Feed
HighPublished 15 Apr 202636 packages · 0 versions

36 fake Strapi plugins on npm deploy persistent implants

Summary

Four sock-puppet npm accounts (umarbek1233, kekylf12, tikeqemif26, umar_bektembiev1) uploaded 36 packages over a ~13-hour window impersonating Strapi CMS plugins. Payload evolution moved through 8 variants targeting Redis RCE with cron injection, Docker container escapes, PostgreSQL exploitation on hosts named prod-strapi, Python reverse shells on port 4444, and SSH-key backdoors.

typosquatci-cd-compromisecredential-theftcrypto-wallet-drain
Detected by
SafeDep
Ecosystems
npm
Packages tracked
36

What happened

SafeDep researchers identified a coordinated burst of 36 malicious npm packages uploaded over a ~13-hour window by four sock-puppet accounts: umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1. Every package is named strapi-plugin-* to ride the trust developers place in the Strapi headless-CMS plugin ecosystem.

Payloads evolved through eight distinct variants over the campaign, suggesting the operator iterated in real time:

  • Redis RCE via cron-job injection on reachable Redis instances.
  • Docker container escapes targeting mounted sockets.
  • PostgreSQL exploitation gated on hostnames matching prod-strapi.
  • Python reverse shells phoning home to port 4444/tcp.
  • SSH-key backdoors for long-term persistence.
  • Crypto wallet file enumeration across the host filesystem.

The hard-coded prod-strapi hostname check and the wallet-enumeration logic point to a targeted cryptocurrency platform rather than opportunistic theft, although SafeDep stopped short of naming a specific victim. Because Strapi plugin names follow a permissive strapi-plugin-* convention with no scope enforcement, anyone publishing to npm can squat plausible-looking names — make plugin provenance verification a hard requirement in CI.

Affected packages (36)

  • npmstrapi-plugin-advanced-uuid
  • npmstrapi-plugin-api
  • npmstrapi-plugin-blurhash
  • npmstrapi-plugin-cms-tools
  • npmstrapi-plugin-config
  • npmstrapi-plugin-content-sync
  • npmstrapi-plugin-core
  • npmstrapi-plugin-cron
  • npmstrapi-plugin-database
  • npmstrapi-plugin-debug-tools
  • npmstrapi-plugin-events
  • npmstrapi-plugin-finseven
  • npmstrapi-plugin-form
  • npmstrapi-plugin-guardarian-ext
  • npmstrapi-plugin-health
  • npmstrapi-plugin-health-check
  • npmstrapi-plugin-hextest
  • npmstrapi-plugin-hooks
  • npmstrapi-plugin-locale
  • npmstrapi-plugin-logger
  • npmstrapi-plugin-monitor
  • npmstrapi-plugin-nordica
  • npmstrapi-plugin-nordica-api
  • npmstrapi-plugin-nordica-cms
  • npmstrapi-plugin-nordica-deep
  • npmstrapi-plugin-nordica-lite
  • npmstrapi-plugin-nordica-recon
  • npmstrapi-plugin-nordica-stage
  • npmstrapi-plugin-nordica-sync
  • npmstrapi-plugin-nordica-tools
  • npmstrapi-plugin-nordica-vhost
  • npmstrapi-plugin-notify
  • npmstrapi-plugin-seed
  • npmstrapi-plugin-server
  • npmstrapi-plugin-sitemap-gen
  • npmstrapi-plugin-sync

Impact

  • Production Strapi CMS hosts and surrounding Redis/PostgreSQL instances at risk
  • Container escape and SSH-based persistent implants
  • Crypto wallet file enumeration on compromised hosts

What to do

  1. 1Remove any strapi-plugin-* package not from the official @strapi scope or known maintainers
  2. 2Audit Strapi production hosts for unauthorised cron entries and Redis writes
  3. 3Block outbound 4444/tcp from build and CMS hosts
  4. 4Validate plugin provenance before installation in CI

References

npm-2026-04-15-strapi-plugins