36 malicious npm packages abuse Redis and PostgreSQL to install persistent implants

Ravie Lakshmanan, 05 April 2026. Malware / DevSecOps

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but carry a variety of payloads designed to abuse Redis and PostgreSQL, spawn reverse shells, harvest data, and drop a persistent implant.

“Each package consists of three files (package.json, index.js, postinstall.js), has no description, repository, or home page, and uses version 3.6.8 to appear as a mature Strapi v3 public plugin,” SafeDep said.

All the identified npm packages follow the same naming convention, starting with “strapi-plugin-” followed by a term like “cron,” “database,” or “server” to trick unsuspecting developers into installing them. It’s worth noting that official Strapi plugins are published under the “@strapi/” scope.

The packages, uploaded by four accounts (“umarbek1233,” “kekylf12,” “tikeqemif26,” and “umar_bektembiev1”) over a period of 13 hours, are listed below –

  • strapi-plugin-cron
  • strapi-plugin-config
  • strapi-plugin-server
  • strapi-plugin-database
  • strapi-plugin-core
  • strapi-plugin-hook
  • strapi-plugin-monitor
  • strapi-plugin-events
  • strapi-plugin-logger
  • strapi-plugin-healthy
  • strapi-plugin-sync
  • strapi-plugin-seed
  • strapi-plugin-locale
  • strapi-plugin-form
  • strapi-plugin-notify
  • strapi-plugin-api
  • strapi-plugin-sitemap-gen
  • strapi-plugin-nordica-tools
  • strapi-plugin-nordica-sync
  • strapi-plugin-nordica-cms
  • strapi-plugin-nordica-api
  • strapi-plugin-nordica-recon
  • strapi-plugin-nordica-stage
  • strapi-plugin-nordica-vhost
  • strapi-plugin-nordica-deep
  • strapi-plugin-nordica-lite
  • strapi-plugin-nordica
  • strapi-plugin-finseven
  • strapi-plugin-hextest
  • strapi-plugin-cms-tools
  • strapi-plugin-content-sync
  • strapi-plugin-debug-tools
  • strapi-plugin-health-check
  • strapi-plugin-guardian-ext
  • strapi-plugin-advanced-uuid
  • strapi-plugin-blurhash

Package inspection reveals that the malicious code is embedded in the postinstall hook, which runs automatically during “npm install” without any user interaction. It executes with the same privileges as the installing user, which in CI/CD environments and Docker containers frequently means root.


The payloads distributed as part of the campaign are as follows –

  • Abuse a local Redis instance for remote code execution by installing a crontab (aka cron table) entry that downloads and executes a shell script from a remote server every minute. The shell script writes a PHP web shell and a Node.js reverse shell into Strapi’s public directory. It also attempts to scan the disk for secrets (for example, Elasticsearch secrets and cryptocurrency wallet seed phrases) and for a Guardarian API module.
  • Combine the Redis abuse with a Docker container escape to write shell payloads to the host outside the container. It also spawns a Python shell on port 4444 and writes a backdoor into the application’s node_modules directory via Redis.
  • Install a reverse shell, write a shell payload through Redis, and execute the resulting file.
  • Sweep the system for environment variables and PostgreSQL database connection strings.
  • Extended harvesting of environment variables, Strapi configuration, Redis database contents (using the INFO, DBSIZE, and KEYS commands), network topology, Docker/Kubernetes secrets, cryptographic keys, and cryptocurrency wallet files.
  • Connect to the target PostgreSQL database using hard-coded credentials and query specific Strapi tables for passwords. It also dumps tables related to cryptocurrency (for example, wallet, transaction, deposit, withdraw, hot, cold, and balance) and attempts to connect to six Guardarian databases. This indicates that the threat actor already possessed these details, obtained through a prior compromise or by other means.
  • Install a persistence mechanism designed to maintain remote access on a specific hostname (“prod-strapi”).
  • Facilitate credential theft by scanning hard-coded paths and dropping a persistent shell.

“The eight payloads show a clear progression: the attacker started aggressively (Redis RCE, Docker escape), found those methods ineffective, pivoted to reconnaissance and information gathering, used credentials for direct database access, and finally settled on persistent access with targeted credential theft,” SafeDep said.

The nature of the payloads, combined with the focus on digital assets, the use of hard-coded database credentials, and the specific hostname, raises the possibility that this campaign was a targeted attack against a cryptocurrency platform. Users who have installed any of the packages listed above are advised to consider their systems compromised and rotate all credentials.

The discovery coincides with a string of other supply chain attacks targeting the open source ecosystem –

  • A GitHub account named “ezmtebo” submitted more than 256 pull requests to various open source repositories carrying a malicious script payload. “It steals secrets via CI images and PR views, implements a temporary process to dump secret values, uses labels to get past pull_request_target gates, and runs a background scan of /proc for 10 minutes after the main script has run,” SafeDep said.
  • The hijacking of “dev-protocol,” a verified GitHub organization, to distribute Polymarket trading bots with typosquatted npm dependencies (“ts-big” and “levex-refa,” or “big-nunber” and “lint-builder”) that steal wallet private keys, backdoor SSH, and exfiltrate the victim’s files. While “levex-refa” functions as a stealer, “lint-builder” installs an SSH backdoor. Both “ts-big” and “big-nunber” are designed to pull in “levex-refa” and “lint-builder,” respectively, as transitive dependencies.
  • The compromise of a popular Emacs package, “kubernetes-el/kubernetes-el,” by exploiting a Pwn Request vulnerability in its GitHub Actions workflow (the pull_request_target trigger) to steal the repository’s GITHUB_TOKEN, dump CI/CD secrets, and corrupt and delete all repository files.
  • The compromise of the legitimate GitHub Action “xygeni/xygeni-action” using stolen maintainer credentials to plant a backdoor. Xygeni has since implemented new security measures in response to the incident.
  • The compromise of the legitimate npm package “mgc” via an account takeover to push four malicious versions (1.2.1 to 1.2.4) with a dropper script that detects the operating system and fetches a platform-specific payload – a Python trojan for Linux and a PowerShell variant for Windows called GiVHubSHAPER. The attack has been directly linked to a recent supply chain attack targeting Axios, carried out by a North Korean threat group tracked as UNC1069.
  • A malicious npm package called “express-session-js” typosquats “express-session” and contains a dropper that retrieves a remote access trojan (RAT) from JSON Keeper to carry out data theft and maintain persistent access by connecting to 216.126.237[.]71 using the Socket.IO library.
  • The compromise of the legitimate PyPI package “bittensor-wallet” (version 4.0.2) to install a backdoor that triggers during the wallet decryption process and exfiltrates wallet keys over HTTPS, DNS tunneling, and raw TLS to domains produced daily by a domain generation algorithm (DGA).
  • A malicious PyPI package called “pyronut” typosquats “pyrogram,” a well-known Python Telegram API framework, to install a backdoor that is triggered every time a Telegram client starts and seizes control of both the Telegram session and the underlying host. “The backdoor intercepts Telegram messages, allowing two attacker-controlled accounts to execute Python code (via the /e command and the meval library) and shell commands (via the /shell command and subprocess) on the victim’s machine,” Endor Labs said.
  • A set of three malicious extensions for Microsoft Visual Studio Code (VS Code) published by “IoliteLabs” – “solidity-macos,” “solidity-windows,” and “solidity-linux” – which had been dormant since 2018 but were updated on March 25, 2026, to kick off a multi-stage process that delivers malicious payloads. In total, the extensions had been installed 27,500 times before they were removed.
  • Multiple versions of the “KhangNghiem/fast-draft” VS Code extension on Open VSX (0.10.89, 0.10.105, 0.10.106, and 0.10.112) use a GitHub-hosted downloader to fetch a second-stage payload and retrieve the “clipta” Socket.IO RAT from a GitHub repository. Interestingly, versions 0.10.88, 0.10.111, and 0.10.129 to 0.10.135 were found to be clean. “That’s not the release pattern you expect from a single compromised build or a maintainer who has gone rogue,” Aikido said. “It looks like two competing release streams sharing the same publisher information.”

In a report published in January 2026, Group-IB said that software supply chain attacks have become “the main force changing the global cyber threat landscape,” adding that threat actors are targeting trusted vendors, open source software, SaaS platforms, browser extensions, and managed service providers to gain access to hundreds of downstream organizations at once.

A supply chain compromise can quickly escalate a single, localized intrusion into a high-impact, cross-border one, with attackers refining their supply chain tradecraft and turning it into a “self-hardening” environment, as it provides access, speed and stealth.

“Package repositories such as npm and PyPI have become prime targets, with stolen maintainer credentials and autonomous malware worms used to compromise widely used libraries – turning development pipelines into mass distribution channels for malicious code,” Group-IB said.
