Malicious npm Packages Exploit Strapi CMS, Compromise Credentials

Malicious npm Packages Exploit Strapi CMS, Compromise Credentials

First seen 6 Apr 2026, 22:13 UTC LinkedinScworld 73% similarity 66.9

Article Content

Browse articles
ThreatCluster

Researchers from SafeDep have identified 36 malicious npm packages disguised as Strapi CMS plugins, which facilitate Redis and PostgreSQL exploitation, reverse shell injections, and credential harvesting. These packages employ a postinstall script hook to execute malicious code without user interaction, allowing attackers to exploit local Redis instances for remote code execution. The attacks involve scanning for hardcoded credentials and secrets, ultimately leading to persistent implant deployment. This incident highlights the growing trend of software supply chain attacks, with npm and other package repositories being primary targets. Concurrently, the exploitation of React2Shell (CVE-2025-55182) has been reported, affecting at least 766 hosts across various cloud providers. The threat group UAT-10608 is attributed to this campaign, which automates the theft of sensitive credentials. The recent budget cuts proposed for CISA may impact the agency's ability to respond to such threats effectively.

Key Points: • 36 malicious npm packages impersonate Strapi CMS plugins to exploit vulnerabilities. • Attacks utilize postinstall scripts for remote code execution and credential harvesting. • At least 766 hosts compromised in a separate React2Shell exploitation campaign.

ThreatCluster AI

Timeline

2025-12-03
CVE-2025-55182 published
2025-12-05
CVE-2025-55182 added to CISA KEV (active exploitation)
2025-12-16
First public PoC for CVE-2025-55182
2026-04-04
CVE-2026-35616 published
2026-04-06
CVE-2026-35616 added to CISA KEV (active exploitation)
Recent
Discovery of 36 malicious npm packages

Community

Browse all →