npm

mastraqqq@1.13.1

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5913

Ecosystem

npm

Summary

Package is published as mastraqqq but bundles a verbatim clone of the legitimate mastra CLI: the embedded package metadata declares name: "mastra", version: "1.13.0" with Mastra's homepage and repository, and the README is the upstream Mastra CLI README. The npm-published manifest under the mastraqqq name (a 3-character-suffix edit of mastra) adds a single unrelated runtime dependency, caspian-day-js@^1.11.22, which is never imported anywhere in the bundled dist/ output. Installing mastraqqq therefore silently pulls caspian-day-js, an attacker-chosen package whose contents are outside this tarball, into the consumer's install graph under cover of a Mastra impersonation. The combination of impersonation (identical bundled name/version/README/code) plus an unexplained, never-referenced extra dependency is the canonical namespace-abuse delivery shape: the lure is the typosquat, the payload arrives via the smuggled dep.

Source: amazon-inspector (6ab6891e53f407a1aebddb94c7d02dab202313f4576e37f378dfc2fc50705cd4)
