-= Per source details. Do not edit below this line.=-
Package is published as mastraqqq but bundles a verbatim clone of the legitimate mastra CLI: the embedded package metadata declares name: "mastra", version: "1.13.0" with Mastra's homepage and repository, and the README is the upstream Mastra CLI README. The npm-published manifest under the mastraqqq name (a 3-character-suffix edit of mastra) adds a single unrelated runtime dependency, caspian-day-js@^1.11.22, which is never imported anywhere in the bundled dist/ output. Installing mastraqqq therefore silently pulls caspian-day-js — an attacker-chosen package whose contents are outside this tarball — into the consumer's install graph under cover of a Mastra impersonation. The combination of impersonation (identical bundled name/version/README/code) plus an unexplained, never-referenced extra dependency is the canonical namespace-abuse delivery shape: the lure is the typosquat, the payload arrives via the smuggled dep.
{
"malicious-packages-origins": [
{
"sha256": "6ab6891e53f407a1aebddb94c7d02dab202313f4576e37f378dfc2fc50705cd4",
"versions": [
"1.13.1"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-006808",
"modified_time": "2026-06-16T18:54:13Z",
"import_time": "2026-06-16T19:46:14.403509698Z"
}
]
}[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "mastraqqq-1.13.1.tgz",
"hashes": {
"sha512_sri": "sha512-C1KIIseTFf9/wyArSDCLuIBhZwesBs3+vdYtMKXpJvoLhgiy/uoaEYiZo5da3srZbI+CK4WWzJfMH/YJKUQ2fQ==",
"sha1": "c1a08038e3f2cee93e344fb58d7dbc522b808ab4"
}
}
],
"evidence_files": [
{
"path": "package.json",
"sha256": "12d2045d8f1e2f89fb8aa371c1280539c11a72d5c756550d54efb5ff70ce8009",
"tlsh": "0951ea24ceaacc631ac895adbc6e441a613548139ca5fc8c33e5171c8f5d79f30ba32d"
},
{
"path": "dist/chunk-4EG3WFWR.js",
"sha256": "8a7914799042a419c71a9882e7af019b5a60da3eee4649f4fc728b28f2572368",
"tlsh": "9613b719c6f7853243b7206e652b6802f27b81072b4deca07bdc83545f5961ec9ba3ed"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mastraqqq/MAL-2026-5913.json"