thehackernews.com 4/5/2026, 5:50:56 AM · via preferred

Malicious npm Packages Pose as Strapi Plugins to Steal Data

Primary source: safedep.io

Cybersecurity researchers have identified 36 malicious npm packages masquerading as Strapi CMS plugins, each carrying payloads to exploit Redis and PostgreSQL, deploy reverse shells, harvest credentials, and drop a persistent implant. SafeDep said the packages share a three‑file structure (package.json, index.js, postinstall.js), lack description or homepage metadata, and use version 3.6.8 to appear as mature Strapi v3 plugins, with names starting “strapi-plugin-” followed by words such as cron or database.

The packages were uploaded by four sock‑puppet accounts—umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1—over about 13 hours, and include names such as strapi-plugin-cron, strapi-plugin-config, strapi-plugin-server, and strapi-plugin-database, among others.

An analysis showed that the malicious code runs from the postinstall script during npm install, with the same privileges as the installing user, which also makes containers and CI/CD runners viable targets. The payloads progress from Redis RCE and Docker escape to broader data harvesting and a targeted persistent‑access campaign.

The researchers noted the operation appears aimed at cryptocurrency platforms, and SafeDep urged users to assume compromise and rotate credentials if any of the affected packages were installed, while Group-IB’s findings highlighted npm and PyPI as prime supply‑chain attack targets. According to SafeDep, the eight payloads tell a narrative of escalating access tactics leading to persistent, hostname‑specific implants designed to maintain remote access.


Article by CyberSIXT