36 Malicious npm Packages Disguised as Strapi Plugins Deploy Persistent Backdoors via Redis and PostgreSQL

Summary

Security researchers have uncovered a coordinated supply chain attack involving 36 malicious npm packages disguised as legitimate Strapi CMS plugins. The packages — named with patterns like “strapi-plugin-cron” and “strapi-plugin-database” — exploit Redis and PostgreSQL to deploy persistent implants, establish reverse shells, and steal credentials.

The attack is sophisticated and multi-staged. Packages use postinstall script hooks that execute automatically on npm install without user interaction. Payloads include Redis RCE exploitation via crontab injection, PostgreSQL credential harvesting targeting cryptocurrency-related data, and an 11-phase attack chain that exfiltrates .env files, Docker/Kubernetes secrets, private keys, and network topology before opening a full C2 channel.

Four sock-puppet npm accounts (umarbek1233, kekylf12, tikeqemif26, umar_bektembiev1) published the packages. All carry the same version number, 3.6.8, and lack descriptions or repository links — red flags that distinguish them from legitimate Strapi plugins scoped under @strapi/.

Source

Reported by The Hacker News. Technical analysis from SafeDep. Tracked as MAL-2026-2464.

Commentary

Coming on the heels of the Axios npm supply chain compromise just weeks ago, this is another reminder that the npm ecosystem remains the softest underbelly in modern software development. The targeting is specific — these aren’t spray-and-pray typosquats but packages tailored for Strapi deployments with known Redis/PostgreSQL backends.

The cryptocurrency-targeting payloads and hard-coded database names (like “Guardarian”) suggest this is financially motivated rather than nation-state activity. But the tradecraft is increasingly indistinguishable from state-backed operations. If your CI/CD pipeline runs npm install as root in Docker containers, you’re exactly the target profile. Lock down postinstall scripts, scope your dependencies, and audit anything without a repository link.