Cybersecurity researchers discovered 36 malicious packages in the npm registry disguised as Strapi CMS plugins but with different payloads to facilitate exploitation of Redis and PostgreSQL, deploy reverse shells, harvest credentials, and drop persistent implants.
“Every package contains three files (package.json, index.js, postinstall.js), has no description, repository, or homepage, and uses version 3.6.8 to appear as a mature Strapi v3 community plugin,” SafeDep said.
All identified npm packages follow the same naming convention, starting with “strapi-plugin-” followed by phrases like “cron,” “database,” and “server” to trick unsuspecting developers into downloading them. Note that the official Strapi plugins are scoped under “@strapi/”.
Below are the packages uploaded over the course of 13 hours by four sock puppet accounts ‘umarbek1233’, ‘kekylf12’, ‘tikeqemif26’ and ‘umar_bektembiev1’.
strap i-plugin-chron strap i-plugin-configuration strap i-plugin-server strap i-plugin database strap i-plugin core strap i-plugin hook strap i-plugin-monitor strap i-plugin-event strap i-plugin-logger strap i-plugin health strap i-plugin sync strap i-plugin seed strap i-plugin locale strap i-plugin form Strapi-plugin notificationStrapi-plugin-API Strapi-plugin-sitemap-gen Strapi-plugin-nordica-tools Strapi-plugin-Nordica-sync Strapi-plugin-nordica-cms Strapi-plugin-Nordica-API Strapi-plugin-Nordica-Recon Strapi-plugin-Nordica-stage Strapi-plugin-Nordica-vhost Strapi-plugin-Nordica-deep Strapi-plugin-nordica-lite Strapi-plugin-Nordica Strapi-plugin-finseven Strapi-plugin-hextest Strapi-plugin-cms-tools Strapi-plugin-content-sync Strapi-plugin-debug-tools Strapi-plugin-health-check Strapi-plugin-guardarian-ext Strapi-plugin-advanced-uuid Strapi-plugin-blurhash
Analysis of the package revealed that the malicious code was embedded within a post-installation script hook and was executed by ‘npm install’ without requiring any user interaction. It runs with the same privileges as the installation user. This means abusing root access within CI/CD environments and Docker containers.
The evolution of the payloads distributed as part of the campaign is as follows:
Weaponize your locally accessible Redis instance for remote code execution by inserting a crontab (also known as cron table) entry to download and run a shell script from a remote server every minute. The shell script writes a PHP web shell and a Node.js reverse shell to Strapi’s public upload directory over SSH. It also scans disks for secrets (such as Elasticsearch and cryptocurrency wallet seed phrases) in an attempt to steal Guardian API modules. Combine the use of Redis and Docker container escape to write shell payloads to the host outside of the container. It also launches a Python reverse shell directly on port 4444 and writes a reverse shell trigger to the application’s node_modules directory via Redis. Deploy a reverse shell, create a shell downloader via Redis, and run the resulting file. Scans your system for environment variables and PostgreSQL database connection strings. Enhanced credential harvester and reconnaissance payload to collect environment dumps, Strapi configuration, Redis database extraction by running INFO, DBSIZE, and KEYS commands, network topology mapping, Docker/Kubernetes secrets, encryption keys, and cryptocurrency wallet files. Performs PostgreSQL database exploitation by connecting to the target PostgreSQL database using hard-coded credentials and querying Strapi-specific tables for secrets. It also dumps matching cryptocurrency-related patterns (wallets, transactions, deposits, withdrawals, hot, cold, balances, etc.) and attempts to connect to six Guardarian databases. This indicates that the threat actor already has data obtained through prior compromise or other means. Introduces a persistent implant designed to maintain remote access to a specific hostname (‘prod-strapi’). Facilitates credential theft by scanning hard-coded paths and generating persistent reverse shells.
“The eight payloads tell a clear story: the attackers started aggressively (Redis RCE, Docker escape), realized those approaches didn’t work, pivoted to reconnaissance and data collection, used hard-coded credentials for direct database access, and finally settled on persistent access through targeted credential theft,” SafeDep said.
The nature of the payload, combined with the focus on digital assets and the use of hard-coded database credentials and hostnames, raises the possibility that this campaign was a targeted attack against a cryptocurrency platform. Users who have installed any of the aforementioned packages are advised to assume a compromise and rotate all credentials.
This discovery coincides with the discovery of multiple supply chain attacks targeting the open source ecosystem.
A GitHub account named “ezmtebo” submitted over 256 pull requests containing credential exfiltration payloads to various open source repositories. “It steals secrets through CI logs and PR comments, injects a temporary workflow to dump secret values, autoapplies labels to bypass the pull_request_target gate, and runs a /proc scanner in the background for 10 minutes after the main script finishes,” SafeDep said. It hijacks the verified GitHub organization “dev-protocol” to distribute a malicious Polymarket trading bot with typosquatted npm dependencies (“ts-big” and “levex-refa” or “big-nunber” and “lint-builder”) to steal wallet private keys, extract sensitive files, and open an SSH backdoor on the victim’s machine. “levex-refa” acts as a credential stealer, while “lint-builder” installs an SSH backdoor. Both “ts-big” and “big-nunber” are designed to provide “levex-refa” and “lint-builder” respectively as transitive dependencies. Compromise of the popular Emacs package “kubernetes-el/kubernetes-el”. This package exploits the Pwn Request vulnerability in GitHub Actions workflows using the pull_request_target trigger to steal the repository’s GITHUB_TOKEN, extract CI/CD secrets, modify the repository, and inject destructive code to delete nearly all repository files. A legitimate “xygeni/xygeni-action” GitHub Actions workflow is compromised and a reverse shell backdoor is planted using stolen maintainer credentials. Xygeni has since implemented new security controls to address this incident. Compromise of legitimate npm package “mgc” through account hijacking. It pushes four malicious versions (1.2.1 to 1.2.4) containing dropper scripts that detect operating systems and retrieve platform-specific payloads (Python Trojan for Linux and PowerShell variant WAVESHAPER.V2 for Windows) from GitHub Gist. This attack directly overlaps with a recent supply chain attack targeting Axios that is believed to originate from the North Korean threat cluster tracked as UNC1069. The malicious npm package named ‘express-session-js’ contains a dropper that typesosquats ‘express-session’, retrieves the next stage remote access trojan (RAT) from JSON Keeper, and connects to ‘216.126.237’ to perform data theft and persistent access.[.]71” using the Socket.IO library. Compromise of the legitimate PyPI package “bittensor-wallet” (version 4.0.2) deploys a backdoor that is triggered during wallet decryption operations and uses HTTPS, DNS tunneling, and Raw TLS as extraction channels to extract wallet keys to hardcoded domains or domains created using a daily rotated domain generation algorithm (DGA). A malicious PyPI package named ‘pyronut’ typosquats ‘pyrogram’, a popular Python Telegram API framework, to embed a stealthy backdoor that is triggered every time the Telegram client starts, taking control of the Telegram session and the underlying host system. “This backdoor registers a hidden Telegram message handler that allows two hard-coded attacker-controlled accounts to execute arbitrary Python code. A set of three malicious Microsoft Visual Studio Code (VS Code) extensions (‘solidity-macos’, ‘solidity-windows’, and ‘solidity-linux’) published by ‘IoliteLabs’ were originally published in 2018. Dormant since 2017, but updated on March 25, 2026, multiple versions of the “KhangNghiem/fast-draft” VS Code extension on Open VSX that runs files hosted on GitHub with a multi-stage backdoor targeting Windows and macOS systems to establish persistence on application startup were installed a total of 27,500 times before being removed. Interestingly, versions 0.10.88, 0.10.111, and 0.10.129-135 were found to be clean versions for deploying the second stage Socket.IO RAT, information stealer, file extraction module, and 0.10.129-135. “This is not the release pattern you would expect from a single compromised build or a maintainer who has completely switched to malicious behavior.” Aikido said, “It looks like two competing release streams sharing the same publisher identity.”
Software supply chain attacks have become “the dominant force reshaping the global cyber threat landscape,” Group-IB said in a report published in February 2026, adding that threat actors are targeting trusted vendors, open source software, SaaS platforms, browser extensions, and managed service providers to gain inherited access to hundreds of downstream organizations.
Supply chain threats can rapidly escalate a single localized intrusion into one with large-scale impact across borders, with attackers industrializing supply chain compromises into “self-reinforcing” ecosystems with reach, speed, and stealth.
“Package repositories such as npm and PyPI have become prime targets for compromising widely used libraries, stealing maintainer credentials, and automated malware worms, turning development pipelines into large-scale distribution channels for malicious code,” Group-IB said.
Source link
