
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@mastra/arize
Advanced tools
Affected versions:
Arize observability provider for Mastra - includes AI tracing and future observability features
Export Mastra AI traces to any OpenTelemetry observability platform that supports OpenInference, like Arize AX, or Phoenix.
For more information on OpenInference, see the OpenInference Semantic Conventions specification.
npm install @mastra/arize
You can add ArizeExporter to your Mastra configuration to export traces to Arize AX or Phoenix, or any other OpenTelemetry compatible observability platform that supports OpenInference.
import { ArizeExporter } from '@mastra/arize';
import { Mastra } from '@mastra/core';
// required, ends in /v1/traces
const ENDPOINT = process.env.PHOENIX_ENDPOINT!;
// optional if using unauthenticated Phoenix instance
const API_KEY = process.env.PHOENIX_API_KEY;
// optional, determines the project name in Phoenix
const PROJECT_NAME = process.env.PHOENIX_PROJECT_NAME || 'mastra-service';
const mastra = new Mastra({
...,
observability: {
// Enables ArizeExporter for AI tracing
configs: {
arize: {
serviceName: PROJECT_NAME,
exporters: [
new ArizeExporter({
endpoint: ENDPOINT,
apiKey: API_KEY,
projectName: PROJECT_NAME,
}),
],
},
},
},
});
[!TIP] You can easily use this exporter with both self-hosted Phoenix, or, Phoenix Cloud.
To quickly verify functionality, you can try out a local in-memory Phoenix instance:
docker run --pull=always -d --name arize-phoenix -p 6006:6006 -e PHOENIX_SQL_DATABASE_URL="sqlite:///:memory:" arizephoenix/phoenix:latestConfigure your
ArizeExporterendpoint tohttp://localhost:6006/v1/tracesand run the default Mastra weather agent to see traces!
import { ArizeExporter } from '@mastra/arize';
import { Mastra } from '@mastra/core';
// required space destination for trace exports
const SPACE_ID = process.env.ARIZE_SPACE_ID!;
// Arize AX API key
const API_KEY = process.env.ARIZE_API_KEY!;
// optional, determines the project name in Arize AX
const PROJECT_NAME = process.env.ARIZE_PROJECT_NAME || 'mastra-service';
const mastra = new Mastra({
...,
observability: {
configs: {
arize: {
serviceName: PROJECT_NAME,
exporters: [
new ArizeExporter({
apiKey: process.env.ARIZE_API_KEY!,
spaceId: SPACE_ID,
projectName: PROJECT_NAME,
}),
],
},
},
},
});
[!TIP] Need an Arize AX API key? Get one here.
You can configure the ArizeExporter to tweak the underlying OpenTelemetry BatchSpanProcessor, or add additional resource attributes to each span.
import { ArizeExporter } from '@mastra/arize';
import { Mastra } from '@mastra/core';
const mastra = new Mastra({
...,
observability: {
configs: {
arize: {
serviceName: 'mastra-service',
exporters: [
new ArizeExporter({
// Required at runtime
endpoint: 'https://your-collector.example.com/v1/traces',
// Required if using authenticated endpoint
apiKey: "your-api-key",
// Optional headers to be added to each OTLP request, in addition to authentication headers
headers: {
'x-api-key': process.env.API_KEY,
},
// Optional log level for debugging the exporter
logLevel: 'debug',
// Optional batch size for the underlying BatchSpanProcessor, before spans are exported
batchSize: 512,
// Optional timeout for the underlying BatchSpanProcessor, before spans are exported
timeout: 30000,
// Optional resource attributes to be added to each span
resourceAttributes: {
'custom.attribute': 'value',
},
})
],
},
},
},
});
This exporter follows the OpenInference Semantic Conventions for generative AI applications.
Apache 2.0
FAQs
Arize observability provider for Mastra - includes tracing and future observability features
The npm package @mastra/arize receives a total of 9,524 weekly downloads. As such, @mastra/arize popularity was classified as popular.
We found that @mastra/arize demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 7 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.