Critical Vulnerabilities

36 Malicious npm Packages Disguised as Strapi Plugins Deployed Backdoors and Stole Credentials

SafeDep researchers identified 36 fake npm packages mimicking legitimate Strapi CMS plugins to exploit Redis and PostgreSQL, install persistent implants, and steal credentials, crypto wallet keys, and CI/CD secrets.


By Titan Layer Editorial Team

Published on April 5, 2026


SafeDep researchers discovered 36 malicious packages in the npm registry disguised as Strapi CMS community plugins. The campaign combined Redis and PostgreSQL exploitation, Docker container escape, persistent implant installation, and theft of credentials, CI/CD secrets, and cryptocurrency wallet keys.

All packages follow the same naming pattern: "strapi-plugin-" followed by a common term such as "cron", "database", "server", or "health". The critical detail is that official Strapi plugins use the "@strapi/" scope, while the malicious packages have no scope. The difference is a single character, and it's easy to miss. The packages were uploaded by four sock puppet accounts within a window of just 13 hours, indicating deliberate coordination to maximize downloads before detection.

## How the Attack Works

The malicious code is embedded in the postinstall script, which executes automatically on "npm install" with no user interaction required. It runs with the same privileges as the installing user, which in CI/CD pipelines and Docker containers frequently means root.

The campaign evolved through at least eight payload variants, revealing an adaptive strategy. Early versions weaponized locally accessible Redis instances for remote code execution by injecting crontab entries that downloaded and executed shell scripts every minute. Later variants combined Redis exploitation with Docker container escape to write payloads directly to the host, launched Python reverse shells on port 4444, and pivoted to reconnaissance when the aggressive approaches failed.

The most revealing phase was direct PostgreSQL exploitation: hard-coded credentials were used to access Strapi-specific tables and extract cryptocurrency-related patterns. The use of hard-coded credentials suggests the attackers already had prior access to the target's data, raising the possibility that this was a targeted attack against a specific cryptocurrency platform rather than a broad opportunistic operation.
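As an added example (not code from the article, SafeDep or Strapi), the following Node.js check lets a defender inventory a project's installed packages and surface the two signals described above: the unscoped "strapi-plugin-*" naming and a declared install-time lifecycle script. The sample inventory is constructed, and the readInventory helper, its directory layout handling, and all version numbers are assumptions.

```javascript
// Added example, not code from the article, SafeDep or Strapi. Flags installed
// packages that use the unscoped "strapi-plugin-*" naming the article describes
// and reports whether each declares an install-time lifecycle script (the hook
// that carried the payload). Only the "@strapi/" scope is treated as official.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// packages: { [name]: { version: string, scripts?: { [hook]: string } } }
function auditStrapiPlugins(packages) {
  const findings = [];
  for (const [name, meta] of Object.entries(packages)) {
    const official = name.startsWith("@strapi/");
    const lookalike = /^strapi-plugin-/.test(name);
    if (!official && !lookalike) continue;
    const scripts = (meta && meta.scripts) || {};
    const hooks = INSTALL_HOOKS.filter((h) => h in scripts);
    if (official && hooks.length === 0) continue; // official and inert: nothing to review
    // An unscoped lookalike that runs code on install is exactly the article's pattern.
    const severity = lookalike && hooks.length ? "high" : hooks.length ? "medium" : "low";
    findings.push({ name, version: meta.version, lookalike, hooks, severity });
  }
  const rank = { high: 0, medium: 1, low: 2 };
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity] || a.name.localeCompare(b.name));
}

// Builds the inventory from a real node_modules tree (top-level and @scoped dirs).
function readInventory(nodeModulesDir) {
  const fs = require("fs"), path = require("path");
  const packages = {};
  const visit = (dir, prefix) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      if (!entry.isDirectory()) continue;
      if (!prefix && entry.name.startsWith("@")) { visit(path.join(dir, entry.name), entry.name + "/"); continue; }
      const pj = path.join(dir, entry.name, "package.json");
      if (!fs.existsSync(pj)) continue;
      const { version, scripts } = JSON.parse(fs.readFileSync(pj, "utf8"));
      packages[prefix + entry.name] = { version, scripts };
    }
  };
  visit(nodeModulesDir, "");
  return packages;
}

// Constructed sample inventory; names follow the article's pattern, versions
// and script contents are made up for illustration.
const SAMPLE_INVENTORY = {
  "@strapi/plugin-users-permissions": { version: "5.0.0" },
  "strapi-plugin-cron": { version: "1.0.3", scripts: { postinstall: "node setup.js" } },
  "strapi-plugin-health": { version: "0.0.2" },
  lodash: { version: "4.17.21" },
};
```

Run `auditStrapiPlugins(readInventory("node_modules"))` in a project to get the ranked list; a "high" finding is a package to pull from the lockfile and review, not proof of compromise on its own.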
The discovery coincides with multiple other supply chain attacks: 256+ malicious pull requests from a single GitHub account, compromised npm and PyPI packages attributed to North Korean threat cluster UNC1069, and dormant VS Code extensions updated with multi-stage backdoors. Group-IB's February 2026 report described supply chain attacks as "the dominant force reshaping the global cyber threat landscape." Anyone who installed any of the 36 packages should assume compromise and rotate all credentials immediately.

Article information

Content type: Curated summary and editorial analysis

Tags: npm, supply chain, strapi, redis, postgresql, malware, CI/CD, cryptocurrency, SafeDep, TeamPCP
