36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

2026-04-05

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

This article covers the discovery of 36 malicious npm packages disguised as Strapi CMS plugins that deployed persistent implants and harvested credentials.

•All packages followed the naming convention "strapi-plugin-" and used version 3.6.8 to appear as legitimate Strapi v3 community plugins.
•Malicious code was embedded in the postinstall script hook, executing automatically on "npm install" with the installing user's privileges.
•Attack payloads evolved across 8 stages: Redis RCE via crontab injection, Docker container escape, reverse shell deployment, PostgreSQL exploitation using hard-coded credentials, and persistent implant installation.
•Payloads targeted cryptocurrency-related data including wallet files, transaction records, and Guardarian API modules, suggesting a targeted attack on a cryptocurrency platform.

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation

April 05, 2026

Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

April 04, 2026