MAL-2026-6050

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/create-mastra/MAL-2026-6050.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6050
Aliases
  • GHSA-jgwq-x2m5-mxhm
Published
2026-06-17T04:55:41Z
Modified
2026-07-09T23:01:59.816052359Z
Summary
Malicious code in create-mastra (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4da726670223ca28536bc00f5e68f94f22591bdecdb38dd94e5e873fce0afcf2)

create-mastra is the Mastra framework's project scaffolder, distributed as a bundled CLI. The flagged signals are generic occurrences of the literal string 'POST' across the minified dist/index.js (lines 245-247, 679, 16066) without corroborating evidence of a hardcoded attacker C2 endpoint, install-time exfiltration, or credential harvest. No install/postinstall lifecycle hooks were identified that would auto-execute network behavior on npm install. Keyword co-occurrence in a minified rollup bundle is the weakest evidence shape and is consistent with normal HTTP client code in a CLI scaffolder. Routing for human review to confirm the destinations of those POST calls are documented Mastra endpoints rather than attacker infrastructure.

Source: ghsa-malware (12df16ee90f6c59f31e4b0b71f2dbf3a0b046e17ecae5e13399b69fec9f3c563)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.13.1"
            ],
            "id": "GHSA-jgwq-x2m5-mxhm",
            "modified_time": "2026-06-17T04:55:42Z",
            "sha256": "12df16ee90f6c59f31e4b0b71f2dbf3a0b046e17ecae5e13399b69fec9f3c563",
            "import_time": "2026-06-17T05:56:08.450063969Z",
            "source": "ghsa-malware"
        },
        {
            "versions": [
                "1.13.1"
            ],
            "id": "GHSA-jgwq-x2m5-mxhm",
            "modified_time": "2026-06-17T18:29:21Z",
            "sha256": "a63f91d1b45294b3012f4a9d5cb4d90c6d52e8ef9ae3d0fea42fefa2b5d178dd",
            "import_time": "2026-06-17T19:08:20.623139814Z",
            "source": "ghsa-malware"
        },
        {
            "sha256": "4da726670223ca28536bc00f5e68f94f22591bdecdb38dd94e5e873fce0afcf2",
            "id": "IN-MAL-2026-009533",
            "import_time": "2026-07-09T22:56:31.918836888Z",
            "modified_time": "2026-07-09T22:09:29Z",
            "versions": [
                "1.13.1"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / create-mastra

Package

Affected ranges

Affected versions

1.*
1.13.1

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "deb4e845ebfa222157e331f16d4e550ba77881133918dce5f99cc2903f864a8c2f6fa9",
            "sha256": "b0fc6d442cc02b12f114901d8ea6f6184372c5ac220105e2e51ae06180a2a63c",
            "path": "dist/index.js"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/create-mastra/MAL-2026-6050.json"