Mastra got hacked.
In this special edition of Security Corner, Shane Thomas and Abhi Aiyer break down exactly what happened when a supply chain attack hit Mastra's npm packages — an attack that appears to trace back to hackers in North Korea.
They're joined by Ismail Pelaseyed, co-founder and CTO of Superagent, for the outside view on how these campaigns actually work.
You'll hear how a single, ordinary-looking call turned into a full npm account takeover, the small oversight that turned a scare into a genuine crisis, and why a malicious package was still live on the registry weeks after it was reported.
Ismail makes the case that getting hacked is a side effect of success — and that the real problem runs deeper than any one team. You'll learn why he thinks npm and PyPI have dropped the ball on security, how AI now lets attackers one-shot a convincing phishing app, and what every maintainer should be doing to harden their pipeline before a trusted contributor becomes the way in.
It's the unfiltered version, told by the people who lived through it.
Connect with Ismail Pelaseyed:
https://x.com/pelaseyed
https://superagent.sh
Connect with the hosts:
https://x.com/smthomas3
https://x.com/abhiaiyer
📚 MASTRA RESOURCES
https://mastra.ai
https://x.com/mastra_ai
https://mastra.ai/community/discord
https://github.com/mastra-ai
https://mastra.ai/course
https://mastra.ai/books/principles-of-building-ai-agents
https://mastra.ai/books/patterns-of-building-ai-agents
Mastra is an open-source TypeScript framework designed for building and shipping AI-powered applications and agents with minimal friction. It supports the full lifecycle of agent development — from prototype to production.
CHAPTERS
0:00 Intro: a special Security Corner
0:55 The supply chain attack on Mastra
1:29 How they got in: a fake Teams call
2:27 The npm account takeover
3:54 EasyDjS and the scramble to fix it
5:49 Why success makes you a target
9:20 How AI supercharges phishing
9:59 Hardening against compromised contributors
11:10 Open source under strain: IBM's $5B bet
12:27 npm and PyPI keep dropping the ball
14:31 Inside the fake package, and how Socket caught it
16:20 The fear-selling problem in security
18:02 Superagent!
