On June 17, 2026, attackers hijacked a dormant Mastra contributor npm account and published malicious versions of 144 @mastra/* packages within 88 minutes, injecting a cross-platform credential and cryptocurrency-stealing payload via the ‘easy-day-js’ dependency. Any development environment, CI/CD pipeline, or build runner that installed affected @mastra/* versions during the compromise window must be treated as fully compromised, with all stored credentials, API keys, and cloud access requiring immediate rotation.