The npm code repository is again being used by a bad actor to launch a supply chain attack that includes three dozen malicious packages that appear as Strapi CMS plugins but deliver a range of threats.
Strapi is a popular open source headless Node.js content management system developers use to build, manage, and expose content through REST or GraphQL APIs while using a range of front-end frameworks, like React, Next.js, and Vue. Capabilities that make it attractive include a customizable administrator panel and flexibility in databases developers can use.
According to researchers with cybersecurity vendor SafeDep, the 36 malicious packages were published using four npm accounts, with varying numbers of packages in each account.
“Contrary to what you might expect from a package-spam campaign, the analyzed packages carry different payloads — eight distinct variants in total — revealing a real-time attack development session against a specific target,” researchers with cybersecurity vendor SafeDep wrote in a report. “This campaign is a rare window into an attacker’s real-time development process. Over 13 hours, the operator published ten packages with eight distinct payloads, each iteration responding to what was likely working (or not) against their target.”
Multiple Threats
The payloads carry a range of threats with them, from Redis remote code execution (RCE) and PostgreSQL exploitation to Docker and Kubernetes container escape, credential harvesting – such as passwords, SSH private keys, and cryptocurrency wallet information – persistence, and Python reverse shell deployment.
“Every package contains three files (package.json, index.js, postinstall.js), has no description, repository, or homepage, and uses version 3.6.8 to appear as a mature Strapi v3 community plugin,” the researchers wrote. “The package names follow the naming convention used by legitimate packages like strapi-plugin-comments or strapi-plugin-upload. All official Strapi plugins are scoped under @strapi/, making these unscoped names a social engineering choice targeting developers searching for community plugins.”
The attacker’s malicious code is found in the postinstall file script, which is different for each package. It is executed on “npm install” through the postinstall script, without any interaction from the user being needed. It includes the privileges for the installing user, which in CI/CD environments and Docker containers means root access.
Guardarian is the Target
The campaign appears to target Guardarian, a European Union-based cryptocurrency gateway that allows users to buy, sell, and swipe more than 1,000 cryptocurrencies. From the first payload onward, Guardarian references are found.
This confirmed that “this was a targeted campaign against a cryptocurrency payment platform from the very beginning — not an opportunistic spray that became targeted over time,” they wrote. “The hardcoded database password in Payload 6 proves this is not the attacker’s first interaction with the target’s infrastructure.”
Multiple Packages Over 13 Hours
The SafeDep researchers were able to track the packages published over a 13-hour period. The first hour involved the two payloads that came with Redis RCE exploitation, with crontab injection, SSH key injection, and other capabilities.
That was followed over the intervening hours by payloads with simplified direct reverse shells and then reconnaissance to collect credentials and secrets for future use, direct database exploitation using hardcoded PostgreSQL credentials to grab Strapi data, probing for Guardarian payment.
Hours 10 through 13 were focused on persistent access, with the bad actor switching to a second npm account and deploying persistent implants and armed with the target’s hostname, CI/CD pipeline, and secrets directory layout.
“The eight payloads show a clear narrative: the attacker started aggressive (Redis RCE, Docker escape), found those approaches weren’t working, pivoted to reconnaissance and data collection, used hardcoded credentials for direct database access, and finally settled on persistent access with targeted credential theft,” they wrote.
Rotate Credentials
Developers who installed any of the malicious packages need to assume they’ve been compromised and rotate credentials – database passwords, API keys, JWT secrets, and private keys, among others — that are stored on their system.
The campaign is only the latest in a growing trend of dropping malicious packages into code repositories to initiate supply chain attacks. Sonatype researchers wrote that throughout last year, they identified more than 454,600 such malicious packages, bringing the total of known and blocked malware to more than 1.233 million packages not only in npm but also PyPI, Maven Central, NuGet, and Hugging Face.
“This year, we observed that the evolution of open source malware crystallized, evolving from spam and stunts into sustained, industrialized campaigns against the people and tooling that build software,” they wrote, adding that both the scale and sophistication of the threat grew in 2025.
More than 99% of open source malware last year was found on npm. State-linked threat actors like North Korea’s Lazarus Group was able to plant five-stage payload chains that included droppers, credential theft, and persistent remote access, while Shai-Hulud “proved that open source malware can now propagate autonomously through open source ecosystems,” they wrote.