144 Mastra npm Packages Compromised via Hijacked Contributor Account

**Hacked Open-Source Framework Exposes 144 AI Projects to Malicious Code**

Up to 144 AI projects built using the popular open-source framework Mastra have been compromised after a contributor’s account was hijacked. The affected packages, listed under the “@mastra/*” namespace on npm, a leading JavaScript and TypeScript package repository, have been tainted with malicious code.

Mastra is a widely used framework for building AI applications, with thousands of developers relying on its tools and libraries. The affected packages, used in various projects, include AI models, natural language processing tools, and computer vision libraries. The security breach potentially allows attackers to inject malicious code into these projects, compromising the integrity of AI-powered systems.

The attack is believed to be a software supply chain attack, where a malicious actor gained access to the contributor’s account and pushed compromised code to the affected packages. It’s unclear how the attacker gained access to the account, but npm has since removed the compromised packages from its registry.

**What this means:**

Developers and organizations using Mastra for their AI projects should immediately review their dependencies and update to clean versions of the affected packages. It’s essential to be vigilant about software supply chain security, ensuring that third-party dependencies are regularly updated and audited for potential vulnerabilities.

**Impact on AI Developers**

The compromised packages may contain malicious code that can steal sensitive data, inject backdoors, or manipulate AI decision-making processes. This breach highlights the risks associated with relying on open-source software and the importance of maintaining a secure software supply chain.

**npm’s Response**

npm has taken steps to address the issue, removing the compromised packages from its registry and providing guidance to affected developers. The incident serves as a reminder of the need for robust security measures and regular audits to prevent such attacks in the future.
