From package to postinstall payload: Inside the Mastra npm supply chain compromise