Close Menu
    What's Hot

    Dividend Champion, Contender, And Challenger Highlights: Week Of July 19

    Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man

    Nike nearly ended an investigation into its DEI practices—until Trump took office

    Facebook X (Twitter) Instagram
    Trending
    • Dividend Champion, Contender, And Challenger Highlights: Week Of July 19
    • Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man
    • Nike nearly ended an investigation into its DEI practices—until Trump took office
    • Mullin Vows to Keep Up Immigration Arrests Even After ICE Shootings
    • In New York’s ‘Little Palestine’, fans cheer for Spain in World Cup final | World Cup 2026 News
    • Vertu wants executives to pay $6,880 for an AI agent — here’s how it actually performs
    • The Open 2026 tee times: Full R3 pairings and start times for third round of men’s major at Royal Birkdale | Golf News
    • QQQI Vs. QDVO: I Refuse To Choose (NASDAQ:QQQI)
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

    adminBy adminApril 5, 2026No Comments7 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananApr 05, 2026Malware / DevSecOps

    36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

    Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant.

    “Every package contains three files (package.json, index.js, postinstall.js), has no description, repository, or homepage, and uses version 3.6.8 to appear as a mature Strapi v3 community plugin,” SafeDep said.

    All identified npm packages follow the same naming convention, starting with “strapi-plugin-” and then phrases like “cron,” “database,” or “server” to fool unsuspecting developers into downloading them. It’s worth noting that the official Strapi plugins are scoped under “@strapi/.”

    The packages, uploaded by four sock puppet accounts “umarbek1233,” “kekylf12,” “tikeqemif26,” and “umar_bektembiev1” over a period of 13 hours, are listed below –

    • strapi-plugin-cron
    • strapi-plugin-config
    • strapi-plugin-server
    • strapi-plugin-database
    • strapi-plugin-core
    • strapi-plugin-hooks
    • strapi-plugin-monitor
    • strapi-plugin-events
    • strapi-plugin-logger
    • strapi-plugin-health
    • strapi-plugin-sync
    • strapi-plugin-seed
    • strapi-plugin-locale
    • strapi-plugin-form
    • strapi-plugin-notify
    • strapi-plugin-api
    • strapi-plugin-sitemap-gen
    • strapi-plugin-nordica-tools
    • strapi-plugin-nordica-sync
    • strapi-plugin-nordica-cms
    • strapi-plugin-nordica-api
    • strapi-plugin-nordica-recon
    • strapi-plugin-nordica-stage
    • strapi-plugin-nordica-vhost
    • strapi-plugin-nordica-deep
    • strapi-plugin-nordica-lite
    • strapi-plugin-nordica
    • strapi-plugin-finseven
    • strapi-plugin-hextest
    • strapi-plugin-cms-tools
    • strapi-plugin-content-sync
    • strapi-plugin-debug-tools
    • strapi-plugin-health-check
    • strapi-plugin-guardarian-ext
    • strapi-plugin-advanced-uuid
    • strapi-plugin-blurhash 

    An analysis of the packages reveals that the malicious code is embedded within the postinstall script hook, which gets executed on “npm install” without requiring any user interaction. It runs with the same privileges as those of the installing user, meaning it abuses root access within CI/CD environments and Docker containers.

    Cybersecurity

    The evolution of the payloads distributed as part of the campaign is as follows –

    • Weaponize a locally accessible Redis instance for remote code execution by injecting a crontab (aka cron table) entry to download and execute a shell script from a remote server every minute. The shell script writes a PHP web shell and Node.js reverse shell via SSH to Strapi’s public uploads directory. It also attempts to scan the disk for secrets (e.g., Elasticsearch and cryptocurrency wallet seed phrases) and exfiltrate a Guardarian API module.
    • Combine Redis exploitation with Docker container escape to write shell payloads to the host outside the container. It also launches a direct Python reverse shell on port 4444 and writes a reverse shell trigger into the application’s node_modules directory via Redis.
    • Deploy a reverse shell and write a shell downloader via Redis and execute the resulting file.
    • Scan the system for environment variables and PostgreSQL database connection strings.
    • An expanded credential harvester and reconnaissance payload to gather environment dumps, Strapi configurations, Redis database extraction by running the INFO, DBSIZE, and KEYS commands, network topology mapping, and Docker/Kubernetes secrets, cryptographic keys, and cryptocurrency wallet files.
    • Conduct PostgreSQL database exploitation by connecting to the target’s PostgreSQL database using hard-coded credentials and querying Strapi-specific tables for secrets. It also dumps matching cryptocurrency-related patterns (e.g., wallet, transaction, deposit, withdraw, hot, cold, and balance) and attempts to connect to six Guardarian databases. This indicates that the threat actor is already in possession of the data, obtained either via a prior compromise or through some other means.
    • Deploy a persistent implant designed to maintain remote access to a specific hostname (“prod-strapi”).
    • Facilitate credential theft by scanning hard-coded paths and spawning a persistent reverse shell.

    “The eight payloads show a clear narrative: the attacker started aggressively (Redis RCE, Docker escape), found those approaches weren’t working, pivoted to reconnaissance and data collection, used hardcoded credentials for direct database access, and finally settled on persistent access with targeted credential theft,” SafeDep said.

    The nature of the payloads, combined with the focus on digital assets and the use of hard-coded database credentials and hostname, raises the possibility that the campaign was a targeted attack against a cryptocurrency platform. Users who have installed any of the aforementioned packages are advised to assume compromise and rotate all credentials.

    The discovery coincides with the discovery of several supply chain attacks targeting the open-source ecosystem –

    • A GitHub account named “ezmtebo” has submitted over 256 pull requests across various open-source repositories containing a credential exfiltration payload. “It steals secrets through CI logs and PR comments, injects temporary workflows to dump secret values, auto-applies labels to bypass pull_request_target gates, and runs a background /proc scanner for 10 minutes after the main script exits,” SafeDep said.
    • A hijack of “dev-protocol,” a verified GitHub organization, to distribute malicious Polymarket trading bots with typosquatted npm dependencies (“ts-bign” and “levex-refa” or “big-nunber” and “lint-builder”) that steal wallet private keys, exfiltrate sensitive files, and open an SSH backdoor on the victim’s machine. While “levex-refa” functions as a credential stealer, “lint-builder” installs the SSH backdoor. Both “ts-bign” and “big-nunber” are designed to deliver “levex-refa” and “lint-builder,” respectively, as a transitive dependency.
    • A compromise of the popular Emacs package, “kubernetes-el/kubernetes-el,” that exploited the Pwn Request vulnerability in its GitHub Actions workflow by using the pull_request_target trigger to steal the repository’s GITHUB_TOKEN, exfiltrate CI/CD secrets, deface the repository, and inject destructive code to delete nearly all repository files.
    • A compromise of the legitimate “xygeni/xygeni-action” GitHub Actions workflow using stolen maintainer credentials to plant a reverse shell backdoor. Xygeni has since implemented new security controls to address the incident.
    • A compromise of the legitimate npm package, “mgc,” by means of an account takeover to push four malicious versions (1.2.1 through 1.2.4) containing a dropper script that detects the operating system and fetches a platform-specific payload – a Python trojan for Linux and a PowerShell variant for Windows called WAVESHAPER.V2 – from a GitHub Gist. The attack shares direct overlap with the recent supply chain attack targeting Axios, which has been attributed to a North Korean threat cluster tracked as UNC1069.
    • A malicious npm package named “express-session-js” that typosquats “express-session” and contains a dropper that retrieves a next-stage remote access trojan (RAT) from JSON Keeper to conduct data theft and persistent access by connecting to “216.126.237[.]71” using the Socket.IO library.
    • A compromise of the legitimate PyPI package, “bittensor-wallet” (version 4.0.2), to deploy a backdoor that’s triggered during a wallet decryption operation to exfiltrate wallet keys using HTTPS, DNS tunneling, and Raw TLS as exfiltration channels to either a hard-coded domain or one created using a Domain Generation Algorithm (DGA) that’s rotated daily.
    • A malicious PyPI package named “pyronut” that typosquats “pyrogram,” a popular Python Telegram API framework, to embed a stealthy backdoor that’s triggered every time a Telegram client starts and seize control of the Telegram session and the underlying host system. “The backdoor registers hidden Telegram message handlers that allow two hardcoded attacker-controlled accounts to execute arbitrary Python code (via the /e command and the meval library) and arbitrary shell commands (via the /shell command and subprocess) on the victim’s machine,” Endor Labs said.
    • A set of three malicious Microsoft Visual Studio Code (VS Code) extensions published by “IoliteLabs” – “solidity-macos,” “solidity-windows,” and “solidity-linux” – that were originally dormant since 2018 but were updated on March 25, 2026, to launch a multi-stage backdoor targeting Windows and macOS systems upon launching the application to establish persistence. Collectively, the extensions had 27,500 installs prior to them being removed.
    • Multiple versions of the “KhangNghiem/fast-draft” VS Code extension on Open VSX (0.10.89, 0.10.105, 0.10.106, and 0.10.112) that execute a GitHub-hosted downloader to deploy a second-stage Socket.IO RAT, an information stealer, a file exfiltration module, and a clipboard monitor from a GitHub repository. Interestingly, versions 0.10.88, 0.10.111, and 0.10.129-135 have been found to be clean. “That is not the release pattern you expect from a single compromised build or a maintainer who has fully switched to malicious behavior,” Aikido said. “It looks more like two competing release streams sharing the same publisher identity.”
    Cybersecurity

    In a report published in February 2026, Group-IB revealed that software supply chain attacks have become “the dominant force reshaping the global cyber threat landscape,” adding that threat actors are going after trusted vendors, open-source software, SaaS platforms, browser extensions, and managed service providers to gain inherited access to hundreds of downstream organizations.

    The supply chain threat can rapidly escalate a single localized intrusion into something that has a large-scale, cross-border impact, with attackers industrializing supply chain compromises and turning it into a “self-reinforcing” ecosystem, as it offers reach, speed, and stealth.

    “Package repositories such as npm and PyPI have become prime targets, stolen maintainer credentials, and automated malware worms to compromise widely used libraries – turning development pipelines into large-scale distribution channels for malicious code,” Group-IB said

    deploy Exploited Implants malicious npm Packages persistent PostgreSQL Redis
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleGucci Mane was allegedly kidnapped by Pooh Shiesty over a music label dispute. What happens to the recording contract now?
    Next Article What’s it like watching Dan Hurley lead UConn to the title game
    admin
    • Website

    Related Posts

    Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man

    July 18, 2026

    GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft

    July 18, 2026

    OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

    July 18, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Dividend Champion, Contender, And Challenger Highlights: Week Of July 19

    Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man

    Nike nearly ended an investigation into its DEI practices—until Trump took office

    Mullin Vows to Keep Up Immigration Arrests Even After ICE Shootings

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by