Another loaded week for software developers, and this time the headline came from an unexpected direction. On June 16, just days after its record IPO, SpaceX agreed to buy Anysphere, the maker of the AI coding assistant Cursor, for $60 billion. The deal pulls one of the most popular agentic coding tools into Elon Musk’s xAI and raises a real question for everyone who picked Cursor because it stayed neutral on which model you run.
The rest of the week kept up the pace. North Korean hackers backdoored more than 140 Mastra npm packages in one of the year’s nastier supply chain attacks, GitHub made the Copilot desktop app generally available, AWS Summit New York put agentic coding on the iPhone, OpenAI taught Codex to learn from watching you, and Anthropic brought shareable Artifacts to Claude Code. DeepSeek raised $7.4 billion, Cisco and Fortinet zero-days came under active attack, and Node.js pushed out emergency security releases. Here is everything that mattered.
Top Stories This Week
SpaceX Buys Cursor Maker Anysphere for $60 Billion
On June 16, SpaceX signed a definitive agreement to acquire Anysphere, the company behind Cursor, in an all-stock deal worth $60 billion. Under the merger, a SpaceX subsidiary called X67 Inc. folds into Anysphere, leaving Cursor as a wholly owned subsidiary once the deal closes in the third quarter, subject to regulatory approval. The move comes barely a week after SpaceX’s blockbuster Nasdaq debut and follows an option it secured back in April to either buy Cursor for $60 billion or pay $10 billion for a narrower compute partnership. Musk merged SpaceX with his AI startup xAI earlier this year, so this hands xAI a strong position in AI-assisted coding, an area where it had trailed Anthropic and OpenAI.
For developers, the interesting part is what happens to model choice. Cursor’s whole appeal has been that it stays neutral, letting you run Anthropic’s Claude, OpenAI’s GPT, and its own Composer models from the same editor. As TechTimes pointed out, SpaceX now has a financial reason to make its own Grok the default, since every call routed to a rival is revenue leaving the house. The company has not committed to keeping Cursor model-agnostic after close. Worth watching too is the market backdrop: Cursor’s share of AI coding spend slipped from 41 percent in June 2025 to about 26 percent in May, with Anthropic taking half the category, so this is a defensive land grab as much as an expansion.
North Korea Backdoors 140+ Mastra npm Packages
The supply chain attack of the week hit the Mastra AI ecosystem. In the early hours of June 17, an attacker used a compromised former contributor account named ehindero to republish the entire @mastra npm scope, around 143 packages, each seeded with a malicious dependency called easy-day-js, a typosquat of the popular dayjs library. The day before, the attacker had published a clean version to build trust, then weaponized it minutes before the mass publish. Because the affected packages declared the dependency with a caret range rather than an exact version, npm’s version resolution pulled the poisoned build automatically. The malicious postinstall hook disabled TLS certificate verification, fetched a second-stage payload from raw IP infrastructure, and ran a cross-platform cryptocurrency stealer and a remote access trojan as detached background processes. The blast radius is large: @mastra/core alone pulls close to a million downloads a week, and the scope sees more than 30 million downloads a month.
On June 19, Microsoft attributed the campaign with high confidence to Sapphire Sleet, a North Korean state actor also tracked as BlueNoroff, the same group behind the April 2026 Axios npm compromise. Microsoft’s deep dive on the dropper describes follow-on activity that planted a PowerShell backdoor, added Microsoft Defender exclusions, and installed a malicious Windows service running with SYSTEM privileges. The lesson is the same one this newsletter keeps repeating: a single stale maintainer account is enough to poison a whole namespace. If you installed any Mastra package after June 16, treat the machine as compromised, rotate every token and key, move crypto funds, and rebuild from clean lockfiles.
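An added example, not from the original newsletter or from Mastra or Microsoft: a Node.js check that walks the "packages" map of a package-lock.json (lockfile v2/v3) for the easy-day-js dependency and the @mastra scope named above, and lists packages that carry an install script. The sample lockfile, its other package names and every version number are constructed for illustration.

```javascript
// Indicators taken from the article; everything else below is constructed.
const BAD_DEP = "easy-day-js"; // malicious typosquat dependency named on the page
const SCOPE = "@mastra/";      // npm scope that was republished

// "node_modules/a/node_modules/@s/b" -> "@s/b" (handles nested installs)
function packageName(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// lock: the parsed JSON of a package-lock.json file
function auditLockfile(lock) {
  const f = { installed: [], pulledBy: [], scopeHits: [], installScripts: [] };
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry, not an installed package
    const name = packageName(key);
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    // The typosquat itself is present in the resolved tree.
    if (name === BAD_DEP) f.installed.push(`${name}@${meta.version}`);
    // Some package declares it; record the declared range (e.g. a caret range).
    if (BAD_DEP in deps) f.pulledBy.push(`${name}@${meta.version} -> ${BAD_DEP}@${deps[BAD_DEP]}`);
    // Any package from the affected scope needs its publish date reviewed.
    if (name.startsWith(SCOPE)) f.scopeHits.push(`${name}@${meta.version}`);
    // npm sets hasInstallScript when a package runs pre/post/install scripts.
    if (meta.hasInstallScript) f.installScripts.push(name);
  }
  f.compromised = f.installed.length > 0 || f.pulledBy.length > 0;
  return f;
}

// Constructed lockfile: versions are placeholders, not real release numbers.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@mastra/core": "^9.9.0" } },
    "node_modules/@mastra/core": { version: "9.9.9", dependencies: { "easy-day-js": "^1.0.0" } },
    "node_modules/easy-day-js": { version: "1.0.1", hasInstallScript: true },
    "node_modules/dayjs": { version: "1.0.0" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To audit a real project, pass the parsed contents of its package-lock.json to auditLockfile. A clean result on the lockfile says nothing about a machine that already ran the install, which the article's advice treats as compromised.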
GitHub Copilot App Goes Generally Available
On June 17, GitHub made the Copilot app generally available for macOS, Windows, and Linux. It is a standalone desktop home for agent-driven development, built to pull coding agents out of the IDE sidebar and into a first-class workspace. You start a session from an issue, a pull request, or a plain prompt, run parallel sessions across repositories with each on its own branch and git worktree, review the diff, validate in the built-in terminal and browser, then open a pull request that respects your team’s existing checks and merge rules. As GitHub explained, the point is to keep engineers in control instead of letting agents run as opaque background jobs.
Since the technical preview, GitHub added Canvases, shared surfaces where you and the agent work on the same plan, pull request, or terminal so progress stays visible and steerable. It also added cloud automations that schedule recurring agent work without your laptop being awake, plus bring-your-own-model support so you can pick the model behind each session and wire in external tools through MCP servers. The app is included with Copilot subscriptions, though Business and Enterprise users may need an admin to enable Copilot CLI in policy first. Heads up on cost: agent usage draws from the same credit pools as the new token billing, so check your org settings before launching large parallel runs.
AWS Summit New York Puts Kiro on Your Phone and Launches AWS Context
AWS Summit New York landed on June 17 with a keynote built around making AI agents useful at work. The roundup of announcements led with AWS Context, a knowledge graph that gives agents the enterprise context they need to take the right next step, and AWS Continuum, an AI-native security service that continuously finds, prioritizes, and remediates code vulnerabilities. The new AWS DevOps Agent release management capability now reviews code changes for cross-repository risk and runs change-specific tests in production-like environments before you ship, which matters more every month as the volume of AI-generated code climbs.
The crowd-pleaser was Kiro going mobile with a native iOS app. Now you can kick off an agentic coding session, monitor progress, steer the agent, review diffs, and approve changes from your phone, with the work running in an always-on cloud session that keeps going after the screen goes dark. As The New Stack put it, the agent does not stop just because you walked away from your desk, so you can start a feature on the train and pick up exactly where it left off at your laptop. The app supports the same chat, spec, and autonomous modes as Kiro Web, and it is in gated preview for paid Kiro tiers on iOS 26 and later.
OpenAI Adds Record and Replay to Codex
On June 18, OpenAI shipped Record and Replay in the Codex macOS app. Instead of describing a workflow in a prompt, you perform a repetitive task once while Codex watches your actions and on-screen context, then it turns that demonstration into a reusable skill. As TechTimes reported, the skill lands as an editable SKILL.md file that spells out when to use the workflow, what inputs it needs, the steps to follow, and how to check the result, and it can take variable inputs like new dates or files on later runs. Think filing an expense, opening a correctly tagged issue, or pulling a recurring report. It needs Computer Use enabled and a paid ChatGPT plan, and at launch it is blocked in the European Economic Area, the United Kingdom, and Switzerland, a pattern that lines up with the EU AI Act transparency rules due in August.
Anthropic Brings Shareable Artifacts to Claude Code
Also on June 18, Anthropic added Artifacts to Claude Code for Team and Enterprise plans. The feature turns the work from a Claude Code terminal session into a live, interactive, shareable HTML page, so you can plug in code and data sources and hand a teammate a working dashboard, a system diagram, or a quick app preview through a single secure link. Anthropic is clear about the limits: an artifact is a capture of work, not a backend application, which is a deliberate contrast with the hosted Sites feature OpenAI added to Codex two weeks earlier. The bigger idea here is that the most valuable output of an AI coding assistant is often not the raw code, it is the context and the reasoning made easy to share.
Developer Tools & Platforms
Vercel Open-Sources the eve Agent Framework
On June 17, Vercel open-sourced eve, a TypeScript framework for building production agents that it already uses internally for v0 and its own agent fleet. The pitch echoes what Next.js did for the web: stop hand-rolling the same plumbing for every agent and start from a framework where durable execution, sandboxes, approvals, and evals are defaults rather than weekend projects. As the official docs describe, eve is filesystem-first, so you define an agent’s tools, skills, and subagents as files under an agent/ directory, and it compiles them into an app that runs on Vercel Functions with state persisted through Vercel Workflows. Model routing goes through the AI Gateway with provider fallbacks, which is handy when a frontier model can vanish overnight, as we saw the week before.
Node.js Ships Emergency Security Releases
On June 18, Node.js released security updates across the 26.x, 24.x, and 22.x lines, with the highest severity rated HIGH on every line. The new builds are 26.3.1 (Current), 24.17.0 (LTS), and 22.23.0 (LTS). If you run Node anywhere that touches untrusted input, this is a same-day upgrade, not a someday upgrade. Pin the patched versions in your base images and CI runners so a rebuild does not quietly pull an older line.
Google Cloud Launches Cloud Network Insights
On June 18, Google Cloud made Cloud Network Insights generally available, an out-of-the-box service for cross-cloud observability built with Broadcom AppNeta. It answers the question every on-call engineer dreads when an app slows down: is it the network, the application, or something in between? It uses active synthetic probing to watch paths across Google Cloud, AWS, Azure, and on-prem around the clock, even when no live traffic is flowing, and it plugs into Google Cloud Observability and Gemini Cloud Assist so you can interrogate telemetry in plain language. For teams running a multi-cloud setup, this turns hours of finger-pointing into a quick root-cause answer.
Security
Cisco Catalyst SD-WAN Zero-Day Under Active Attack
On June 15, Cisco warned customers about CVE-2026-20262, an arbitrary file write flaw in Catalyst SD-WAN Manager that is being actively exploited. The web interface fails to validate uploaded files, so an authenticated remote attacker with write access can create or overwrite any file on the system and use it to escalate to root. Cisco found it internally and saw exploitation in the wild, which it described as limited and targeted, a sign of a skilled, possibly state-backed group. CISA added it to the Known Exploited Vulnerabilities catalog on June 16 and gave federal agencies until June 29 to patch. The fixes are in SD-WAN Manager 20.12.4 and 21.1.1, and this is the eighth SD-WAN Manager zero-day exploited this year, so if you run it, patch now and lock management access to trusted networks.
Fortinet FortiSandbox Flaws Chained for Root
The same week, attackers turned attention to Fortinet’s threat-detection box. As Qualys detailed, three FortiSandbox flaws, CVE-2026-39808, CVE-2026-25089, and CVE-2026-39813, each rated critical, cover OS command injection, authentication bypass, and path traversal. Threat intel firm Defused confirmed active exploitation on June 16, with the flaws chained to reach unauthenticated root code execution, a far worse outcome than any single CVSS score suggests, and saw intrusion artifacts in several financial and critical infrastructure deployments. The advice is blunt: update FortiSandbox to a patched release and review platform logs for unusual file access. The irony of an attacker rooting the appliance that is supposed to catch attacks is not lost on anyone.
Funding & Industry Deals
DeepSeek Raises $7.4 Billion at a $50 Billion Valuation
On June 16, DeepSeek closed its first external funding round, raising more than $7.4 billion at a valuation above $50 billion, making it China’s most valuable AI startup. The structure is unlike anything in Silicon Valley. As TechTimes reported, most outside investors, including Tencent and battery maker CATL, put money into a limited partnership controlled by founder Liang Wenfeng, took no voting rights, and accepted a five-year lock-up. Liang himself wrote the single largest check at around $3 billion, and the only investor with direct equity and votes was China’s state-backed AI fund. The cash funds compute and talent, and because US export controls limit access to Nvidia’s top chips, DeepSeek’s strategy runs through Huawei hardware.
Odyssey Raises $310 Million for World Models
On June 17, world model startup Odyssey raised a $310 million Series B at a $1.45 billion valuation, led by Natural Capital with Amazon, AMD Ventures, and GV joining. Founded by self-driving veterans, Odyssey is building models that simulate interactive worlds, and the round drew an unusually deep angel list including Jeff Dean, Garry Tan, and Vercel’s Guillermo Rauch. It is one more sign that world models are becoming their own funding category alongside the language and coding labs.
Anthropic Joins the Frontier Carbon Coalition and Opens a Seoul Office
On June 17, Anthropic became the first pure AI company to join Frontier, the carbon removal coalition, contributing to a new $915 million tranche that nearly doubles the group’s total pledges to $1.8 billion. It is Anthropic’s first climate-related deal and lands as AI companies face hard questions about their energy buying. The next day, Anthropic opened a Seoul office to deepen ties with Korea’s enterprise and startup scene, where Claude already has traction. On the same visit, the company said its revenue has grown from $9 billion at the end of 2025 to about $47 billion as of a few weeks ago, the run-rate figure underpinning its IPO plans.
Layoffs: Rackspace, Plus a Bay Area WARN Wave
- Rackspace: On June 16, Rackspace disclosed in an SEC filing that it will cut about 15 percent of its global workforce, roughly 750 jobs, as it shifts away from legacy public cloud delivery toward enterprise AI infrastructure. The cuts cost $14 million to $19 million up front and are meant to save $75 million to $85 million a year.
- Bay Area WARN filings: On June 15, five Bay Area tech firms filed WARN notices for a combined 370 jobs, including Ubisoft, Salesforce, Quizlet, Verily, and ServiceNow, pushing the region’s 2026 total past all of the first half of 2025.
- Oracle: June 15 was the final separation date for the bulk of Oracle’s roughly 30,000 job cuts, the largest in the company’s history, framed as a reallocation toward AI and data center teams rather than a sign of distress.
The Numbers That Matter
- $60 Billion: All-stock value of SpaceX’s agreement to acquire Cursor maker Anysphere
- 143: Mastra npm packages backdoored in the June 17 supply chain attack
- 30 Million+: Monthly downloads across the compromised Mastra npm scope
- $7.4 Billion: Raised by DeepSeek in its first external round, at a $50 billion valuation
- $310 Million: Odyssey’s Series B for world models, at a $1.45 billion valuation
- $915 Million: New Frontier carbon removal tranche Anthropic helped fund
- 750: Jobs Rackspace is cutting, about 15 percent of its workforce
- 3: FortiSandbox CVEs chained for unauthenticated root code execution
- June 29: CISA deadline for federal agencies to patch the Cisco SD-WAN zero-day
Quick Hits
- Bay Area WARN Wave - June 15. Ubisoft, Salesforce, Quizlet, Verily, and ServiceNow file for 370 combined job cuts.
- Oracle Final Separations - June 15. The bulk of Oracle’s roughly 30,000 cuts take effect.
- Cisco SD-WAN Zero-Day - June 15. CVE-2026-20262 in Catalyst SD-WAN Manager is exploited in targeted attacks.
- SpaceX Buys Cursor - June 16. A $60 billion all-stock deal brings Anysphere into xAI.
- DeepSeek Raises $7.4 Billion - June 16. China’s most valuable AI startup takes outside money for the first time.
- FortiSandbox Chain - June 16. Three Fortinet flaws chained for unauthenticated root execution.
- Rackspace Layoffs - June 16. About 750 jobs cut, 15 percent of staff, in a pivot to enterprise AI.
- GitHub Copilot App GA - June 17. Agent-native desktop app ships for macOS, Windows, and Linux.
- AWS Summit New York - June 17. Kiro lands on iOS, plus AWS Context, AWS Continuum, and DevOps Agent release management.
- Vercel eve - June 17. Open-source TypeScript framework for durable production agents.
- Odyssey Series B - June 17. $310 million at a $1.45 billion valuation for world models.
- Anthropic Joins Frontier - June 17. First pure AI company in the carbon removal coalition, funding a $915 million tranche.
- OpenAI Codex Record and Replay - June 18. Show Codex a workflow once, get a reusable SKILL.md.
- Claude Code Artifacts - June 18. Shareable, interactive dashboards from a terminal session.
- Node.js Security Releases - June 18. HIGH-severity fixes for the 26.x, 24.x, and 22.x lines.
- Google Cloud Network Insights - June 18. Cross-cloud observability across Google Cloud, AWS, Azure, and on-prem.
- Anthropic Seoul Office - June 18. New base in Korea, with revenue cited at about $47 billion run-rate.
- Mastra npm Attribution - June 19. Microsoft ties the supply chain attack to North Korea’s Sapphire Sleet.
The theme this week was consolidation and its risks. SpaceX swallowed Cursor, betting that owning the editor matters more than staying neutral on the model, and DeepSeek built a corporate fortress to keep its frontier work inside one founder’s grip and one state’s reach. GitHub, AWS, OpenAI, and Anthropic all pushed agents further into the daily loop, from a desktop home for Copilot to Kiro on your phone to Codex learning by watching. Then the other side showed up right on cue: North Korea poisoned an entire npm namespace, Cisco and Fortinet zero-days went live, and Node.js had to ship emergency fixes. The tools keep getting more capable, and the supply chain keeps reminding us that capability and trust are not the same thing. Next week the wait for Gemini 3.5 Pro continues, with most signs pointing to a launch any day now. See you then.