HIGH: 36 Malicious npm Packages Masquerade as Strapi Plugins to Deploy Persistent Implants
Security researchers discovered 36 malicious npm packages impersonating Strapi CMS plugins. The packages exploit Redis and PostgreSQL databases, deploy reverse shells, harvest credentials, and target cryptocurrency platforms with hard-coded database credentials.
If you are a developer who installs npm packages without checking whether they are legitimately scoped, today's news might ruin your morning coffee. Security researchers at SafeDep have uncovered 36 malicious packages in the npm registry that impersonate Strapi CMS plugins while carrying payloads designed to exploit Redis and PostgreSQL databases, deploy reverse shells, harvest credentials, and maintain persistent access to compromised systems.
The attack represents a masterclass in social engineering the software supply chain. Every malicious package follows an identical structure of three files: package.json, index.js, and postinstall.js. All of them carry version 3.6.8 to create the appearance of a mature Strapi v3 community plugin. Notably absent from each package are a description, a repository link, and a homepage. Official Strapi plugins are published under the "@strapi/" scope; a developer who does not know that, and does not notice the empty metadata, has little to distinguish these fakes from a genuine community plugin.
Four sock-puppet accounts orchestrated the upload campaign within a 13-hour window. The accounts, named "umarbek1233," "kekylf12," "tikeqemif26," and "umar_bektembiev1," pushed packages with names like "strapi-plugin-cron," "strapi-plugin-database," "strapi-plugin-server," and a series of packages prefixed with "strapi-plugin-nordica" that suggests the attackers may have been targeting specific organizations or infrastructure.
What makes this attack particularly nasty is the execution method. The malicious code sits inside the postinstall lifecycle hook, so it runs automatically during "npm install" with no further user interaction; since npm 7 the output of lifecycle scripts is hidden by default, so nothing even scrolls past in the terminal. Only installs run with --ignore-scripts (or ignore-scripts=true in .npmrc) skip it. The payload executes with whatever privileges the installing user has. For developers running installs as root in CI/CD pipelines or Docker containers, that means full system compromise from a single command.
The attacker's evolution over the campaign tells a story of adaptation and persistence. Early payloads weaponized locally accessible Redis instances to achieve remote code execution by injecting crontab entries that downloaded and executed shell scripts from attacker-controlled servers every minute. Those scripts dropped PHP web shells and Node.js reverse shells, delivered over SSH, into Strapi's public uploads directory while scanning for secrets such as Elasticsearch credentials and cryptocurrency wallet seed phrases.
When those aggressive Redis exploitation attempts apparently fell short of expectations, the attacker pivoted to combining Redis exploitation with Docker container escape techniques, writing shell payloads directly to the host system outside the container. This approach also launched Python reverse shells on port 4444 and embedded reverse shell triggers into the application's node_modules directory through Redis.
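The Redis-to-crontab pivot described above only works when the instance accepts unauthenticated commands, still honours CONFIG SET, and runs with enough privilege to write into a cron spool. The fragment below is an added example of the relevant redis.conf settings, not taken from SafeDep's write-up or from Strapi; the password is a placeholder.

```conf
# Added example, not from the article: redis.conf settings relevant to the
# cron-injection technique described above.

# Weak state an exposed instance is often found in: anyone who can open a TCP
# connection can repoint the dump file at a cron directory and flush it to disk.
#   bind 0.0.0.0
#   protected-mode no
#   # no requirepass

# Corrected:
bind 127.0.0.1 ::1          # only local clients; use the container/pod network if needed
protected-mode yes
requirepass CHANGE-ME-to-a-long-random-secret   # placeholder, generate your own
rename-command CONFIG ""    # removes the dir/dbfilename pivot the attack relies on
```

Two operational notes belong beside this: the injected crontab only executes if the Redis process itself can write to the cron spool, so running Redis as a dedicated unprivileged user (never root, including inside containers) breaks the technique regardless of configuration; and on Redis 6 and later, ACLs that drop the @dangerous command category for application users are the maintained alternative to rename-command.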
The reconnaissance phase came next. Updated payloads scanned systems for environment variables, PostgreSQL connection strings, Strapi configuration, network topology data, and Docker/Kubernetes secrets. The attackers ran Redis INFO and DBSIZE to profile each instance and KEYS to enumerate its contents while hunting for cryptographic keys and cryptocurrency wallet files.
Perhaps most tellingly, later payloads connected directly to PostgreSQL databases using hard-coded credentials and queried Strapi-specific tables for secrets. The attackers dumped any data matching patterns like "wallet," "transaction," "deposit," "withdraw," "hot," "cold," and "balance." They also attempted connections to six Guardarian databases, suggesting the threat actor already possessed credentials obtained from a prior compromise or through some other means.
The final iteration deployed a persistent implant targeting a specific hostname called "prod-strapi" while facilitating ongoing credential theft through hard-coded path scanning and persistent reverse shells. As SafeDep noted, "the attacker started aggressively with Redis RCE and Docker escape, found those approaches were not working, pivoted to reconnaissance and data collection, used hardcoded credentials for direct database access, and finally settled on persistent access with targeted credential theft."
The focus on digital assets, combined with hard-coded database credentials and a specific target hostname, points strongly toward a targeted attack against a cryptocurrency platform rather than opportunistic spraying. Anyone who has installed any of these packages should assume complete system compromise and immediately rotate all credentials; given the crontab entries, uploads-directory web shells and host-side payloads described above, removing the package is not a cleanup, and affected hosts should be rebuilt.
This campaign joins a troubling wave of supply chain attacks hitting the open-source ecosystem. A GitHub account named "ezmtebo" has submitted over 256 pull requests across various repositories containing credential exfiltration payloads. A hijack of the verified "dev-protocol" GitHub organization distributed malicious Polymarket trading bots with typosquatted npm dependencies designed to steal wallet private keys and install SSH backdoors. The popular Emacs package "kubernetes-el/kubernetes-el" was compromised through a Pwn Request vulnerability in its GitHub Actions workflow. Multiple VS Code extensions from "IoliteLabs" targeting Solidity developers were updated after years of dormancy to deploy multi-stage backdoors.
Group-IB's February 2026 report declared software supply chain attacks "the dominant force reshaping the global cyber threat landscape." Threat actors are industrializing these compromises, turning them into what the firm describes as a "self-reinforcing" ecosystem that offers reach, speed, and stealth all at once.
The lesson here is one that security professionals have been shouting into the void for years: trust nothing implicitly. Verify package scopes. Check for missing metadata. Use lockfiles. Install with --ignore-scripts and enable hooks only for packages you have reviewed. Audit your dependencies. The attackers are betting you will not bother. Do not make their job easy.
References
- SafeDep Research: https://safedep.io/blog/strapi-npm-supply-chain-attack
- Group-IB Supply Chain Report: https://group-ib.com/reports/supply-chain-2026