{"id":"MAL-2026-5913","summary":"Malicious code in mastraqqq (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6ab6891e53f407a1aebddb94c7d02dab202313f4576e37f378dfc2fc50705cd4)\nPackage is published as `mastraqqq` but bundles a verbatim clone of the legitimate `mastra` CLI: the embedded package metadata declares `name: \"mastra\", version: \"1.13.0\"` with Mastra's homepage and repository, and the README is the upstream Mastra CLI README. The npm-published manifest under the `mastraqqq` name (a 3-character-suffix edit of `mastra`) adds a single unrelated runtime dependency, `caspian-day-js@^1.11.22`, which is never imported anywhere in the bundled `dist/` output. Installing `mastraqqq` therefore silently pulls `caspian-day-js` — an attacker-chosen package whose contents are outside this tarball — into the consumer's install graph under cover of a Mastra impersonation. The combination of impersonation (identical bundled name/version/README/code) plus an unexplained, never-referenced extra dependency is the canonical namespace-abuse delivery shape: the lure is the typosquat, the payload arrives via the smuggled dep.\n","modified":"2026-06-16T20:01:51.098284561Z","published":"2026-06-16T18:54:13Z","database_specific":{"malicious-packages-origins":[{"versions":["1.13.1"],"id":"IN-MAL-2026-006808","import_time":"2026-06-16T19:46:14.403509698Z","modified_time":"2026-06-16T18:54:13Z","sha256":"6ab6891e53f407a1aebddb94c7d02dab202313f4576e37f378dfc2fc50705cd4","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/mastraqqq/v/1.13.1"}],"affected":[{"package":{"name":"mastraqqq","ecosystem":"npm","purl":"pkg:npm/mastraqqq"},"versions":["1.13.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"path":"package.json","sha256":"12d2045d8f1e2f89fb8aa371c1280539c11a72d5c756550d54efb5ff70ce8009","tlsh":"0951ea24ceaacc631ac895adbc6e441a613548139ca5fc8c33e5171c8f5d79f30ba32d"},{"sha256":"8a7914799042a419c71a9882e7af019b5a60da3eee4649f4fc728b28f2572368","tlsh":"9613b719c6f7853243b7206e652b6802f27b81072b4deca07bdc83545f5961ec9ba3ed","path":"dist/chunk-4EG3WFWR.js"}],"package_integrity":[{"filename":"mastraqqq-1.13.1.tgz","hashes":{"sha512_sri":"sha512-C1KIIseTFf9/wyArSDCLuIBhZwesBs3+vdYtMKXpJvoLhgiy/uoaEYiZo5da3srZbI+CK4WWzJfMH/YJKUQ2fQ==","sha1":"c1a08038e3f2cee93e344fb58d7dbc522b808ab4"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mastraqqq/MAL-2026-5913.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}