SKIP TO CONTENT
All articles
SECURITY ALERT·June 19, 2026·8 MIN READ

Mastra Poisoned 144 AI Dev Packages: What Every Vibe Coder Must Do Now

By EndOfCoding

On June 17, 2026, a supply chain attack hit the AI developer ecosystem directly: 144 packages under the @mastra/* namespace — a widely-used AI agent framework — were poisoned with a malicious postinstall hook that executes on npm install. The packages had 1.1 million combined weekly downloads. CVSS score: 9.8 Critical. If you installed any @mastra/* packages after June 16, your API keys and CI credentials may be compromised. Here's exactly what to do.

What You'll Learn

You'll understand what the Mastra supply chain attack did and why AI developers were specifically targeted, how to check if your projects are affected and what the malicious hook actually executed, the three-stage payload that harvested Anthropic API keys, npm publish tokens, and GitHub Actions credentials, how to immediately rotate credentials and block future postinstall hooks, the broader pattern of monthly AI-developer-targeted supply chain attacks since April 2026, and one config change to protect all future installs.

Step 1: Check if You Installed Affected Packages

The attack window is June 16–17, 2026. Any project that ran npm install with @mastra/* packages in that window is potentially affected.

# Check if @mastra packages are installed
npm ls @mastra 2>/dev/null

# Check install date via package-lock.json metadata
grep -A 3 '"@mastra' package-lock.json | head -40

If you find @mastra/* packages installed or updated on June 16 or 17, proceed to credential rotation immediately.

Step 2: Rotate All Potentially Exposed Credentials

The malicious hook specifically targeted these credentials in the install environment:

Credential Where to Rotate Priority
ANTHROPIC_API_KEY console.anthropic.com → API Keys URGENT
OPENAI_API_KEY platform.openai.com → API keys URGENT
NPM_TOKEN npmjs.com → Access Tokens URGENT
GITHUB_TOKEN / GH_TOKEN github.com/settings/tokens HIGH
AWS/GCP/Azure credentials Your cloud console → IAM HIGH

Rotate all of these even if you're not 100% certain you were affected. The cost of rotating is minutes; the cost of a compromised API key is unbounded.

Step 3: Block Postinstall Hooks on Future Installs

This is the one config change that prevents this entire class of attack:

# Disable all package lifecycle scripts during install
npm config set ignore-scripts true

# Or set per-project in .npmrc
echo 'ignore-scripts=true' >> .npmrc

For CI pipelines:

# GitHub Actions — add to your npm install step
- name: Install dependencies
  run: npm install --ignore-scripts

Note: Some packages legitimately need postinstall (native add-ons, Prisma generators). After blocking globally, re-enable only for packages you've explicitly audited.

Step 4: Audit Any Projects That May Have Been Affected

# Find all postinstall hooks in your node_modules (review each one)
find node_modules -name 'package.json' -exec grep -l 'postinstall' {} \; 2>/dev/null

# Check for the specific malicious domain in network logs
grep 'mastra-pkg.io' /var/log/*.log 2>/dev/null

The malicious telemetry endpoint was telemetry-cdn.mastra-pkg.ionot the legitimate mastra.ai domain. If this appears in your network logs, credentials were exfiltrated.

Step 5: Add Supply Chain Checks to Your AI Project Workflow

CyberOS tracks this as pattern CYBEROS-2026-005 (Suspicious npm postinstall Hook). The flags that should trigger manual review before install:

  • Postinstall hook making outbound HTTP/HTTPS requests
  • Postinstall hook reading environment variables beyond NODE_ENV
  • Package published within 24 hours of a high-profile vulnerability announcement
  • Namespace not matching the expected GitHub organization

Add this to your project setup checklist:

## Security Pre-Install Checklist
- [ ] Check npm audit output
- [ ] Review new package postinstall hooks: cat node_modules/[pkg]/package.json | grep scripts
- [ ] Verify package publish date is consistent with version history
- [ ] Confirm package integrity hash matches GitHub release tag

Common Challenges

'I installed @mastra packages but not between June 16-17 — am I safe?' — If you installed @mastra packages before June 16, you are likely safe from this specific attack. But the attack demonstrates the category of risk: run npm audit on your project and review any postinstall hooks in recently-added packages. 'I don't use Mastra but use other AI frameworks — should I be worried?' — Yes. The Mastra attack is the third in a monthly series targeting AI developers: CanisterSprawl (April), TanStack Shai Hulud (May), Mastra (June). Any widely-used AI developer package is a potential target. Treat npm install --ignore-scripts as your default for all AI projects. 'Does npm audit catch supply chain poisoning?' — Only partially. npm audit checks for known CVEs in packages. Supply chain poisoning (malicious code injected into new package versions) often passes audit clean because the CVE hasn't been assigned yet. This is why postinstall hook review is a separate step.

Advanced Tips

Set up automated postinstall hook monitoring in your CI pipeline using npm-audit-resolver or a custom script that diffs the scripts section of all installed packages against a known-good baseline. This turns a manual review step into an automated gate. For teams managing multiple projects, consider a private npm registry (Verdaccio, Artifactory) with a manual approval step for new or updated packages — this is now standard practice at security-conscious AI companies. The Perplexity Brain memory system approach (released June 2026) is worth applying here: build a project-specific memory of 'approved packages + their expected postinstall hooks' that an agent checks before each install. One agent verifying your deps before every install is exactly the kind of overnight synthesis that prevents the next Mastra.

Conclusion

The Mastra supply chain attack is the clearest evidence yet that AI developers are an explicit, high-value target for supply chain attackers. The monthly cadence — CanisterSprawl, TanStack Shai Hulud, Mastra — is not coincidental. Your npm install now carries real credential exfiltration risk if you have AI API keys in scope. The mitigation is not complex: npm install --ignore-scripts plus credential rotation on detection. For comprehensive supply chain security guidance, CyberOS's pattern database covers all three attacks in the 2026 series at cyberos.dev. For the full security playbook for AI-generated code, Chapter 19 of the Vibe Coding Ebook walks through every layer from dependency auditing to deployment hardening.

Build Blueprint · Creator

Have an idea? Get the spec your AI agent can build from.

Describe any product and get a complete build blueprint — stack, data model, screens, APIs, and a ready-to-paste prompt for Claude Code or Cursor. Export to PDF.

Open the Blueprint