36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Researchers discovered 36 malicious npm packages masquerading as Strapi v3 plugins that use postinstall scripts to exploit Redis and PostgreSQL, deploy reverse shells, harvest credentials, and install persistent implants. The packages, published by four sock-puppet accounts and named to mimic legitimate Strapi plugins, likely target cryptocurrency-related assets and include attempts to exfiltrate Guardarian data; affected users should assume compromise and rotate credentials. #Strapi #Guardarian

Keypoints

  • Thirty-six npm packages impersonated Strapi plugins and embedded malicious postinstall scripts that run automatically on npm install.
  • Payloads evolved from Redis RCE and Docker escape to reconnaissance, credential harvesting, PostgreSQL exploitation, and persistent implants.
  • Attackers used hard-coded credentials and targeted Strapi-specific tables and cryptocurrency-related data, including attempts to access Guardarian databases.
  • All packages followed a "strapi-plugin-" naming pattern, lacked legitimate metadata, and were uploaded by four sock-puppet accounts within 13 hours.
  • This campaign is part of a broader rise in supply chain attacks against package repositories and developer tooling; anyone who installed these packages should assume compromise and rotate credentials.

Read More: https://thehackernews.com/2026/04/36-malicious-npm-packages-exploited.html