
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@mastra/agentcore
Advanced tools
Affected versions:
AWS Bedrock AgentCore Runtime sandbox provider for Mastra workspaces.
npm install @mastra/agentcore
import { Workspace } from '@mastra/core/workspace';
import { AgentCoreRuntimeSandbox } from '@mastra/agentcore';
const workspace = new Workspace({
sandbox: new AgentCoreRuntimeSandbox({
region: 'us-west-2',
agentRuntimeArn: process.env.AGENTCORE_RUNTIME_ARN!,
runtimeSessionId: '12345678-1234-1234-1234-123456789012',
}),
});
const result = await workspace.sandbox?.executeCommand?.('npm', ['test'], {
cwd: '/workspace',
timeout: 300_000,
});
AgentCoreRuntimeSandbox uses InvokeAgentRuntimeCommand to run one-shot shell commands inside an existing AgentCore Runtime session. It does not provide background process management or filesystem mounts.
By default, destroy() does not stop the AgentCore Runtime session because sessions can be shared with other AgentCore invocations. Call stopRuntimeSession() explicitly, or set stopSessionOnLifecycle: true, when the sandbox owns the session and should clean it up.
AgentCore Code Interpreter is a separate AgentCore service and is not part of this runtime sandbox provider.
FAQs
AWS Bedrock AgentCore Runtime sandbox provider for Mastra workspaces
The npm package @mastra/agentcore receives a total of 2,533 weekly downloads. As such, @mastra/agentcore popularity was classified as popular.
We found that @mastra/agentcore demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.