Cybersecurity researchers have found 36 malicious packages in the npm registry. Each package has three files and is made to look like a mature Strapi v3 community plugin built for version 3.6.8.
All of the packages that were found follow the same naming convention, which starts with "strapi-plugin-". Below is a list of how the payload has changed over the course of this campaign:

1. Set up a local Redis instance that can run code remotely, and add a crontab entry that downloads and runs a PHP web shell and a Node.js reverse shell script from an external server every minute.
2. Use Redis exploitation to write shell payloads outside of the container and escape from the Docker container.
3. Start a direct Python reverse shell on port 4444 and use Redis to add a reverse-shell trigger to the app's node_modules directory.
4. Run a credential harvester and reconnaissance payload that dumps environment variables, extracts Redis databases, maps the network topology, and collects Docker/Kubernetes secrets, cryptographic keys, and cryptocurrency wallet files.

This discovery fits with reports that say supply chain attacks on open-source software are becoming "the dominant force reshaping the global cyber threat landscape." Threat actors are increasingly using trusted vendors, open-source software, SaaS platforms, browser extensions, and managed service providers to get into hundreds of other organizations.
"Package repositories like npm and PyPI are now prime targets for stolen maintainer credentials and automated malware worms to compromise widely used libraries," Group-IB said.
The report said that supply chain threats can quickly turn a small, localized breach into a large, cross-border incident, because attackers have industrialized supply chain compromises and turned them into self-reinforcing ecosystems that offer reach, speed, and stealth. Group-IB published the report, which is based on interviews with over 100 security experts and other specialists from around the world.
Visit www.group-IB.com for more.