A security incident involving the Mastra npm package scope showed how stale publishing access can turn a package namespace into a supply-chain risk [S1]. Public incident reporting said the malicious change was not introduced in Mastra's source repository; it appeared in republished npm artifacts, which pulled in an injected easy-day-js dependency, and Mastra forward-rolled clean package releases as part of remediation [S1][S2].
Impact
A compromised npm publisher can publish new versions of trusted packages under the same names, so that downstream installs pull unexpected code during dependency installation, where npm runs package lifecycle scripts such as preinstall and postinstall [S1]. For AI development frameworks, that can put developer workstations, CI runners, deployment secrets, LLM provider keys, npm tokens, GitHub tokens, cloud credentials, and other install-time secrets at risk if an affected dependency was installed on a host where those secrets were reachable [S1]. Repository evidence alone does not prove that any host installed the affected package or that credentials were stolen.
Root Cause
The reported root cause was stale npm publishing access that remained available after a contributor was no longer actively maintaining the project [S1]. Scope-level package publishing rights are high-impact because one account can affect many packages in the namespace. Mastra's remediation work removed unauthorized owners, rotated publishing credentials, and published clean forward-rolled releases [S2].
Covered by FixVibe
FixVibe GitHub repo scans can now flag manifest and lockfile evidence for easy-day-js versions associated with this incident [S1][S3]. The finding is repository dependency evidence: it points teams to the exact package manifest or lockfile location that needs cleanup, records confidence, and recommends clean dependency regeneration and a credential-impact review.
FixVibe does not verify stale npm or GitHub owner access for the scanned project, read npm scope permission lists, audit maintainer inactivity, run npm install, execute package lifecycle scripts, download tarballs, inspect developer or CI hosts, contact attacker infrastructure, review network logs, or claim credential theft, wallet theft, persistence, or production compromise. Those questions require authorized registry/org review and host-level investigation outside a static repo scan.
Remediation
Remove easy-day-js from package manifests and from active npm, pnpm, or Yarn lockfiles. Update any Mastra dependencies to the clean forward-rolled releases, then regenerate the lockfile from a trusted registry state rather than hand-editing the old one, confirm the regenerated lockfile no longer resolves easy-day-js, rebuild any CI, development, or runtime images that may have installed dependencies, and rerun the FixVibe GitHub repo scan.
If an affected dependency may have been installed on developer workstations or CI runners, rotate npm tokens, GitHub tokens, LLM provider keys, cloud credentials, SSH keys, deployment secrets, and any other credentials available to those hosts. Review dependency-install and egress logs for the incident window, and separately audit npm/GitHub publishing permissions so that inactive high-privilege accounts are removed.
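As an added example (not FixVibe's scanner and not Mastra's code), the following static check reads a project's manifest and lockfiles and reports every location where a named dependency is referenced. It produces the same kind of repository dependency evidence as the scan described under Covered by FixVibe, and it can confirm the removal step above before the lockfile is regenerated. It assumes the project uses package.json together with package-lock.json, yarn.lock, or pnpm-lock.yaml; the sample files, the package name "@mastra/placeholder-pkg", and every version number are constructed placeholders and do not name real affected versions.

```javascript
'use strict';
// Added example, not FixVibe's scanner or any Mastra code: a static check that
// reads an npm project's manifest and lockfiles and reports every place a named
// dependency (here easy-day-js) is referenced. It never installs or runs anything.
const TARGET = 'easy-day-js';

// package.json: check every dependency field.
function findInManifest(manifestJson, pkgName = TARGET) {
  const manifest = JSON.parse(manifestJson);
  const hits = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies']) {
    const deps = manifest[field];
    if (deps && Object.prototype.hasOwnProperty.call(deps, pkgName)) {
      hits.push({ file: 'package.json', location: `${field}.${pkgName}`, spec: deps[pkgName] });
    }
  }
  return hits;
}

// package-lock.json: lockfileVersion 2/3 use a flat "packages" map keyed by install
// path; v1 uses a nested "dependencies" tree. A parent entry that declares the
// package is reported too, so a transitive pull-in through a republished package
// is visible, not just the installed copy.
function findInPackageLock(lockJson, pkgName = TARGET) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${pkgName}` || path.endsWith(`/node_modules/${pkgName}`)) {
        hits.push({ file: 'package-lock.json', location: path, spec: entry.version });
      }
      for (const field of ['dependencies', 'optionalDependencies']) {
        if (entry[field] && entry[field][pkgName]) {
          hits.push({ file: 'package-lock.json', location: `${path || '<root>'} -> ${field}.${pkgName}`, spec: entry[field][pkgName] });
        }
      }
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const where = prefix ? `${prefix} > ${name}` : name;
        if (name === pkgName) hits.push({ file: 'package-lock.json', location: where, spec: entry.version });
        walk(entry.dependencies, where);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// yarn.lock (classic or berry) and pnpm-lock.yaml are scanned line by line so no
// YAML parser is needed. The name must begin a token (start of line, whitespace,
// quote, comma, or pnpm's leading "/"), so "@scope/easy-day-js" entries and
// tarball URLs such as ".../easy-day-js/-/easy-day-js-1.0.3.tgz" do not match.
function findInTextLock(fileName, text, pkgName = TARGET) {
  const escaped = pkgName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(`(?:^|[\\s"',])\\/?${escaped}(?:@(?:npm:)?([^,"\\s:(]+))?(?=[@/:"\\s,(]|$)`);
  const hits = [];
  text.split('\n').forEach((line, i) => {
    const m = re.exec(line);
    if (m) hits.push({ file: fileName, location: `line ${i + 1}`, spec: m[1] || null });
  });
  return hits;
}

// Run the right check for each file in an in-memory { fileName: contents } map.
function scanRepo(files, pkgName = TARGET) {
  const hits = [];
  for (const [name, text] of Object.entries(files)) {
    if (name === 'package.json') hits.push(...findInManifest(text, pkgName));
    else if (name === 'package-lock.json') hits.push(...findInPackageLock(text, pkgName));
    else if (name === 'yarn.lock' || name === 'pnpm-lock.yaml') hits.push(...findInTextLock(name, text, pkgName));
  }
  return hits;
}

// Constructed sample files (not from any real repository). Package names and
// versions are placeholders; "@mastra/placeholder-pkg" stands in for a dependency
// whose republished artifact pulled in easy-day-js.
const SAMPLE = {
  'package.json': JSON.stringify({ name: 'demo-app', dependencies: { '@mastra/placeholder-pkg': '^0.1.0', dayjs: '^1.11.0' } }),
  'package-lock.json': JSON.stringify({
    lockfileVersion: 3,
    packages: {
      '': { dependencies: { '@mastra/placeholder-pkg': '^0.1.0' } },
      'node_modules/@mastra/placeholder-pkg': { version: '0.1.0', dependencies: { 'easy-day-js': '^1.0.0' } },
      'node_modules/easy-day-js': { version: '1.0.3' },
    },
  }),
  'yarn.lock': [
    '"@scope/easy-day-js@^2.0.0":', // a different scoped package: must not match
    '  version "2.0.0"',
    '"easy-day-js@^1.0.0":',
    '  version "1.0.3"',
    '  resolved "https://registry.yarnpkg.com/easy-day-js/-/easy-day-js-1.0.3.tgz"',
  ].join('\n'),
  'pnpm-lock.yaml': ['packages:', '  /dayjs@1.11.10:', '    resolution: {integrity: sha512-placeholder}', '  /easy-day-js@1.0.3:'].join('\n'),
};

console.log(JSON.stringify(scanRepo(SAMPLE), null, 2));
```

Run it with node against the constructed sample, or replace SAMPLE with the files read from the repository root. Because it only reads text, it has the same limits as the static scan described above: a hit proves the reference exists in the repository, not that any host installed the package or that any credential was exposed.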
