{"id":495,"date":"2026-04-05T05:51:57","date_gmt":"2026-04-05T05:51:57","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=495"},"modified":"2026-04-05T05:51:57","modified_gmt":"2026-04-05T05:51:57","slug":"36-malicious-npm-packages-exploited-redis-postgresql-to-deploy-persistent-implants","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=495","title":{"rendered":"36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 05, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ DevSecOps<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant.<\/p>\n<p>\u00abEvery package contains three files (package.json, index.js, postinstall.js), has no description, repository, or homepage, and uses version 3.6.8 to appear as a mature Strapi v3 community plugin,\u00bb SafeDep <a href=\"https:\/\/safedep.io\/malicious-npm-strapi-plugin-events-c2-agent\/\">said<\/a>.<\/p>\n<p>All identified npm packages follow the same naming convention, starting with \u00abstrapi-plugin-\u00bb and then 
phrases like \u00abcron,\u00bb \u00abdatabase,\u00bb or \u00abserver\u00bb to fool unsuspecting developers into downloading them. It&#8217;s worth noting that the official Strapi plugins are scoped under \u00ab@strapi\/.\u00bb<\/p>\n<p>The packages, uploaded by four sock puppet accounts \u00abumarbek1233,\u00bb \u00abkekylf12,\u00bb \u00abtikeqemif26,\u00bb and \u00abumar_bektembiev1\u00bb over a period of 13 hours, are listed below &#8211;<\/p>\n<ul>\n<li>strapi-plugin-cron<\/li>\n<li>strapi-plugin-config<\/li>\n<li>strapi-plugin-server<\/li>\n<li>strapi-plugin-database<\/li>\n<li>strapi-plugin-core<\/li>\n<li>strapi-plugin-hooks<\/li>\n<li>strapi-plugin-monitor<\/li>\n<li>strapi-plugin-events<\/li>\n<li>strapi-plugin-logger<\/li>\n<li>strapi-plugin-health<\/li>\n<li>strapi-plugin-sync<\/li>\n<li>strapi-plugin-seed<\/li>\n<li>strapi-plugin-locale<\/li>\n<li>strapi-plugin-form<\/li>\n<li>strapi-plugin-notify<\/li>\n<li>strapi-plugin-api<\/li>\n<li>strapi-plugin-sitemap-gen<\/li>\n<li>strapi-plugin-nordica-tools<\/li>\n<li>strapi-plugin-nordica-sync<\/li>\n<li>strapi-plugin-nordica-cms<\/li>\n<li>strapi-plugin-nordica-api<\/li>\n<li>strapi-plugin-nordica-recon<\/li>\n<li>strapi-plugin-nordica-stage<\/li>\n<li>strapi-plugin-nordica-vhost<\/li>\n<li>strapi-plugin-nordica-deep<\/li>\n<li>strapi-plugin-nordica-lite<\/li>\n<li>strapi-plugin-nordica<\/li>\n<li>strapi-plugin-finseven<\/li>\n<li>strapi-plugin-hextest<\/li>\n<li>strapi-plugin-cms-tools<\/li>\n<li>strapi-plugin-content-sync<\/li>\n<li>strapi-plugin-debug-tools<\/li>\n<li>strapi-plugin-health-check<\/li>\n<li>strapi-plugin-guardarian-ext<\/li>\n<li>strapi-plugin-advanced-uuid<\/li>\n<li>strapi-plugin-blurhash<\/li>\n<\/ul>\n<p>An analysis of the packages reveals that the malicious code is embedded within the postinstall script hook, which gets executed on \u00abnpm install\u00bb without requiring any user interaction. 
It runs with the same privileges as the installing user, so wherever installs run as root, as is common in CI\/CD environments and Docker containers, the payload runs as root too.<\/p>\n<p>The evolution of the payloads distributed as part of the campaign is as follows &#8211;<\/p>\n<ul>\n<li>Weaponize a locally accessible Redis instance for remote code execution by injecting a crontab (aka cron table) entry to download and execute a shell script from a remote server every minute. The shell script writes a PHP web shell and Node.js reverse shell via SSH to Strapi&#8217;s public uploads directory. It also attempts to scan the disk for secrets (e.g., Elasticsearch and cryptocurrency wallet seed phrases) and exfiltrate a Guardarian API module.<\/li>\n<li>Combine Redis exploitation with Docker container escape to write shell payloads to the host outside the container. 
It also launches a direct Python reverse shell on port 4444 and writes a reverse shell trigger into the application\u2019s node_modules directory via Redis.<\/li>\n<li>Deploy a reverse shell and write a shell downloader via Redis, then execute the resulting file.<\/li>\n<li>Scan the system for environment variables and PostgreSQL database connection strings.<\/li>\n<li>Run an expanded credential harvester and reconnaissance payload that gathers environment dumps and Strapi configurations, extracts Redis databases by running the INFO, DBSIZE, and KEYS commands, maps the network topology, and collects Docker\/Kubernetes secrets, cryptographic keys, and cryptocurrency wallet files.<\/li>\n<li>Conduct PostgreSQL database exploitation by connecting to the target&#8217;s PostgreSQL database using hard-coded credentials and querying Strapi-specific tables for secrets. It also dumps data matching cryptocurrency-related patterns (e.g., wallet, transaction, deposit, withdraw, hot, cold, and balance) and attempts to connect to six Guardarian databases. 
This indicates that the threat actor already possessed these database credentials, obtained either via a prior compromise or through some other means.<\/li>\n<li>Deploy a persistent implant designed to maintain remote access to a specific hostname (\u00abprod-strapi\u00bb).<\/li>\n<li>Facilitate credential theft by scanning hard-coded paths and spawning a persistent reverse shell.<\/li>\n<\/ul>\n<p>\u00abThe eight payloads show a clear narrative: the attacker started aggressively (Redis RCE, Docker escape), found those approaches weren&#8217;t working, pivoted to reconnaissance and data collection, used hardcoded credentials for direct database access, and finally settled on persistent access with targeted credential theft,\u00bb SafeDep said.<\/p>\n<p>The nature of the payloads, combined with the focus on digital assets and the use of hard-coded database credentials and a hard-coded hostname, raises the possibility that the campaign was a targeted attack against a cryptocurrency platform. Users who have installed any of the aforementioned packages are advised to assume compromise and rotate all credentials.<\/p>\n<p>The discovery coincides with reports of several other supply chain attacks targeting the open-source ecosystem &#8211;<\/p>\n<ul>\n<li>A GitHub account named \u00ab<a href=\"https:\/\/safedep.io\/prt-scan-github-actions-exfiltration-campaign\/\">ezmtebo<\/a>\u00bb has submitted over 256 pull requests across various open-source repositories containing a credential exfiltration payload. 
\u00abIt steals secrets through CI logs and PR comments, injects temporary workflows to dump secret values, auto-applies labels to bypass pull_request_target gates, and runs a background \/proc scanner for 10 minutes after the main script exits,\u00bb SafeDep said.<\/li>\n<li>A hijack of \u00ab<a href=\"https:\/\/www.stepsecurity.io\/blog\/malicious-polymarket-bot-hides-in-hijacked-dev-protocol-github-org-and-steals-wallet-keys\">dev-protocol<\/a>,\u00bb a verified GitHub organization, to distribute malicious Polymarket trading bots with typosquatted npm dependencies (\u00abts-bign\u00bb and \u00ablevex-refa\u00bb or \u00abbig-nunber\u00bb and \u00ablint-builder\u00bb) that steal wallet private keys, exfiltrate sensitive files, and open an SSH backdoor on the victim&#8217;s machine. While\u00a0\u00ablevex-refa\u00bb functions as a credential stealer, \u00ablint-builder\u00bb installs the SSH backdoor. Both\u00a0\u00abts-bign\u00bb and \u00abbig-nunber\u00bb are designed to deliver \u00ablevex-refa\u00bb and \u00ablint-builder,\u00bb respectively, as a transitive dependency.<\/li>\n<li>A compromise of the popular Emacs package, \u00ab<a href=\"https:\/\/www.stepsecurity.io\/blog\/kubernetes-el-compromised-how-a-pwn-request-exploited-a-popular-emacs-package\">kubernetes-el\/kubernetes-el<\/a>,\u00bb that exploited the Pwn Request vulnerability in its GitHub Actions workflow by using the pull_request_target trigger to steal the repository&#8217;s GITHUB_TOKEN, exfiltrate CI\/CD secrets, deface the repository, and inject destructive code to delete nearly all repository files.<\/li>\n<li>A compromise of the legitimate \u00ab<a href=\"https:\/\/www.stepsecurity.io\/blog\/xygeni-action-compromised-c2-reverse-shell-backdoor-injected-via-tag-poisoning\">xygeni\/xygeni-action<\/a>\u00bb GitHub Actions workflow using stolen maintainer credentials to plant a reverse shell backdoor. 
Xygeni\u00a0has since <a href=\"https:\/\/xygeni.io\/blog\/security-incident-report-xygeni-action-github-action-compromise\/\">implemented new security controls<\/a> to address the incident.<\/li>\n<li>A compromise of the legitimate npm package, \u00ab<a href=\"https:\/\/safedep.io\/malicious-npm-mgc-compromised-rat\/\">mgc<\/a>,\u00bb by means of an account takeover to push four malicious versions (1.2.1\u00a0through 1.2.4) containing a dropper script that detects the operating system and fetches a platform-specific payload \u2013 a Python trojan for Linux and a PowerShell variant for Windows called WAVESHAPER.V2\u00a0\u2013 from a GitHub Gist. The\u00a0attack shares direct overlap with the recent supply chain attack targeting Axios, which has been attributed to a North Korean threat cluster tracked as UNC1069.<\/li>\n<li>A malicious npm package named \u00ab<a href=\"https:\/\/safedep.io\/malicious-npm-package-express-session-js\/\">express-session-js<\/a>\u00bb that typosquats \u00abexpress-session\u00bb and contains a dropper that retrieves a next-stage remote access trojan (RAT) from JSON Keeper to conduct data theft and persistent access by connecting to \u00ab216.126.237[.]71\u00bb using the Socket.IO\u00a0library.<\/li>\n<li>A compromise of the legitimate PyPI package, \u00ab<a href=\"https:\/\/www.stepsecurity.io\/blog\/bittensor-wallet-4-0-2-compromised-on-pypi---backdoor-exfiltrates-private-keys\">bittensor-wallet<\/a>\u00bb (version 4.0.2), to deploy a backdoor that&#8217;s triggered during a wallet decryption operation to exfiltrate wallet keys using HTTPS, DNS tunneling, and Raw TLS as exfiltration channels to either a hard-coded domain or one created using a Domain Generation Algorithm (DGA) that&#8217;s rotated daily.<\/li>\n<li>A malicious PyPI package named \u00ab<a href=\"https:\/\/www.endorlabs.com\/learn\/malicious-pyronut-package-backdoors-telegram-bots-with-remote-code-execution\">pyronut<\/a>\u00bb that typosquats \u00abpyrogram,\u00bb a 
popular Python Telegram API framework, to embed a stealthy backdoor that&#8217;s triggered every time a Telegram client starts and seize control of the Telegram session and the underlying host system. \u00abThe backdoor registers hidden Telegram message handlers that allow two hardcoded attacker-controlled accounts to execute arbitrary Python code (via the \/e command and the meval library) and arbitrary shell commands (via the \/shell command and subprocess) on the victim&#8217;s machine,\u00bb Endor Labs said.<\/li>\n<li>A set of three malicious Microsoft Visual Studio Code (VS Code) extensions published by \u00ab<a href=\"https:\/\/www.stepsecurity.io\/blog\/malicious-iolitelabs-vscode-extensions-target-solidity-developers-on-windows-macos-and-linux-with-backdoor\">IoliteLabs<\/a>\u00bb \u2013 \u00absolidity-macos,\u00bb \u00absolidity-windows,\u00bb and \u00absolidity-linux\u00bb \u2013 that were originally dormant since 2018 but were updated on March 25, 2026, to launch a multi-stage backdoor targeting Windows and macOS systems upon launching the application to establish persistence. Collectively, the extensions had 27,500 installs prior to them being removed.<\/li>\n<li>Multiple versions of the \u00ab<a href=\"https:\/\/www.aikido.dev\/blog\/fast-draft-open-vsx-bloktrooper\">KhangNghiem\/fast-draft<\/a>\u00bb VS Code extension on Open VSX (0.10.89, 0.10.105, 0.10.106, and 0.10.112) that execute a GitHub-hosted downloader to deploy a second-stage Socket.IO\u00a0RAT, an information stealer, a file exfiltration module, and a clipboard monitor from a GitHub repository. Interestingly, versions 0.10.88, 0.10.111, and 0.10.129-135 have been found to be clean. \u00abThat is not the release pattern you expect from a single compromised build or a maintainer who has fully switched to malicious behavior,\u00bb Aikido said. 
\u00abIt looks more like two competing release streams sharing the same publisher identity.\u00bb<\/li>\n<\/ul>\n<p>In a report published in February 2026, Group-IB revealed that software supply chain attacks have become \u00abthe dominant force reshaping the global cyber threat landscape,\u00bb adding that threat actors are going after trusted vendors, open-source software, SaaS platforms, browser extensions, and managed service providers to gain inherited access to hundreds of downstream organizations.<\/p>\n<p>Supply chain compromise can rapidly escalate a single localized intrusion into one with large-scale, cross-border impact, and attackers are industrializing it into a \u00abself-reinforcing\u00bb ecosystem because it offers reach, speed, and stealth.<\/p>\n<p>\u00abPackage repositories such as npm and PyPI have become prime targets, stolen maintainer credentials, and automated malware worms to compromise widely used libraries \u2013 turning development pipelines into large-scale distribution channels for malicious code,\u00bb Group-IB <a href=\"https:\/\/www.group-ib.com\/media-center\/press-releases\/htct-2026-supply-chain\/\">said<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan Apr 05, 2026 Malware \/ DevSecOps Cybersecurity researchers 
have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to&hellip;<\/p>\n","protected":false},"author":1,"featured_media":496,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[229,128,502,33,39,35,646,1074,1073],"class_list":["post-495","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-deploy","tag-exploited","tag-implants","tag-malicious","tag-npm","tag-packages","tag-persistent","tag-postgresql","tag-redis"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/495","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=495"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/495\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/496"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=495"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}