116 packages in the mastra npm org compromised by a single attacker.

"Over a 27-minute window, they republished the entire @mastra catalog. They left Mastra's own code alone."

AI?