
36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers identified 36 malicious npm packages disguised as Strapi CMS plugins that execute automated payloads to harvest credentials, deploy reverse shells, and facilitate unauthorized database exploitation.

Key Points

  • The 36 malicious packages were uploaded by four sock puppet accounts over a 13-hour period to mimic legitimate Strapi v3 community plugins.
  • Malicious code is embedded in the postinstall script, which executes automatically during installation with the privileges of the user or CI/CD environment.
  • Payloads include Redis and PostgreSQL exploitation, Docker container escapes, and the exfiltration of environment variables, cryptographic keys, and cryptocurrency wallet files.
  • Researchers suspect the campaign specifically targeted cryptocurrency platforms, as evidenced by the focus on digital assets and hard-coded database credentials.
  • Affected users are advised to assume their systems are compromised and immediately rotate all credentials and secrets.

Why it Matters

This campaign highlights the growing risk of supply chain attacks in which malicious actors infiltrate open-source repositories to turn development pipelines into distribution channels for malware. Because the install scripts in these packages run automatically, with the privileges of whoever runs the install, they can grant attackers deep access to sensitive infrastructure, including cloud environments and production databases.
Published by info@thehackernews.com (The Hacker News)