Malicious npm Packages Exploit Strapi CMS, Compromise Credentials
Severity: High (Score: 66.9)
Sources: LinkedIn, Scworld
Summary
Researchers from SafeDep have identified 36 malicious npm packages disguised as Strapi CMS plugins, which facilitate Redis and PostgreSQL exploitation, reverse shell injections, and credential harvesting. These packages employ a postinstall script hook to execute malicious code without user interaction, allowing attackers to exploit local Redis instances for remote code execution. The attacks involve scanning for hardcoded credentials and secrets, ultimately leading to persistent implant deployment. This incident highlights the growing trend of software supply chain attacks, with npm and other package repositories being primary targets.

Concurrently, the exploitation of React2Shell (CVE-2025-55182) has been reported, affecting at least 766 hosts across various cloud providers. The threat group UAT-10608 is attributed to this campaign, which automates the theft of sensitive credentials. The recent budget cuts proposed for CISA may impact the agency's ability to respond to such threats effectively.

Key Points:
- 36 malicious npm packages impersonate Strapi CMS plugins to exploit vulnerabilities.
- Attacks utilize postinstall scripts for remote code execution and credential harvesting.
- At least 766 hosts compromised in a separate React2Shell exploitation campaign.
Key Entities
- Malware (attack_type)
- Supply Chain Attack (attack_type)
- CVE-2025-55182 (cve)
- CVE-2026-35616 (cve)
- europa.eu (domain)
- T1195 - Supply Chain Compromise (mitre_attack)
- Docker (tool)
- PostgreSQL (platform)
- Redis (platform)
- Strapi (platform)