MAL-2026-5913
Malicious code in mastraqqq (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6ab6891e53f407a1aebddb94c7d02dab202313f4576e37f378dfc2fc50705cd4)

Package is published as `mastraqqq` but bundles a verbatim clone of the legitimate `mastra` CLI: the embedded package metadata declares `name: "mastra", version: "1.13.0"` with Mastra's homepage and repository, and the README is the upstream Mastra CLI README. The npm-published manifest under the `mastraqqq` name (a 3-character-suffix edit of `mastra`) adds a single unrelated runtime dependency, `caspian-day-js@^1.11.22`, which is never imported anywhere in the bundled `dist/` output. Installing `mastraqqq` therefore silently pulls `caspian-day-js` — an attacker-chosen package whose contents are outside this tarball — into the consumer's install graph under cover of a Mastra impersonation. The combination of impersonation (identical bundled name/version/README/code) plus an unexplained, never-referenced extra dependency is the canonical namespace-abuse delivery shape: the lure is the typosquat, the payload arrives via the smuggled dep.
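The two signals above (a declared runtime dependency that nothing in `dist/` references, and bundled metadata naming a different package than the published one) can be checked mechanically before a package is allowed into a build. The following is an added example written for this advisory, not code from the advisory source or the Mastra project; the manifests and `dist/` contents are constructed samples shaped like the case described, and `example-cli-lib` is a placeholder dependency name.

```javascript
// Flag declared runtime deps never referenced by the shipped code, and a
// mismatch between the published package name and embedded package metadata.
// All inputs are constructed samples modelled on the advisory's description.

// Bare specifiers pulled in via require() or ESM import/re-export.
const REQUIRE_RE = /require\(\s*['"]([^'"./][^'"]*)['"]\s*\)/g;
const IMPORT_RE = /(?:import|export)\s[^'";]*?from\s*['"]([^'"./][^'"]*)['"]|import\s*['"]([^'"./][^'"]*)['"]/g;

// "@scope/pkg/sub" -> "@scope/pkg", "pkg/sub" -> "pkg".
function packageName(specifier) {
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Every package name referenced anywhere in the shipped files.
function referencedPackages(distFiles) {
  const seen = new Set();
  for (const src of Object.values(distFiles)) {
    for (const re of [REQUIRE_RE, IMPORT_RE]) {
      for (const m of src.matchAll(re)) seen.add(packageName(m[1] || m[2]));
    }
  }
  return seen;
}

// Declared runtime dependencies that no shipped file ever loads.
function unreferencedDependencies(manifest, distFiles) {
  const used = referencedPackages(distFiles);
  return Object.keys(manifest.dependencies || {}).filter((d) => !used.has(d));
}

// True when bundled metadata claims a different name than the published one.
function nameMismatch(publishedManifest, embeddedManifest) {
  return Boolean(embeddedManifest) && embeddedManifest.name !== publishedManifest.name;
}

// Constructed sample: the published manifest adds a dep the bundled dist/
// never imports, while the embedded metadata still says "mastra".
const published = { name: 'mastraqqq', version: '1.13.0',
  dependencies: { 'example-cli-lib': '^2.0.0', 'caspian-day-js': '^1.11.22' } };
const embedded = { name: 'mastra', version: '1.13.0' };
const dist = {
  'dist/index.js': "import { run } from 'example-cli-lib';\nconst fs = require('fs');\nrun();\n",
};

console.log('unreferenced deps:', unreferencedDependencies(published, dist)); // ['caspian-day-js']
console.log('name mismatch:', nameMismatch(published, embedded)); // true
```

Run against a real tarball, the same functions take the published `package.json`, any `package.json` found inside the extracted bundle, and a map of the `dist/` file contents.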
Affected packages
No fixed version published yet for mastraqqq (npm). Pin to a known-safe version or switch to an alternative.