GHSA Malware advisory is missing some packages of Mastra supply chain attack campaign #8054

@socketz

Hi,

Please review the current malware campaign more carefully: Mastra packages are missing from the GHSA advisory.

Take a look at this URL from the provider:
https://github.com/mastra-ai/mastra/blob/main/.changeset/easy-day-js-security-remediation.md?plain=1

Missing packages example (and probably more):

| Package | Version |
| --- | --- |
| @mastra/acp | 0.2.2 |
| @mastra/agentcore | 0.2.2 |
| @mastra/agentfs | 0.1.1 |
| @mastra/arthur | 0.3.3 |
| @mastra/astra | 1.0.2 |

More references:
