36 Fake npm Packages Hijacked Strapi to Plant Persistent Backdoors

A Developer Runs One Command. The Attacker Gets a Foothold.

Thirty-six malicious packages were discovered inside the npm registry, each one disguised as a legitimate Strapi CMS plugin. According to researchers who analysed the campaign (reported by The Hacker News, April 2026), every package followed the same three-file structure: package.json, index.js, and postinstall.js. None had a description. None had a linked repository. All of them contained hidden payloads. The moment a developer ran npm install, the postinstall.js script fired. That single, routine command — something developers execute dozens of times a day — was enough to trigger Redis and PostgreSQL exploitation, deploy a reverse shell back to attacker-controlled infrastructure, harvest local credentials, and drop a persistent implant that survived reboots. This is the supply chain attack model at its most effective: hide in plain sight, weaponise trust, and let the victim's own build process do the heavy lifting.

What Did These Packages Actually Do?

Each package in the campaign served multiple functions simultaneously, which is what makes this attack particularly well-engineered. Rather than focusing on a single payload, the attackers layered their capabilities. First, the packages probed and exploited Redis and PostgreSQL services running on the victim's machine or accessible on the local network. Databases that developers expose locally — often with weak or default credentials during development — became entry points into broader infrastructure. Second, a reverse shell connected the compromised machine to the attacker's command-and-control server. Unlike a traditional exploit that pushes commands in, a reverse shell pulls the connection out from the victim's network. This bypasses most inbound firewall rules because the traffic originates from inside the perimeter. Think of it like a burglar convincing someone inside the building to open the door from within, rather than forcing the lock from outside. Third, credentials stored on the machine — environment variables, configuration files, SSH keys, API tokens — were harvested and exfiltrated. Finally, a persistent implant was written to the system, ensuring the attacker retained access even after the malicious package was identified and removed. Removing the package does not remove the implant. That distinction matters enormously for incident response.

• Redis and PostgreSQL services exploited, particularly those running with weak or default local credentials
• Reverse shell deployed outbound to attacker infrastructure, bypassing inbound firewall rules
• Credentials harvested: environment variables, config files, API tokens, and SSH keys
• Persistent implant dropped separately from the package, surviving package removal and system reboots

Why Strapi? Why npm? Why Now?

Strapi is a widely used open-source headless CMS, popular across development teams building APIs and content-driven applications. Its plugin ecosystem is active, and developers regularly pull in community-built packages to extend functionality. That trust in the ecosystem is exactly what attackers are exploiting. The npm registry hosts over 2.5 million packages (npm, 2024), and while the registry's security team works to remove malicious packages, the volume of new uploads makes rapid detection difficult. Attackers have studied this gap. By mimicking the naming conventions of legitimate Strapi plugins — package names that look plausible at a glance — they increase the odds that a time-pressured developer installs their package without scrutiny. This is not the first campaign of this type. In 2023, researchers identified hundreds of malicious packages mimicking popular libraries across npm, PyPI, and RubyGems in what security researchers now call 'dependency confusion' and 'typosquatting' attacks. The 36-package Strapi campaign is a continuation of that trend, not an anomaly. What has changed is the sophistication. Earlier campaigns often deployed simple information stealers. This campaign deployed a multi-stage attack chain with persistence, credential harvesting, and database exploitation built in from the start. The attacker invested time in engineering this properly.

How Does This Affect UK and New Zealand Development Teams?

Any organisation with developers using npm is exposed to this attack class. That covers a wide range of businesses: digital agencies, SaaS companies, fintech firms, internal development teams, and managed service providers who build tooling for clients. For UK businesses, the risk sits at the intersection of developer workflow and enterprise security. Development environments are frequently less monitored than production systems. Developers have broad local access — they need it to do their jobs. When a malicious package lands in a dev environment, it often has access to internal network resources, staging databases, and credential stores that connect to production systems. For New Zealand and Australian teams, the same logic applies. Strapi is widely adopted across the APAC region for API-driven development projects. The timezone gap between NZ-based teams and European threat intelligence sources means that by the time an alert surfaces locally, packages may already have been installed. The deeper issue is that most endpoint security tools are not designed to monitor the npm install lifecycle. A developer installing a package looks identical to a legitimate build process from the outside. Without visibility into what scripts execute post-install, the attack is effectively invisible to traditional security controls.

What Security Controls Should Have Been in Place?

This attack succeeded in environments where several controls were absent or insufficient. Each gap is addressable. First, third-party package risk. Security teams need visibility into the packages their developers are pulling in. Tools that assess the risk profile of open-source dependencies — checking for the presence of descriptions, linked repositories, maintainer history, and download volumes — would flag these packages before installation. Thirty-six packages with no description and no repository should trigger an immediate alert. Panorays, which Kyanite Blue offers for third-party and supply chain risk management, addresses the vendor risk dimension of this problem — assessing the security posture of the software supply chain rather than just traditional third-party vendors. Learn more at /products/panorays. Second, data exfiltration prevention. Once the reverse shell established an outbound connection and credentials began leaving the network, that was a data exfiltration event. BlackFog is built to detect and block precisely this type of outbound data theft — monitoring for unauthorised data leaving the network and stopping it before exfiltration completes, even when the exfiltration is disguised as normal traffic. Details at /products/blackfog. Third, attack surface monitoring. Development machines and internal network services like Redis and PostgreSQL are part of your attack surface. If those services are exposed — even locally — without proper authentication, they represent a live vulnerability. Hadrian's continuous attack surface management identifies exactly these kinds of exposed services before attackers find them. See /products/hadrian. Fourth, endpoint detection. On the endpoint side, the deployment of a reverse shell and the writing of a persistent implant are behavioural indicators that next-generation endpoint protection should catch. For UK teams, Coro provides unified endpoint protection that monitors for these behavioural patterns. For New Zealand and Australian teams, ESET's enterprise endpoint protection offers the same depth of coverage for the APAC market. Find the right fit at /products/coro or /products/eset. Fifth, network-level detection. Sophos MDR provides 24/7 managed detection and response, meaning that even if an implant lands undetected, the outbound reverse shell connection and subsequent command-and-control traffic are caught by human analysts monitoring network telemetry around the clock. /products/sophos.

What Developers and Security Teams Should Do Right Now

If your organisation uses npm — particularly in projects involving Strapi — there are immediate steps worth taking. Audit your installed packages. Run npm list and cross-reference any Strapi-related plugins against the official Strapi plugin marketplace. Any package installed from npm that is not in the official registry should be treated with suspicion. Check your postinstall scripts. Run npm install with the --ignore-scripts flag in environments where you cannot vet every package. This prevents postinstall.js scripts from executing automatically. Review your database exposure. Redis and PostgreSQL instances that are accessible on localhost or the local network without authentication are a known attack target. Apply authentication, restrict binding addresses, and audit access logs. Assume compromise if in doubt. If any developer in your team installed a suspicious Strapi package in the past few months, assume the implant may already be present. Incident response starts with isolating the affected machine, not just removing the package. Train your developers. Security awareness is not just for end users. Developers make high-impact decisions about what code runs in your environment every day. Package selection is a security decision.

• Audit all installed npm packages, especially those related to Strapi or CMS plugins
• Use npm install --ignore-scripts in environments where you cannot vet postinstall scripts
• Apply authentication to all local Redis and PostgreSQL instances and restrict network binding
• Treat any suspicious historical install as a potential active compromise — not just a historical event
• Build package vetting into your development workflow as a standard security control

How to Protect Your Business

This campaign is a clear demonstration that the software supply chain is now a primary attack vector. Attackers are not waiting to find a zero-day in your perimeter firewall. They are hiding in packages your developers choose to trust. Kyanite Blue works with businesses across the UK, New Zealand, and Australia to address exactly these kinds of multi-stage, supply chain-enabled attacks. Here is how specific tools in our stack map directly to the threat this campaign represents: BlackFog stops data exfiltration at the point it happens. When a reverse shell begins sending credential data outbound, BlackFog identifies the unauthorised data movement and blocks it — regardless of how the attacker got in. This is the last line of defence against the campaign's credential harvesting and exfiltration stages. Check your current data exfiltration exposure at /data-exfiltration-risk — it takes two minutes. Hadrian continuously scans your attack surface for exposed services like Redis and PostgreSQL. If those services are reachable without authentication, Hadrian surfaces them before an attacker does. /products/hadrian Panorays extends supply chain risk management beyond traditional vendors to include software and open-source dependencies — critical for any organisation that builds or depends on development pipelines. /products/panorays For endpoint detection and response, UK teams should look at Coro (/products/coro) and NZ/AU teams at ESET (/products/eset). Both detect the behavioural indicators this campaign generates: suspicious script execution, reverse shell establishment, and persistence mechanisms. Sophos MDR provides the 24/7 human-in-the-loop monitoring that catches what automated tools miss — particularly the post-compromise command-and-control traffic that indicates an implant is active. /products/sophos If you want an honest view of where your business stands against this type of attack, talk to our team. We offer a no-obligation security assessment that maps your current posture against threats like this one. Get in touch at /contact.

Frequently Asked Questions