36 Malicious npm Packages Disguised as Strapi Plugins Exploit Redis and PostgreSQL for Persistent Access
Researchers discovered 36 malicious npm packages disguised as Strapi CMS plugins that abuse Redis and PostgreSQL connections to deploy persistent backdoor impl…
Published on MyPrivateClaw: Apr 5, 2026, 8:11 AM UTC
Coverage date: Apr 5, 2026
Last updated: Apr 5, 2026, 8:32 AM UTC
News summary
Security researchers reported on April 5, 2026 that 36 malicious npm packages disguised as legitimate Strapi CMS plugins had been published to the npm registry. The packages used postinstall scripts (code that runs automatically when a package is installed via npm install) to connect to Redis and PostgreSQL instances already running on the victim's system, exfiltrate stored credentials and data, and install persistent backdoor implants that survive package removal.

The attack is notable for its use of existing infrastructure rather than outbound command-and-control servers. By connecting to Redis and PostgreSQL via localhost, the malicious packages avoided network-level detection: the traffic appeared to be normal inter-process communication rather than suspicious outbound connections. The packages were named to closely resemble legitimate Strapi ecosystem packages, targeting develope…