, the three-stage payload that harvested Anthropic API keys, npm publish tokens, and GitHub Actions credentials, how to immediately rotate credentials and block future postinstall hooks, the broader pattern of monthly AI-developer-targeted supply chain attacks since April 2026, and one config change to protect all future installs.
Step 1: Check if You Installed Affected Packages
The attack window is June 16–17, 2026. Any project that ran npm install with @mastra/* packages in that window is potentially affected.
# Check if @mastra packages are installed
npm ls @mastra 2>/dev/null
# Check install date via package-lock.json metadata
grep -A 3 '"@mastra' package-lock.json | head -40
If you find @mastra/* packages installed or updated on June 16 or 17, proceed to credential rotation immediately.
Step 2: Rotate All Potentially Exposed Credentials
The malicious hook specifically targeted these credentials in the install environment:
| Credential | Where to Rotate | Priority |
|---|---|---|
ANTHROPIC_API_KEY |
console.anthropic.com → API Keys | URGENT |
OPENAI_API_KEY |
platform.openai.com → API keys | URGENT |
NPM_TOKEN |
npmjs.com → Access Tokens | URGENT |
GITHUB_TOKEN / GH_TOKEN |
github.com/settings/tokens | HIGH |
| AWS/GCP/Azure credentials | Your cloud console → IAM | HIGH |
Rotate all of these even if you're not 100% certain you were affected. The cost of rotating is minutes; the cost of a compromised API key is unbounded.
Step 3: Block Postinstall Hooks on Future Installs
This is the one config change that prevents this entire class of attack:
# Disable all package lifecycle scripts during install
npm config set ignore-scripts true
# Or set per-project in .npmrc
echo 'ignore-scripts=true' >> .npmrc
For CI pipelines:
# GitHub Actions — add to your npm install step
- name: Install dependencies
run: npm install --ignore-scripts
Note: Some packages legitimately need postinstall (native add-ons, Prisma generators). After blocking globally, re-enable only for packages you've explicitly audited.
Step 4: Audit Any Projects That May Have Been Affected
# Find all postinstall hooks in your node_modules (review each one)
find node_modules -name 'package.json' -exec grep -l 'postinstall' {} \; 2>/dev/null
# Check for the specific malicious domain in network logs
grep 'mastra-pkg.io' /var/log/*.log 2>/dev/null
The malicious telemetry endpoint was telemetry-cdn.mastra-pkg.io — not the legitimate mastra.ai domain. If this appears in your network logs, credentials were exfiltrated.
Step 5: Add Supply Chain Checks to Your AI Project Workflow
CyberOS tracks this as pattern CYBEROS-2026-005 (Suspicious npm postinstall Hook). The flags that should trigger manual review before install:
- Postinstall hook making outbound HTTP/HTTPS requests
- Postinstall hook reading environment variables beyond
NODE_ENV - Package published within 24 hours of a high-profile vulnerability announcement
- Namespace not matching the expected GitHub organization
Add this to your project setup checklist:
## Security Pre-Install Checklist
- [ ] Check npm audit output
- [ ] Review new package postinstall hooks: cat node_modules/[pkg]/package.json | grep scripts
- [ ] Verify package publish date is consistent with version history
- [ ] Confirm package integrity hash matches GitHub release tag
Common Challenges
'I installed @mastra packages but not between June 16-17 — am I safe?' — If you installed @mastra packages before June 16, you are likely safe from this specific attack. But the attack demonstrates the category of risk: run npm audit on your project and review any postinstall hooks in recently-added packages. 'I don't use Mastra but use other AI frameworks — should I be worried?' — Yes. The Mastra attack is the third in a monthly series targeting AI developers: CanisterSprawl (April), TanStack Shai Hulud (May), Mastra (June). Any widely-used AI developer package is a potential target. Treat npm install --ignore-scripts as your default for all AI projects. 'Does npm audit catch supply chain poisoning?' — Only partially. npm audit checks for known CVEs in packages. Supply chain poisoning (malicious code injected into new package versions) often passes audit clean because the CVE hasn't been assigned yet. This is why postinstall hook review is a separate step.
Advanced Tips
Set up automated postinstall hook monitoring in your CI pipeline using npm-audit-resolver or a custom script that diffs the scripts section of all installed packages against a known-good baseline. This turns a manual review step into an automated gate. For teams managing multiple projects, consider a private npm registry (Verdaccio, Artifactory) with a manual approval step for new or updated packages — this is now standard practice at security-conscious AI companies. The Perplexity Brain memory system approach (released June 2026) is worth applying here: build a project-specific memory of 'approved packages + their expected postinstall hooks' that an agent checks before each install. One agent verifying your deps before every install is exactly the kind of overnight synthesis that prevents the next Mastra.
Conclusion
The Mastra supply chain attack is the clearest evidence yet that AI developers are an explicit, high-value target for supply chain attackers. The monthly cadence — CanisterSprawl, TanStack Shai Hulud, Mastra — is not coincidental. Your npm install now carries real credential exfiltration risk if you have AI API keys in scope. The mitigation is not complex: npm install --ignore-scripts plus credential rotation on detection. For comprehensive supply chain security guidance, CyberOS's pattern database covers all three attacks in the 2026 series at cyberos.dev. For the full security playbook for AI-generated code, Chapter 19 of the Vibe Coding Ebook walks through every layer from dependency auditing to deployment hardening.
Build Blueprint · Creator
Have an idea? Get the spec your AI agent can build from.
Describe any product and get a complete build blueprint — stack, data model, screens, APIs, and a ready-to-paste prompt for Claude Code or Cursor. Export to PDF.
Open the Blueprint ▸