{"id":202356,"date":"2026-04-05T01:07:00","date_gmt":"2026-04-05T05:07:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/05\/36-malicious-npm-packages-exploited-redis-postgresql-to-deploy-persistent-implants\/"},"modified":"2026-04-05T05:30:13","modified_gmt":"2026-04-05T09:30:13","slug":"36-malicious-npm-packages-exploited-redis-postgresql-to-deploy-persistent-implants","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/05\/36-malicious-npm-packages-exploited-redis-postgresql-to-deploy-persistent-implants\/","title":{"rendered":"36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants"},"content":{"rendered":"

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/04\/36-malicious-npm-packages-exploited.html<\/a><\/p>\n

Publish Date: 2026-04-05 01:07:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points.
\n\ue804Ravie Lakshmanan\ue802Apr 05, 2026Malware \/ DevSecOps
\nCybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent\u00a0implant.
\n“Every package contains three files (package.json, index.js, postinstall.js), has no description, repository, or homepage, and uses version 3.6.8\u00a0to appear as a mature Strapi v3 community plugin,”\u00a0SafeDep said.
\nAll\u00a0identified npm packages follow the same naming convention, starting with “strapi-plugin-” and then phrases like “cron,” “database,” or “server” to fool unsuspecting developers into downloading them. It’s worth noting that the official Strapi plugins are scoped under “@strapi\/.”
\nThe\u00a0packages, uploaded by four sock puppet accounts “umarbek1233,” “kekylf12,” “tikeqemif26,” and “umar_bektembiev1” over a period of 13 hours, are listed below\u00a0–<\/p>\n

strapi-plugin-cron
\nstrapi-plugin-config
\nstrapi-plugin-server
\nstrapi-plugin-database
\nstrapi-plugin-core
\nstrapi-plugin-hooks
\nstrapi-plugin-monitor
\nstrapi-plugin-events
\nstrapi-plugin-logger
\nstrapi-plugin-health
\nstrapi-plugin-sync
\nstrapi-plugin-seed
\nstrapi-plugin-locale
\nstrapi-plugin-form
\nstrapi-plugin-notify
\nstrapi-plugin-api
\nstrapi-plugin-sitemap-gen
\nstrapi-plugin-nordica-tools
\nstrapi-plugin-nordica-sync
\nstrapi-plugin-nordica-cms
\nstrapi-plugin-nordica-api
\nstrapi-plugin-nordica-recon
\nstrapi-plugin-nordica-stage
\nstrapi-plugin-nordica-vhost
\nstrapi-plugin-nordica-deep
\nstrapi-plugin-nordica-lite
\nstrapi-plugin-nordica
\nstrapi-plugin-finseven
\nstrapi-plugin-hextest
\nstrapi-plugin-cms-tools
\nstrapi-plugin-content-sync
\nstrapi-plugin-debug-tools
\nstrapi-plugin-health-check
\nstrapi-plugin-guardarian-ext
\nstrapi-plugin-advanced-uuid
\nstrapi-plugin-blurhash\u00a0<\/p>\n

An\u00a0analysis of the packages reveals that the malicious code is embedded within the postinstall script hook, which gets executed on “npm install” without requiring any user interaction. It\u00a0runs with the same privileges as those of the installing user, meaning it abuses root access within CI\/CD environments and Docker containers.<\/p>\n

The\u00a0evolution of the payloads distributed as part of the campaign is as follows\u00a0–<\/p>\n

Weaponize a locally accessible Redis instance for remote code execution by injecting a crontab (aka cron table) entry to download and execute a shell script from a remote server every minute. The\u00a0shell script writes a PHP web shell and Node.js\u00a0reverse shell via SSH to Strapi’s public uploads directory. It\u00a0also attempts to scan the disk for secrets (e.g., Elasticsearch and cryptocurrency wallet seed phrases) and exfiltrate a Guardarian API module.
\nCombine Redis exploitation with Docker container escape to write shell payloads to the host outside the container. It\u00a0also launches a direct Python reverse shell on port 4444 and writes a reverse shell trigger into the application\u2019s node_modules directory via Redis.
\nDeploy a reverse shell and write a shell downloader via Redis and execute the resulting file.
\nScan the system for environment variables and PostgreSQL database connection strings.
\nAn expanded credential harvester and reconnaissance payload to gather environment dumps, Strapi configurations, Redis database extraction by running the INFO, DBSIZE, and KEYS commands, network topology mapping, and Docker\/Kubernetes secrets, cryptographic keys, and cryptocurrency wallet files.
\nConduct PostgreSQL database exploitation by connecting to the target’s PostgreSQL database using hard-coded credentials and querying Strapi-specific tables for secrets. It\u00a0also dumps matching cryptocurrency-related patterns (e.g., wallet, transaction, deposit, withdraw, hot, cold, and balance) and attempts to connect to six Guardarian databases. This\u00a0indicates that the threat actor is already in possession of the data, obtained either via a prior compromise or through some other means.
\nDeploy a persistent implant designed to maintain remote access to a specific hostname (“prod-strapi”).
\nFacilitate credential theft by scanning hard-coded paths and spawning a persistent reverse shell.<\/p>\n

“The eight payloads show a clear narrative: the attacker started aggressively (Redis RCE, Docker escape), found those approaches weren’t working, pivoted to reconnaissance and data collection, used hardcoded credentials for direct database access, and finally settled on persistent access with targeted credential theft,” SafeDep\u00a0said.
\nThe\u00a0nature of the payloads, combined with the focus on digital assets and the use of hard-coded database credentials and hostname, raises the possibility that the campaign was a targeted attack against a cryptocurrency platform. Users\u00a0who have installed any of the aforementioned packages are advised to assume compromise and rotate all credentials.
\nThe\u00a0discovery coincides with the discovery of several supply chain attacks targeting the open-source ecosystem\u00a0–<\/p>\n

A GitHub account named “ezmtebo” has submitted over 256 pull requests across various open-source repositories containing a credential exfiltration payload. “It steals secrets through CI logs and PR comments, injects temporary workflows to dump secret values, auto-applies labels to bypass pull_request_target gates, and runs a background \/proc scanner for 10 minutes after the main script exits,” SafeDep said.
\nA hijack of “dev-protocol,” a verified GitHub organization, to distribute malicious Polymarket trading bots with typosquatted npm dependencies (“ts-bign” and “levex-refa” or “big-nunber” and “lint-builder”) that steal wallet private keys, exfiltrate sensitive files, and open an SSH backdoor on the victim’s machine. While\u00a0“levex-refa” functions as a credential stealer, “lint-builder” installs the SSH backdoor. Both\u00a0“ts-bign” and “big-nunber” are designed to deliver “levex-refa” and “lint-builder,” respectively, as a transitive dependency.
\nA compromise of the popular Emacs package, “kubernetes-el\/kubernetes-el,” that exploited the Pwn Request vulnerability in its GitHub Actions workflow by using the pull_request_target trigger to steal the repository’s GITHUB_TOKEN, exfiltrate CI\/CD secrets, deface the repository, and inject destructive code to delete nearly all repository files.
\nA compromise of the legitimate “xygeni\/xygeni-action” GitHub Actions workflow using stolen maintainer credentials to plant a reverse shell backdoor. Xygeni\u00a0has since implemented new security controls to address the incident.
\nA compromise of the legitimate npm package, “mgc,” by means of an account takeover to push four malicious versions (1.2.1\u00a0through 1.2.4) containing a dropper script that detects the operating system and fetches a platform-specific payload \u2013 a Python trojan for Linux and a PowerShell variant for Windows called WAVESHAPER.V2\u00a0\u2013 from a GitHub Gist. The\u00a0attack shares direct overlap with the recent supply chain attack targeting Axios, which has been attributed to a North Korean threat cluster tracked as UNC1069.
\nA malicious npm package named “express-session-js” that typosquats “express-session” and contains a dropper that retrieves a next-stage remote access trojan (RAT) from JSON Keeper to conduct data theft and persistent access by connecting to “216.126.237[.]71” using the Socket.IO\u00a0library.
\nA compromise of the legitimate PyPI package, “bittensor-wallet” (version 4.0.2), to deploy a backdoor that’s triggered during a wallet decryption operation to exfiltrate wallet keys using HTTPS, DNS tunneling, and Raw TLS as exfiltration channels to either a hard-coded domain or one created using a Domain Generation Algorithm (DGA) that’s rotated daily.
\nA malicious PyPI package named “pyronut” that typosquats “pyrogram,” a popular Python Telegram API framework, to embed a stealthy backdoor that’s triggered every time a Telegram client starts and seize control of the Telegram session and the underlying host system. “The backdoor registers hidden Telegram message handlers that allow two hardcoded attacker-controlled accounts to execute arbitrary Python code (via the \/e command and the meval library) and arbitrary shell commands (via the \/shell command and subprocess) on the victim’s machine,” Endor Labs said.
\nA set of three malicious Microsoft Visual Studio Code (VS Code) extensions published by “IoliteLabs” \u2013 “solidity-macos,” “solidity-windows,” and “solidity-linux” \u2013 that were originally dormant since 2018 but were updated on March 25, 2026, to launch a multi-stage backdoor targeting Windows and macOS systems upon launching the application to establish persistence. Collectively, the extensions had 27,500 installs prior to them being removed.
\nMultiple versions of the “KhangNghiem\/fast-draft” VS Code extension on Open VSX (0.10.89, 0.10.105, 0.10.106, and 0.10.112) that execute a GitHub-hosted downloader to deploy a second-stage Socket.IO\u00a0RAT, an information stealer, a file exfiltration module, and a clipboard monitor from a GitHub repository. Interestingly, versions 0.10.88, 0.10.111, and 0.10.129-135 have been found to be clean. “That is not the release pattern you expect from a single compromised build or a maintainer who has fully switched to malicious behavior,” Aikido said. “It looks more like two competing release streams sharing the same publisher identity.”<\/p>\n

In\u00a0a report published in February 2026, Group-IB revealed that software supply chain attacks have become “the dominant force reshaping the global cyber threat landscape,” adding that threat actors are going after trusted vendors, open-source software, SaaS platforms, browser extensions, and managed service providers to gain inherited access to hundreds of downstream organizations.
\nThe\u00a0supply chain threat can rapidly escalate a single localized intrusion into\u00a0something that\u00a0has a large-scale, cross-border\u00a0impact, with\u00a0attackers industrializing supply chain compromises\u00a0and turning\u00a0it into a “self-reinforcing” ecosystem, as it\u00a0offers reach, speed, and\u00a0stealth.
\n“Package repositories such as npm and PyPI have become prime targets, stolen maintainer credentials, and automated malware worms to compromise widely used libraries \u2013 turning development pipelines into large-scale distribution channels for malicious code,”\u00a0Group-IB said<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants https:\/\/thehackernews.com\/2026\/04\/36-malicious-npm-packages-exploited.html Publish Date: 2026-04-05…<\/p>\n","protected":false},"author":1,"featured_media":202357,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg9axxKrcvcFkL99SIB2AlrcEW2RIZ1Ff8PollH7XYSWrYSOgoPXKlF5rsdgyr9BSWVUa5oP07faI_DvxNyUk_rpuz5i2xuiEdlU-e929rCWpkLjDGRs4EBjzfBWQRJVtrWNtR-EKvWsR-PPO-Yfei5ONMyumlI12R7OHmIrsyzJtB5SJRTCSuKiyJQnTfK\/s1600\/database.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32,34,27],"class_list":["post-202356","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/202356"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=202356"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/202356\/revisions"}],"predecessor-version":[{"id":202358,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/202356\/revisions\/202358"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/202357"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=202356"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=202356"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=202356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}