36 fake Strapi plugins on npm deploy persistent implants
Four sock-puppet npm accounts (umarbek1233, kekylf12, tikeqemif26, umar_bektembiev1) uploaded 36 packages over a ~13-hour window impersonating Strapi CMS plugins. Payload evolution moved through 8 variants targeting Redis RCE with cron injection, Docker container escapes, PostgreSQL exploitation on hosts named prod-strapi, Python reverse shells on port 4444, and SSH-key backdoors.
- Detected by
- SafeDep
- Ecosystems
- npm
- Packages tracked
- 36
What happened
SafeDep researchers identified a coordinated burst of 36 malicious npm packages uploaded over a ~13-hour window by four sock-puppet accounts: umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1. Every package is named strapi-plugin-* to ride the trust developers place in the Strapi headless-CMS plugin ecosystem.
Payloads evolved through eight distinct variants over the campaign, suggesting the operator iterated in real time:
- Redis RCE via cron-job injection on reachable Redis instances.
- Docker container escapes targeting mounted sockets.
- PostgreSQL exploitation gated on hostnames matching
prod-strapi. - Python reverse shells phoning home to port
4444/tcp. - SSH-key backdoors for long-term persistence.
- Crypto wallet file enumeration across the host filesystem.
The hard-coded prod-strapi hostname check and the wallet-enumeration logic point to a targeted cryptocurrency platform rather than opportunistic theft, although SafeDep stopped short of naming a specific victim. Because Strapi plugin names follow a permissive strapi-plugin-* convention with no scope enforcement, anyone publishing to npm can squat plausible-looking names — make plugin provenance verification a hard requirement in CI.
Affected packages (36)
- npm
strapi-plugin-advanced-uuid - npm
strapi-plugin-api - npm
strapi-plugin-blurhash - npm
strapi-plugin-cms-tools - npm
strapi-plugin-config - npm
strapi-plugin-content-sync - npm
strapi-plugin-core - npm
strapi-plugin-cron - npm
strapi-plugin-database - npm
strapi-plugin-debug-tools - npm
strapi-plugin-events - npm
strapi-plugin-finseven - npm
strapi-plugin-form - npm
strapi-plugin-guardarian-ext - npm
strapi-plugin-health - npm
strapi-plugin-health-check - npm
strapi-plugin-hextest - npm
strapi-plugin-hooks - npm
strapi-plugin-locale - npm
strapi-plugin-logger - npm
strapi-plugin-monitor - npm
strapi-plugin-nordica - npm
strapi-plugin-nordica-api - npm
strapi-plugin-nordica-cms - npm
strapi-plugin-nordica-deep - npm
strapi-plugin-nordica-lite - npm
strapi-plugin-nordica-recon - npm
strapi-plugin-nordica-stage - npm
strapi-plugin-nordica-sync - npm
strapi-plugin-nordica-tools - npm
strapi-plugin-nordica-vhost - npm
strapi-plugin-notify - npm
strapi-plugin-seed - npm
strapi-plugin-server - npm
strapi-plugin-sitemap-gen - npm
strapi-plugin-sync
Impact
- Production Strapi CMS hosts and surrounding Redis/PostgreSQL instances at risk
- Container escape and SSH-based persistent implants
- Crypto wallet file enumeration on compromised hosts
What to do
- 1Remove any
strapi-plugin-*package not from the official@strapiscope or known maintainers - 2Audit Strapi production hosts for unauthorised cron entries and Redis writes
- 3Block outbound 4444/tcp from build and CMS hosts
- 4Validate plugin provenance before installation in CI