VYPR
Breach · Published Jun 17, 2026 · Updated Jun 18, 2026 · 1 source

npm: 40 Malicious @mastra/ Packages Disclosed in Coordinated Takedown — AI Agent Integrations Compromised

Key findings

  • All 40 malicious packages share the @mastra/ npm scope — a single-organization campaign
  • Every advisory was published within a 7-minute window (05:05–05:12 UTC) on 2026-06-17
  • Affected packages span voice, cloud, agent-runtime, MCP, and utility integrations
  • The most-downloaded compromised package, @mastra/voice-openai, draws ~13k weekly downloads
  • All advisories carry Critical severity — full system compromise, rotate all secrets
  • The campaign targets AI/ML developer tooling, harvesting cloud API keys and environment secrets

On June 17, 2026, 40 malicious packages were disclosed on the npm registry within a two-hour window, all sharing a single campaign signature: the @mastra/ npm scope. Every package in the burst belongs to the @mastra organization — a legitimate open-source TypeScript framework for building AI agents — and each was published as a compromised version of an existing, previously benign @mastra/ integration package. The advisories landed between 05:05 and 05:12 UTC, a tight seven-minute window that signals a coordinated takedown by the security team or registry operators.

The campaign is unmistakable: all 40 packages live under the @mastra/ scope and span the full breadth of the Mastra ecosystem — voice providers (@mastra/voice-openai, @mastra/voice-elevenlabs, @mastra/voice-deepgram, @mastra/voice-google, @mastra/voice-google-gemini-live, @mastra/voice-openai-realtime, @mastra/voice-aws-nova-sonic), cloud integrations (@mastra/gcs, @mastra/google-cloud-pubsub), agent runtimes (@mastra/e2b, @mastra/daytona, @mastra/blaxel, @mastra/temporal), MCP tooling (@mastra/mcp-registry-registry, @mastra/arize, @mastra/stagehand, @mastra/tavily), and developer utilities (@mastra/agent-builder, @mastra/agent-browser, @mastra/longmemeval). The naming pattern is not typosquatting — these are the real, established package names, each with months to over a year of publication history and thousands of weekly downloads.

This is not a fresh-account typosquatting operation. The affected packages were first published across a wide span: some as early as February 2025 (@mastra/voice-openai, @mastra/voice-deepgram, @mastra/voice-elevenlabs, all ~1.3 years old), others in mid-2025 (@mastra/voice-google-gemini-live, @mastra/google-cloud-pubsub), and a few as recently as early 2026 (@mastra/gcs, @mastra/e2b, both ~4 months old). The malicious versions themselves are recent — version numbers like 0.12.2, 0.12.3, 0.12.6, 1.0.42, 1.0.50, 0.2.5, 0.3.4 — suggesting a single compromised publish event across the entire scope rather than a long-running infiltration. The most heavily downloaded packages in the burst include @mastra/voice-openai (13k/week, 39k/month), @mastra/voice-openai-realtime (12k/week, 37k/month), @mastra/voice-google-gemini-live (9.7k/week, 27k/month), and @mastra/arize (9k/week, 26k/month).

The behavioral findings across the OSSF Package Analysis reports are consistent with a supply-chain compromise aimed at credential and environment exfiltration. The malware communicates with command-and-control infrastructure, executes commands in the post-install lifecycle, and exfiltrates environment variables — including API keys, tokens, and cloud credentials. Specific IOCs extracted from the package analysis include domains associated with malicious activity that appear across multiple packages in the burst. The pattern is uniform: every package in the @mastra/ scope that received a version bump in this window exhibits the same malicious behavior signature.

The severity is uniformly rated Critical across all 20 GHSA advisories. The standard guidance applies with full force here: any computer that installed one of these compromised versions should be considered fully compromised. The @mastra/ packages are integration wrappers for cloud services — they handle Google Cloud credentials, OpenAI API keys, ElevenLabs tokens, Deepgram secrets, AWS credentials, and Temporal connection strings. A compromised version of any of these packages would have access to the full set of environment variables in the developer's CI/CD pipeline, local workstation, or production deployment. The blast radius extends to every secret accessible to the process that ran npm install.

Developers should immediately audit their package-lock.json and node_modules for any of the affected package names and versions. The complete list spans 40 packages; a representative subset includes @mastra/voice-openai (0.12.3), @mastra/voice-openai-realtime (0.12.6), @mastra/voice-elevenlabs (0.12.2), @mastra/voice-deepgram (0.12.2), @mastra/voice-google (0.12.3), @mastra/voice-google-gemini-live (0.12.2), @mastra/voice-aws-nova-sonic (0.1.4), @mastra/gcs (0.2.3), @mastra/google-cloud-pubsub (1.0.6), @mastra/e2b (0.3.4), @mastra/daytona (0.4.2), @mastra/blaxel (0.4.2), @mastra/temporal (0.1.14), @mastra/arize (1.2.3), @mastra/stagehand (0.2.5), @mastra/tavily (1.0.3), @mastra/agent-builder (1.0.42), @mastra/agent-browser (0.3.2), @mastra/mcp-registry-registry (1.0.2), and @mastra/longmemeval (1.0.50). Rotate all secrets — API keys, cloud credentials, npm tokens — from a separate, clean machine. Check npm token logs for any unauthorized publishes from the @mastra/ maintainer accounts.

This burst fits a growing pattern of coordinated supply-chain attacks targeting AI/ML developer tooling. The Mastra framework sits at the intersection of the AI agent ecosystem — it's used to build, orchestrate, and deploy LLM-powered agents — and its integration packages are precisely the kind of high-value targets that connect to multiple cloud APIs and secret stores. A single compromised publish across the entire @mastra/ scope represents an attempt to harvest credentials from every integration surface simultaneously. The tight seven-minute advisory window (05:05–05:12 UTC) suggests that the security response was swift once the malicious versions were detected, but the window between the malicious publish and the takedown remains the critical unknown.

Synthesized by Vypr AI