Multiple mastra NPM packages compromised

The StepSecurity Threat Intelligence Team has identified that multiple @mastra npm packages have been compromised. The security breach was disclosed in a GitHub issue on the mastra-ai/mastra repository, with the team detailing the attack in a blog post. The incident poses a high-impact security risk to users of the affected packages.

Published Jun 17, 2026 · 1 min read
Status: Open

Labels: dependencies, effort:high, impact:high, security, status: needs triage, trio-wp

Description

Summary

The StepSecurity Threat Intelligence Team has identified that multiple mastra npm packages have been compromised.

https://www.stepsecurity.io/blog/mastra-npm-packages-compromised-using-easy-day-js StepSecurity Threat Intelligence Team.
