Security experts have identified three dozen fake npm packages designed to mimic Strapi CMS plugins while secretly delivering malware like reverse shells and credential harvesters. These malicious tools exploit the installation process to gain unauthorized access to databases and persistent control over compromised systems.
Cybersecurity researchers recently uncovered a coordinated supply chain attack involving 36 fraudulent packages uploaded to the npm registry. These files are specifically engineered to impersonate legitimate Strapi CMS plugins, tricking developers into integrating them into their projects. Once installed, the packages deploy a variety of harmful payloads that can compromise PostgreSQL and Redis databases, steal sensitive credentials, or establish a persistent backdoor for long-term access.
To build a false sense of trust, the attackers utilized a consistent naming convention that mimics official naming patterns, using prefixes like strapi-plugin followed by common terms such as cron, database, or server. The malicious actors even set the version number of every package to 3.6.8 to make them appear like established, mature community tools. In reality, legitimate Strapi plugins are strictly organized under a specific scope, whereas these deceptive versions lacked any linked repositories, descriptions, or official documentation.
The campaign was executed rapidly over a thirteen-hour window by four distinct sock puppet accounts. These accounts systematically uploaded the tools to ensure maximum visibility within the registry. The list of fakes includes generic titles as well as more specific names like strapi-plugin-sitemap-gen and strapi-plugin-advanced-uuid, all designed to catch the eye of developers looking for quick functionality enhancements for their content management systems.
Technical analysis shows that the danger lies within the postinstall script hook included in every package. This script is automatically triggered the moment a user runs the install command, requiring no further manual interaction to activate the malware. This automated execution allows the malicious code to run immediately upon download, bypassing many standard security checks that only monitor the software during its active runtime.
Because the scripts run with the same privileges as the user performing the installation, they pose a significant risk to high-stakes environments. In many professional settings, this means the malware effectively gains root access within Docker containers or automated CI/CD pipelines. This level of permission allows the attackers to deeply embed their implants and move laterally through a network, potentially compromising entire development infrastructures.
Source: https://safedep.io/malicious-npm-strapi-plugin-events-c2-agent/