Browsing Tag
npm
3 posts
npm package ecosystem news and security
Mastra npm Compromise Turns AI Agent Frameworks Into a Supply-Chain Target
Attackers republished more than 140 Mastra npm packages with a poisoned easy-day-js dependency, exposing AI agent developers to an install-time remote payload. Teams that installed affected @mastra packages on June 17 should treat developer machines and CI runners as compromised.
npm 12 Will Make Install Scripts Opt-In by Default
npm 12 is expected in July 2026 with stricter install defaults: dependency lifecycle scripts, Git dependencies, and remote tarballs will no longer run or resolve automatically without approval.
AI Coding Tools Are Making Package Security Harder
Microsoft’s npm findings show why AI coding agents need stricter dependency gates: install scripts, registry routing, lockfiles, CI secrets, and package provenance now sit inside the agent workflow.