VYPR

npm · Malicious package advisory

Malware

create-mastra

MAL-2026-6050

Malicious code in create-mastra (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4da726670223ca28536bc00f5e68f94f22591bdecdb38dd94e5e873fce0afcf2)
create-mastra is the Mastra framework's project scaffolder, distributed as a bundled CLI. The flagged signals are generic occurrences of the literal string 'POST' across the minified dist/index.js (lines 245-247, 679, 16066) without corroborating evidence of a hardcoded attacker C2 endpoint, install-time exfiltration, or credential harvest. No install/postinstall lifecycle hooks were identified that would auto-execute network behavior on `npm install`. Keyword co-occurrence in a minified rollup bundle is the weakest evidence shape and is consistent with normal HTTP client code in a CLI scaffolder. Routing for human review to confirm the destinations of those POST calls are documented Mastra endpoints rather than attacker infrastructure.

## Source: ghsa-malware (12df16ee90f6c59f31e4b0b71f2dbf3a0b046e17ecae5e13399b69fec9f3c563)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (1)

  • 1.13.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.