Malicious npm Packages Disguised as Plugins Target Developers

Security researchers have uncovered a campaign involving 36 malicious npm packages disguised as legitimate plugins, targeting developers and backend systems. These packages impersonated popular Strapi CMS plugins, making them appear safe and trustworthy to unsuspecting users.

Once installed, the packages deployed hidden payloads capable of exploiting services like Redis and PostgreSQL, opening reverse shells, stealing credentials, and installing persistent backdoors. This allowed attackers to gain long-term access to compromised environments.

What makes this campaign stand out is its sophistication. Instead of using a single method, attackers distributed multiple variants with different techniques, showing continuous development and adaptation.

This case highlights the growing risk of software supply chain attacks. Developers should always verify packages, review dependencies carefully, and avoid installing untrusted or unfamiliar plugins.
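As an added example (not code from the article or from the Strapi project), here is the kind of dependency-review check a developer could run over a project's package.json: it flags dependencies whose names mimic official Strapi plugins but are published outside the official scope. The "@strapi/" scope, the short plugin allowlist and the package.json fragment are assumptions and constructed sample data.

```javascript
// Added example, not code from the article or from the Strapi project.
// Assumption: official Strapi plugins live under the "@strapi/" npm scope; the allowlist is a constructed sample.
const OFFICIAL_SCOPE = "@strapi/";
const OFFICIAL_PLUGINS = ["@strapi/plugin-i18n", "@strapi/plugin-graphql", "@strapi/plugin-users-permissions"];

// Reduce a package name to the bare plugin name so that "@strapi/plugin-i18n",
// "strapi-plugin-i18n" and "@strpai/plugin-i18n" all compare as "i18n".
function baseName(name) {
  return name
    .toLowerCase()
    .replace(/^@[^/]+\//, "") // drop any scope
    .replace(/^(strapi-)?plugin-/, ""); // drop the plugin prefix
}

// Levenshtein distance, used to catch one-character typosquats.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Report any dependency outside the official scope whose bare name equals, or is
// one edit away from, an official plugin. Findings are for manual review, not proof.
function findLookalikes(pkg, official = OFFICIAL_PLUGINS) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (name.startsWith(OFFICIAL_SCOPE)) continue; // published by the Strapi org itself
    for (const legit of official) {
      const dist = editDistance(baseName(name), baseName(legit));
      if (dist <= 1) findings.push({ name, resembles: legit, exact: dist === 0 });
    }
  }
  return findings;
}

// Constructed package.json fragment: two lookalikes among legitimate entries.
const SAMPLE_PACKAGE_JSON = { dependencies: {
  "@strapi/strapi": "5.0.0", "@strapi/plugin-i18n": "5.0.0", "strapi-plugin-i18n": "1.0.2",
  "@strapi-plugins/plugin-graphqI": "5.0.0", express: "4.19.2" } };
console.log(findLookalikes(SAMPLE_PACKAGE_JSON));
```

Run against a real package.json with `findLookalikes(require("./package.json"))`; every finding should be checked against the registry's publisher and repository metadata before the dependency is kept.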

source: https://thehackernews.com/2026/04/36-malicious-npm-packages-exploited.html