Malicious npm Packages Deploy Persistent Implants in Redis & PostgreSQL Environments


Kodem Security Research Team
April 7, 2026

A newly discovered supply-chain campaign introduced 36 malicious npm packages across multiple versions disguised as Strapi plugins, designed to target Redis and PostgreSQL instances accessible within runtime environments, including localhost, to extract credentials, execute commands and deploy persistent implants. The packages used post-install execution, which runs with installer privileges in CI/CD pipelines and container environments, to harvest credentials, retrieve remote payloads, deploy reverse shells and establish long-term access across compromised systems.

This campaign reinforces a growing pattern: attackers are targeting trusted developer workflows and exploiting runtime execution paths rather than relying on traditional vulnerabilities.

What Happened

Security researchers identified 36 malicious npm packages across multiple versions masquerading as Strapi CMS plugins. Each package used postinstall scripts to execute malicious payloads automatically during installation.

The packages followed a consistent structure:

  • Minimal metadata, lacking repository or homepage signals to avoid scrutiny. 
  • postinstall.js execution during installation.
  • Payloads targeting Redis and PostgreSQL.
  • Reverse shell deployment and credential harvesting.

The packages also used unscoped names designed to resemble legitimate Strapi plugins, despite not being affiliated with official Strapi packages.
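The traits listed above can be checked mechanically before a package is trusted. The following is an added example, not code from the original post or from the cited research: a small Node.js triage function that inspects a parsed package.json for install-time lifecycle scripts, for missing repository and homepage fields, and for unscoped names that resemble Strapi plugins (official plugins live under the @strapi scope). The script patterns, the risk thresholds and the two sample manifests are my own constructions, and every package name in them is made up.

```javascript
// Added example (not from the original post or the cited research): heuristic
// triage of a package manifest for the traits this campaign shared.
// Field names follow package.json; patterns and thresholds are assumptions.

const LIFECYCLE_INSTALL_SCRIPTS = ['preinstall', 'install', 'postinstall'];

// Things in an install-time script body that deserve a closer look. Heuristic only.
const SUSPICIOUS_SCRIPT_PATTERNS = [
  { re: /\bnode\s+[\w./-]*install\w*\.js\b/i, reason: 'runs a JS file at install time' },
  { re: /\b(curl|wget)\b/i, reason: 'downloads content during install' },
  { re: /\bnode\s+-e\b/i, reason: 'evaluates inline JavaScript' },
  { re: /\b(bash|sh)\s+-c\b/i, reason: 'spawns a shell' },
];

// Official Strapi plugins are published under the @strapi scope; an unscoped
// name that contains "strapi" is a look-alike, not an affiliated package.
function impersonatesStrapi(name) {
  return /strapi/i.test(name) && !name.startsWith('@strapi/');
}

// Returns { name, risk, findings } for one parsed package.json object.
function auditPackageManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};

  for (const hook of LIFECYCLE_INSTALL_SCRIPTS) {
    if (!scripts[hook]) continue;
    findings.push(`${hook} script present: "${scripts[hook]}"`);
    for (const { re, reason } of SUSPICIOUS_SCRIPT_PATTERNS) {
      if (re.test(scripts[hook])) findings.push(`${hook} ${reason}`);
    }
  }

  // Minimal metadata: no repository or homepage to trace the publisher back to.
  if (!pkg.repository) findings.push('no repository field');
  if (!pkg.homepage) findings.push('no homepage field');
  if (impersonatesStrapi(pkg.name || '')) findings.push('unscoped name resembles a Strapi plugin');

  // Crude risk bucket: install-time execution combined with impersonation or
  // missing provenance is what made these packages stand out.
  const hasInstallScript = LIFECYCLE_INSTALL_SCRIPTS.some((h) => Boolean(scripts[h]));
  let risk = 'low';
  if (hasInstallScript && findings.length >= 3) risk = 'high';
  else if (hasInstallScript || findings.length >= 2) risk = 'medium';

  return { name: pkg.name, risk, findings };
}

// Constructed sample manifests; names, URLs and fields are made up for illustration.
const SAMPLE_LOOKALIKE = {
  name: 'strapi-plugin-example-lookalike',
  version: '1.0.0',
  scripts: { postinstall: 'node postinstall.js' },
};

const SAMPLE_BENIGN = {
  name: '@example-org/widgets',
  version: '2.3.1',
  repository: { type: 'git', url: 'https://example.invalid/widgets.git' },
  homepage: 'https://example.invalid/widgets',
  scripts: { test: 'node --test' },
};

for (const pkg of [SAMPLE_LOOKALIKE, SAMPLE_BENIGN]) {
  const result = auditPackageManifest(pkg);
  console.log(`${result.name}: ${result.risk}`, result.findings);
}
```

Run over a directory of node_modules/*/package.json (or fed from a registry fetch before installation), this surfaces the "high" bucket for review; the look-alike above trips all five checks while the benign manifest trips none. The heuristics are deliberately simple: a package with a legitimate native build step will also show a postinstall script, so the output is a triage list, not a verdict.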

Researchers also observed multiple payload variants, suggesting an evolving campaign where attackers experimented with different techniques before settling on persistent access and credential theft.

Malicious Packages Identified

The 36 packages were uploaded over a 13-hour period by four sock puppet accounts: umarbek1233, kekylf12, tikeqemif26 and umar_bektembiev1.

Why This Matters

This attack highlights several concerning trends:

  1. Install-Time Execution: Malicious code executed automatically during npm install, running with installer privileges across developer machines, CI/CD pipelines and containerized environments.
  2. Remote Payload Delivery: Attackers retrieved payloads from external infrastructure, allowing them to update behavior without modifying packages.
  3. Database-Focused Targeting: Attackers targeted Redis and PostgreSQL instances accessible within runtime environments, including localhost configurations.
  4. Persistent Implants: Later payloads focused on long-term persistence rather than immediate disruption.
  5. Evolving Attack Strategy: Researchers identified eight distinct payload variations, indicating active development and refinement during the campaign.

Attack Behavior Observed

Researchers reported the following behaviors:

  • Runtime execution during install phase.
  • Environment reconnaissance and environment-aware execution.
  • Credential harvesting from Redis and PostgreSQL.
  • Database credential reuse and potential lateral movement. 
  • Reverse shell deployment.
  • Command-and-control (C2) communication.
  • Remote payload retrieval and execution.
  • Persistent implant installation.

These behaviors suggest a mix of targeted and opportunistic compromise, with attackers adapting their techniques to whatever infrastructure was accessible.

Why This Pattern Is Increasing

Recent supply-chain attacks show a consistent pattern: attackers increasingly target trusted developer workflows, install-time execution paths and runtime behavior rather than relying only on traditional software vulnerabilities. This campaign shares the elements seen in those incidents:

  • Trusted package impersonation.
  • Install-time execution.
  • Credential harvesting.
  • Persistence and lateral movement.

Rather than exploiting vulnerabilities, attackers are targeting how applications are built and deployed. Since installation occurs within trusted build workflows, compromised packages can impact developer environments, CI/CD pipelines and containerized deployments simultaneously. 

What to Do Now

If your organization uses npm:

  • Audit dependencies for suspicious Strapi plugins.
  • Review installation logs for unexpected execution.
  • Rotate database credentials.
  • Monitor outbound connections.
  • Restrict install-time script execution where possible.
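Restricting install-time scripts works best as a deliberate gate rather than a blanket setting nobody reviews. As an added example (not from the original post), the function below reads a parsed package-lock.json (lockfile version 2 or 3, where npm records hasInstallScript: true for every dependency that declares install-time scripts), compares those dependencies against an allowlist, and decides whether the install should run with scripts disabled. The allowlist format, the sample lockfile and all package names in it are constructed for illustration.

```javascript
// Added example (not from the original post): a pre-install gate built on the
// lockfile. npm writes "hasInstallScript": true into package-lock.json (v2/v3)
// for dependencies with preinstall/install/postinstall scripts, so the set of
// packages that would execute during "npm ci" is known before anything runs.
// The allowlist format is my own assumption.

// Lockfile keys look like "node_modules/foo" or
// "node_modules/foo/node_modules/@scope/bar"; the name is the part after the
// last "node_modules/" segment.
function packageNameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Returns { installCommand, allowedScripts, blocked } for a parsed lockfile.
function planInstall(lockfile, allowlist) {
  const packages = lockfile.packages || {};
  const withScripts = [];

  for (const [lockPath, entry] of Object.entries(packages)) {
    if (lockPath === '') continue;          // the root project entry
    if (!entry.hasInstallScript) continue;  // nothing runs at install time
    const name = packageNameFromLockPath(lockPath);
    withScripts.push({ name, version: entry.version, allowed: allowlist.has(name) });
  }

  const blocked = withScripts.filter((p) => !p.allowed);
  return {
    // Any unapproved install-time script means: install with scripts disabled,
    // then run only the approved packages' scripts explicitly afterwards.
    installCommand: blocked.length > 0 ? 'npm ci --ignore-scripts' : 'npm ci',
    allowedScripts: withScripts.filter((p) => p.allowed).map((p) => p.name),
    blocked,
  };
}

// Constructed sample lockfile; package names and versions are made up.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@example-org/native-addon': { version: '4.2.0', hasInstallScript: true },
    'node_modules/strapi-plugin-example-lookalike': { version: '1.0.0', hasInstallScript: true },
    'node_modules/left-padding-helper': { version: '0.9.1' },
  },
};

// Packages whose install scripts have been reviewed and approved (constructed).
const ALLOWED_INSTALL_SCRIPTS = new Set(['@example-org/native-addon']);

const plan = planInstall(SAMPLE_LOCKFILE, ALLOWED_INSTALL_SCRIPTS);
console.log(plan.installCommand);
for (const p of plan.blocked) {
  console.log(`blocked: ${p.name}@${p.version} declares install-time scripts and is not allowlisted`);
}
```

With ignore-scripts=true in the project's .npmrc the safe path becomes the default, and the approved packages' install scripts can be run afterwards with npm rebuild followed by the package name. The effect is that a newly added dependency asking for install-time execution shows up as a blocked entry in the pipeline log instead of running silently with the installer's privileges.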

Organizations should also validate what actually executes at runtime, not just what appears in dependency manifests.

The Bigger Picture

Supply-chain attacks are increasingly shifting toward runtime execution and persistence. This campaign demonstrates how a single malicious dependency can escalate from installation to database access and long-term compromise.

As attackers move closer to execution paths, prioritizing runtime visibility and validating what actually runs in production becomes critical.

References

  1. Ravie Lakshmanan. April 5, 2026. 36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants. The Hacker News
  2. SafeDep. April 3, 2026. Thirty-Six Malicious npm Strapi Packages Deploy Redis RCE, Database Theft, and Persistent C2. SafeDep