{"id":231349,"date":"2026-04-05T01:07:00","date_gmt":"2026-04-05T05:07:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/05\/36-malicious-npm-packages-exploited-redis-postgresql-to-deploy-persistent-implants\/"},"modified":"2026-04-05T05:05:08","modified_gmt":"2026-04-05T09:05:08","slug":"36-malicious-npm-packages-exploited-redis-postgresql-to-deploy-persistent-implants","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/05\/36-malicious-npm-packages-exploited-redis-postgresql-to-deploy-persistent-implants\/","title":{"rendered":"36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/36-malicious-npm-packages-exploited.html\">36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/36-malicious-npm-packages-exploited.html\">https:\/\/thehackernews.com\/2026\/04\/36-malicious-npm-packages-exploited.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-05 01:07:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Ravie Lakshmanan<\/span>\ue802<span class=\"author\">Apr 05, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ DevSecOps<\/span><\/p>\n<p>Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent\u00a0implant.<\/p>\n<p>&#8220;Every package contains three files (package.json, index.js, postinstall.js), has no description, repository, or homepage, and uses version 3.6.8\u00a0to appear as a mature Strapi v3 community plugin,&#8221;\u00a0SafeDep said.<\/p>\n<p>All\u00a0identified npm packages follow the same naming convention, starting with &#8220;strapi-plugin-&#8221; and then phrases like &#8220;cron,&#8221; &#8220;database,&#8221; or &#8220;server&#8221; to fool unsuspecting developers into downloading them. It&#8217;s worth noting that the official Strapi plugins are scoped under &#8220;@strapi\/.&#8221;<\/p>\n<p>The\u00a0packages, uploaded by four sock puppet accounts &#8220;umarbek1233,&#8221; &#8220;kekylf12,&#8221; &#8220;tikeqemif26,&#8221; and &#8220;umar_bektembiev1&#8221; over a period of 13 hours, are listed below\u00a0&#8211;<\/p>\n<ul>\n<li>strapi-plugin-cron<\/li>\n<li>strapi-plugin-config<\/li>\n<li>strapi-plugin-server<\/li>\n<li>strapi-plugin-database<\/li>\n<li>strapi-plugin-core<\/li>\n<li>strapi-plugin-hooks<\/li>\n<li>strapi-plugin-monitor<\/li>\n<li>strapi-plugin-events<\/li>\n<li>strapi-plugin-logger<\/li>\n<li>strapi-plugin-health<\/li>\n<li>strapi-plugin-sync<\/li>\n<li>strapi-plugin-seed<\/li>\n<li>strapi-plugin-locale<\/li>\n<li>strapi-plugin-form<\/li>\n<li>strapi-plugin-notify<\/li>\n<li>strapi-plugin-api<\/li>\n<li>strapi-plugin-sitemap-gen<\/li>\n<li>strapi-plugin-nordica-tools<\/li>\n<li>strapi-plugin-nordica-sync<\/li>\n<li>strapi-plugin-nordica-cms<\/li>\n<li>strapi-plugin-nordica-api<\/li>\n<li>strapi-plugin-nordica-recon<\/li>\n<li>strapi-plugin-nordica-stage<\/li>\n<li>strapi-plugin-nordica-vhost<\/li>\n<li>strapi-plugin-nordica-deep<\/li>\n<li>strapi-plugin-nordica-lite<\/li>\n<li>strapi-plugin-nordica<\/li>\n<li>strapi-plugin-finseven<\/li>\n<li>strapi-plugin-hextest<\/li>\n<li>strapi-plugin-cms-tools<\/li>\n<li>strapi-plugin-content-sync<\/li>\n<li>strapi-plugin-debug-tools<\/li>\n<li>strapi-plugin-health-check<\/li>\n<li>strapi-plugin-guardarian-ext<\/li>\n<li>strapi-plugin-advanced-uuid<\/li>\n<li>strapi-plugin-blurhash\u00a0<\/li>\n<\/ul>\n<p>An\u00a0analysis of the packages reveals that the malicious code is embedded within the postinstall script hook, which gets executed on &#8220;npm&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/36-malicious-npm-packages-exploited.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants https:\/\/thehackernews.com\/2026\/04\/36-malicious-npm-packages-exploited.html Publish Date: 2026-04-05&#8230;<\/p>\n","protected":false},"author":1,"featured_media":231350,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg9axxKrcvcFkL99SIB2AlrcEW2RIZ1Ff8PollH7XYSWrYSOgoPXKlF5rsdgyr9BSWVUa5oP07faI_DvxNyUk_rpuz5i2xuiEdlU-e929rCWpkLjDGRs4EBjzfBWQRJVtrWNtR-EKvWsR-PPO-Yfei5ONMyumlI12R7OHmIrsyzJtB5SJRTCSuKiyJQnTfK\/s1600\/database.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32],"class_list":["post-231349","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231349"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=231349"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231349\/revisions"}],"predecessor-version":[{"id":231351,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231349\/revisions\/231351"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/231350"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=231349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=231349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=231349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}