critical
CVE
Not assigned
CWE
CWE-506, CWE-494, CWE-829, CWE-73, CWE-918, CWE-200
Affected Surface
Developer workstations and CI runners that installed compromised `@mastra/*`, `mastra`, or `create-mastra` packages during the 17 June 2026 exposure window; Node.js applications that pass attacker-influenced `raw` message data into `nodemailer` while relying on `disableFileAccess` or `disableUrlAccess` as a sandbox boundary
Welcome to Corgea’s weekly briefing. The briefing covers the most important security findings and research from the week.
This edition covers research published from Wednesday, 17 June through Tuesday, 23 June 2026, excluding items already covered in the 16 June briefing.
Top Article
Mastra npm scope takeover used easy-day-js to Trojanize 141-143 packages
The most important story in this window is the @mastra compromise, because it hit an AI-agent framework that commonly lives on the same developer workstations and CI runners already exposed to Hades’ MCP-focused PyPI wave, the Phantom Gyp Miasma follow-on packages, and the earlier dbmux Phantom Gyp incident. Aikido deserves first public-disclosure credit for flagging the 140+ package republish burst on 17 June, StepSecurity deserves credit for quickly reversing the easy-day-js postinstall chain, and Microsoft later added the strongest public provenance detail by tying the poisoned releases to the hijacked ehindero maintainer account and the staged 1.11.21 / 1.11.22 semver trap.
The key thing to remember is that the visible Mastra package was only the carrier. The real malicious execution edge sat one dependency lower in easy-day-js@1.11.22, which means the incident belongs in the same trust-boundary category as Atomic Arch, TanStack’s trusted-publisher breach, and the GlassWASM Open VSX extension attack: the highest-risk code is often the code developers never intended to review directly.
More news
Nodemailer raw option bypasses disableFileAccess and disableUrlAccess
The other important story this week is the new Nodemailer advisory, because it turns a documented sandbox boundary into a false sense of safety. The GitHub advisory credits Pig-Tail as the reporter, and the Nodemailer maintainers deserve credit for shipping the 9.0.1 fix quickly once the raw message path was shown to drop both disableFileAccess and disableUrlAccess before MimeNode resolved { path } and { href } content. That gives attackers a direct local-file disclosure and full-response SSRF primitive when an application lets untrusted input shape the outgoing RFC822 message.
What makes this more than “just another Node package bug” is that the vulnerable path sits inside infrastructure code many teams treat as already-hardened plumbing. The lesson lines up with CVE-2026-44488 in Axios’ fetch adapter, CVE-2026-42305 and CVE-2026-47712 in Dulwich, and CVE-2026-41242 in protobufjs: once a library promises a safety control, the obscure shortcut path that forgets to propagate that control becomes the real security boundary.
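A compensating control for the `raw` bypass described above, as an added example that is not Nodemailer's own code: a pre-send guard that refuses any `{ path }` or `{ href }` content-reference object anywhere in mail options built from untrusted input, so the message never depends on the transport's `disableFileAccess` / `disableUrlAccess` flags being honoured. The option names are Nodemailer's documented message fields; the sample messages are constructed.

```javascript
"use strict";

// Nodemailer message fields whose content may be supplied as a reference
// object ({ path } = local file, { href } = URL). `raw` is the path the
// advisory shows dropping disableFileAccess / disableUrlAccess before 9.0.1.
const CONTENT_KEYS = ["raw", "text", "html", "watchHtml", "amp", "icalEvent",
  "attachments", "alternatives"];

// A reference object is any non-Buffer object carrying `path` or `href`.
// fs streams also expose `.path`; for untrusted input that is rejected too,
// which is the conservative behaviour this guard wants.
function isRefObject(v) {
  return v !== null && typeof v === "object" && !Buffer.isBuffer(v) &&
    (Object.prototype.hasOwnProperty.call(v, "path") ||
     Object.prototype.hasOwnProperty.call(v, "href"));
}

// Walks arrays and nested content objects; returns the dotted location of the
// first file/URL reference found, or null when only strings/Buffers are used.
function findContentRef(value, location) {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findContentRef(value[i], `${location}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value === null || typeof value !== "object" || Buffer.isBuffer(value)) return null;
  if (isRefObject(value)) return location;
  // attachments / alternatives may nest the reference one level down in
  // `content` or `raw`, so those keys are followed as well.
  for (const key of ["content", "raw"]) {
    if (key in value) {
      const hit = findContentRef(value[key], `${location}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Call before transporter.sendMail(); throws on the first reference found,
// returns true when the options are safe to hand to Nodemailer.
function assertNoContentRefs(mailOptions) {
  for (const key of CONTENT_KEYS) {
    if (mailOptions[key] === undefined) continue;
    const hit = findContentRef(mailOptions[key], key);
    if (hit) throw new Error(`refused file/URL content reference at ${hit}`);
  }
  return true;
}
```

The guard is a stop-gap while upgrading to 9.0.1; it does not replace the fix, since the transport flags remain the intended control for application-supplied references.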
Other news:
- No additional new Corgea /research articles were published in this Tuesday-to-Tuesday window after excluding items already covered in the 16 June briefing.
- For related context, revisit GlassWASM, CVE-2026-45783 in libp2p, Spring’s WebFlux and static-resource DoS fixes, and the earlier Red Hat Cloud Services Miasma compromise, all of which help frame the same “high-trust tooling plus failed trust boundary” pattern from different angles.