36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant.

“Every package contains three files (package.json, index.js, postinstall.js), has no description, repository, or homepage, and uses version 3.6.8 to appear as a mature Strapi v3 community plugin,” SafeDep said.

All identified npm packages follow the same naming convention, starting with “strapi-plugin-” and then phrases like “cron,” “database,” or “server” to fool unsuspecting developers into downloading them. It’s worth noting that the official Strapi plugins are scoped under “@strapi/.”

The packages, uploaded by four sock puppet accounts “umarbek1233,” “kekylf12,” “tikeqemif26,” and “umar_bektembiev1” over a period of 13 hours, are listed below –

• strapi-plugin-cron
• strapi-plugin-config
• strapi-plugin-server
• strapi-plugin-database
• strapi-plugin-core
• strapi-plugin-hooks
• strapi-plugin-monitor
• strapi-plugin-events
• strapi-plugin-logger
• strapi-plugin-health
• strapi-plugin-sync
• strapi-plugin-seed
• strapi-plugin-locale
• strapi-plugin-form
• strapi-plugin-notify
• strapi-plugin-api
• strapi-plugin-sitemap-gen
• strapi-plugin-nordica-tools
• strapi-plugin-nordica-sync
• strapi-plugin-nordica-cms
• strapi-plugin-nordica-api
• strapi-plugin-nordica-recon
• strapi-plugin-nordica-stage
• strapi-plugin-nordica-vhost
• strapi-plugin-nordica-deep
• strapi-plugin-nordica-lite
• strapi-plugin-nordica
• strapi-plugin-finseven
• strapi-plugin-hextest
• strapi-plugin-cms-tools
• strapi-plugin-content-sync
• strapi-plugin-debug-tools
• strapi-plugin-health-check
• strapi-plugin-guardarian-ext
• strapi-plugin-advanced-uuid
• strapi-plugin-blurhash 

An analysis of the packages reveals that the malicious code is embedded within the postinstall script hook, which gets executed on “npm install” without requiring any user interaction. It runs with the same privileges as those of the installing user, meaning it abuses root access within CI/CD environments and Docker containers.

The evolution of the payloads distributed as part of the campaign is as follows –

• Weaponize a locally accessible Redis instance for remote code execution by injecting a crontab (aka cron table) entry to download and execute a shell script from a remote server every minute. The shell script writes a PHP web shell and Node.js reverse shell via SSH to Strapi’s public uploads directory. It also attempts to scan the disk for secrets (e.g., Elasticsearch and cryptocurrency wallet seed phrases) and exfiltrate a Guardarian API module.
• Combine Redis exploitation with Docker container escape to write shell payloads to the host outside the container. It also launches a direct Python reverse shell on port 4444 and writes a reverse shell trigger into the application’s node_modules directory via Redis.
• Deploy a reverse shell and write a shell downloader via Redis and execute the resulting file.
• Scan the system for environment variables and PostgreSQL database connection strings.
• An expanded credential harvester and reconnaissance payload to gather environment dumps, Strapi configurations, Redis database extraction by running the INFO, DBSIZE, and KEYS commands, network topology mapping, and Docker/Kubernetes secrets, cryptographic keys, and cryptocurrency wallet files.
• Conduct PostgreSQL database exploitation by connecting to the target’s PostgreSQL database using hard-coded credentials and querying Strapi-specific tables for secrets. It also dumps matching cryptocurrency-related patterns (e.g., wallet, transaction, deposit, withdraw, hot, cold, and balance) and attempts to connect to six Guardarian databases. This indicates that the threat actor is already in possession of the data, obtained either via a prior compromise or through some other means.
• Deploy a persistent implant designed to maintain remote access to a specific hostname (“prod-strapi”).
• Facilitate credential theft by scanning hard-coded paths and spawning a persistent reverse shell.

“The eight payloads show a clear narrative: the attacker started aggressively (Redis RCE, Docker escape), found those approaches weren’t working, pivoted to reconnaissance and data collection, used hardcoded credentials for direct database access, and finally settled on persistent access with targeted credential theft,” SafeDep said.

The nature of the payloads, combined with the focus on digital assets and the use of hard-coded database credentials and hostname, raises the possibility that the campaign was a targeted attack against a cryptocurrency platform. Users who have installed any of the aforementioned packages are advised to assume compromise and rotate all credentials.

The discovery coincides with the discovery of several supply chain attacks targeting the open-source ecosystem –

• A GitHub account named “ezmtebo” has submitted over 256 pull requests across various open-source repositories containing a credential exfiltration payload. “It steals secrets through CI logs and PR comments, injects temporary workflows to dump secret values, auto-applies labels to bypass pull_request_target gates, and runs a background /proc scanner for 10 minutes after the main script exits,” SafeDep said.
• A hijack of “dev-protocol,” a verified GitHub organization, to distribute malicious Polymarket trading bots with typosquatted npm dependencies (“ts-bign” and “levex-refa” or “big-nunber” and “lint-builder”) that steal wallet private keys, exfiltrate sensitive files, and open an SSH backdoor on the victim’s machine. While “levex-refa” functions as a credential stealer, “lint-builder” installs the SSH backdoor. Both “ts-bign” and “big-nunber” are designed to deliver “levex-refa” and “lint-builder,” respectively, as a transitive dependency.
• A compromise of the popular Emacs package, “kubernetes-el/kubernetes-el,” that exploited the Pwn Request vulnerability in its GitHub Actions workflow by using the pull_request_target trigger to steal the repository’s GITHUB_TOKEN, exfiltrate CI/CD secrets, deface the repository, and inject destructive code to delete nearly all repository files.
• A compromise of the legitimate “xygeni/xygeni-action” GitHub Actions workflow using stolen maintainer credentials to plant a reverse shell backdoor. Xygeni has since implemented new security controls to address the incident.
• A compromise of the legitimate npm package, “mgc,” by means of an account takeover to push four malicious versions (1.2.1 through 1.2.4) containing a dropper script that detects the operating system and fetches a platform-specific payload – a Python trojan for Linux and a PowerShell variant for Windows called WAVESHAPER.V2 – from a GitHub Gist. The attack shares direct overlap with the recent supply chain attack targeting Axios, which has been attributed to a North Korean threat cluster tracked as UNC1069.
• A malicious npm package named “express-session-js” that typosquats “express-session” and contains a dropper that retrieves a next-stage remote access trojan (RAT) from JSON Keeper to conduct data theft and persistent access by connecting to “216.126.237[.]71” using the Socket.IO library.
• A compromise of the legitimate PyPI package, “bittensor-wallet” (version 4.0.2), to deploy a backdoor that’s triggered during a wallet decryption operation to exfiltrate wallet keys using HTTPS, DNS tunneling, and Raw TLS as exfiltration channels to either a hard-coded domain or one created using a Domain Generation Algorithm (DGA) that’s rotated daily.
• A malicious PyPI package named “pyronut” that typosquats “pyrogram,” a popular Python Telegram API framework, to embed a stealthy backdoor that’s triggered every time a Telegram client starts and seize control of the Telegram session and the underlying host system. “The backdoor registers hidden Telegram message handlers that allow two hardcoded attacker-controlled accounts to execute arbitrary Python code (via the /e command and the meval library) and arbitrary shell commands (via the /shell command and subprocess) on the victim’s machine,” Endor Labs said.
• A set of three malicious Microsoft Visual Studio Code (VS Code) extensions published by “IoliteLabs” – “solidity-macos,” “solidity-windows,” and “solidity-linux” – that were originally dormant since 2018 but were updated on March 25, 2026, to launch a multi-stage backdoor targeting Windows and macOS systems upon launching the application to establish persistence. Collectively, the extensions had 27,500 installs prior to them being removed.
• Multiple versions of the “KhangNghiem/fast-draft” VS Code extension on Open VSX (0.10.89, 0.10.105, 0.10.106, and 0.10.112) that execute a GitHub-hosted downloader to deploy a second-stage Socket.IO RAT, an information stealer, a file exfiltration module, and a clipboard monitor from a GitHub repository. Interestingly, versions 0.10.88, 0.10.111, and 0.10.129-135 have been found to be clean. “That is not the release pattern you expect from a single compromised build or a maintainer who has fully switched to malicious behavior,” Aikido said. “It looks more like two competing release streams sharing the same publisher identity.”