Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
36 Malicious npm Packages Exploit Databases for Persistent Access

36 Malicious npm Packages Exploit Databases for Persistent Access

Posted on April 5, 2026 By CWS

In a significant cybersecurity revelation, experts have identified 36 malicious packages within the npm registry. These packages masquerade as plugins for the Strapi CMS but are intended to exploit Redis and PostgreSQL databases. By deploying reverse shells, stealing credentials, and establishing persistent access, these packages pose a serious threat to unsuspecting developers.

Disguised Malicious Packages Unveiled

Each package contains three files—package.json, index.js, and postinstall.js—and mimics a mature Strapi plugin by using version 3.6.8. However, they lack any associated description or repository. The naming convention of these packages, which begins with “strapi-plugin-” followed by terms like “cron” or “database,” is designed to deceive developers into downloading them. These packages were uploaded by four sock puppet accounts within a 13-hour window, making them appear legitimate.

Exploitation Tactics and Payloads

The malicious code is embedded in the postinstall script hook, executing automatically during installation. This execution does not require user interaction and operates with the same privileges as the installer, potentially exploiting root access in CI/CD environments and Docker containers. The payloads evolve from exploiting Redis for remote code execution to deploying reverse shells and scanning for sensitive data.

Attackers utilized Redis to escape Docker containers, implemented reverse shells, and harvested PostgreSQL database credentials. They also conducted extensive reconnaissance, mapping network topologies, and extracting sensitive information like cryptocurrency wallet files. These actions suggest a targeted attack on cryptocurrency platforms.

Broader Supply Chain Threats

This discovery is part of a broader trend of supply chain attacks aimed at the open-source ecosystem. Other incidents include credential exfiltration via GitHub pull requests, hijacking of the “dev-protocol” organization for malicious bot distribution, and the compromise of npm and PyPI packages to deploy malware. These attacks highlight the vulnerability of software supply chains, with attackers leveraging trusted platforms to distribute malicious code.

The impact of these attacks is far-reaching, transforming single localized intrusions into global threats. As attackers continue to industrialize supply chain compromises, the threat landscape is rapidly evolving. Organizations need to be vigilant, ensuring constant monitoring and updating of their software dependencies.

Group-IB has noted that software supply chain attacks are reshaping the global cyber threat landscape. These attacks target trusted vendors and open-source platforms to gain widespread access, turning development pipelines into channels for distributing malicious code.

Conclusion and Recommendations

The emergence of these malicious npm packages emphasizes the need for heightened vigilance in software development. Developers and organizations should conduct thorough security audits and rotate credentials if they have used any of the affected packages. The ongoing trend of supply chain attacks calls for a proactive approach to cybersecurity, ensuring the integrity and security of software supply chains.

The Hacker News Tags:Cybersecurity, database exploitation, DevSecOps, Malware, NPM, persistent implants, PostgreSQL, Redis, Strapi CMS, supply chain attack

Post navigation

Previous Post: Node.js Developers Face Advanced Social Engineering Threat
Next Post: Fortinet Addresses Critical FortiClient EMS Vulnerability

Related Posts

Citrix Releases Emergency Patches for Actively Exploited CVE-2025-6543 in NetScaler ADC Citrix Releases Emergency Patches for Actively Exploited CVE-2025-6543 in NetScaler ADC The Hacker News
Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign The Hacker News
WhatsApp 0-Day, Docker Bug, Salesforce Breach, Fake CAPTCHAs, Spyware App & More WhatsApp 0-Day, Docker Bug, Salesforce Breach, Fake CAPTCHAs, Spyware App & More The Hacker News
Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362 Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362 The Hacker News
SysAid Flaws Under Active Attack Enable Remote File Access and SSRF SysAid Flaws Under Active Attack Enable Remote File Access and SSRF The Hacker News
Blind Eagle’s Five Clusters Target Colombia Using RATs, Phishing Lures, and Dynamic DNS Infra Blind Eagle’s Five Clusters Target Colombia Using RATs, Phishing Lures, and Dynamic DNS Infra The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • AI Security Model Redeployment and Major Vulnerabilities
  • Flipper Zero Enhances Firmware Development Strategy
  • T3MP3ST Framework Transforms AI Into Security Pioneers
  • Microsoft Enhances Windows 11 OOBE with New Update
  • Government Pays $1M to Prevent Data Leak by Kairos Group

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • AI Security Model Redeployment and Major Vulnerabilities
  • Flipper Zero Enhances Firmware Development Strategy
  • T3MP3ST Framework Transforms AI Into Security Pioneers
  • Microsoft Enhances Windows 11 OOBE with New Update
  • Government Pays $1M to Prevent Data Leak by Kairos Group

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark