Executive Summary
In April 2026, cybersecurity researchers identified 36 malicious npm packages masquerading as Strapi CMS plugins. These packages exploited Redis and PostgreSQL databases to deploy reverse shells, harvest credentials, and establish persistent implants. The malicious code was embedded in the packages' postinstall script hook, so it executed at installation time without any user interaction, which in CI/CD environments and Docker containers often means running as root. The attackers used a range of payloads, including remote code execution via Redis, Docker container escapes, and credential harvesting, indicating a sophisticated and evolving threat. This incident underscores the escalating risk of software supply chain attacks, particularly within open-source ecosystems. The attackers' ability to infiltrate widely used package repositories highlights the urgent need for stronger security measures in software development pipelines. Organizations are advised to audit their dependencies, implement strict access controls, and monitor for anomalous activity to mitigate such threats.
Why This Matters Now
The incident highlights the growing threat of supply chain attacks targeting open-source ecosystems, emphasizing the need for enhanced security measures in software development pipelines.
Attack Path Analysis
Attackers introduced malicious npm packages disguised as Strapi CMS plugins, leading to unauthorized code execution and credential harvesting. They exploited Redis and PostgreSQL databases to escalate privileges and move laterally within the environment. Reverse shells were deployed to establish command and control channels, facilitating data exfiltration and persistent implants.
Kill Chain Progression
Initial Compromise
Description
Attackers introduced 36 malicious npm packages disguised as Strapi CMS plugins, which, when installed, executed malicious code via the postinstall script hook.
Related CVEs
CVE-2024-46981
CVSS 9.8
A specially crafted Lua script executing within Redis may be able to manipulate the Lua VM garbage collector, potentially leading to Remote Code Execution (RCE).
Affected Products:
Redis Redis – < 7.4.2
Exploit Status:
no public exploit

CVE-2024-51737
CVSS 7
An authenticated Redis user executing FT.SEARCH or FT.AGGREGATE with a specially crafted LIMIT command argument, or FT.SEARCH with a specially crafted KNN command argument, can trigger an integer overflow, leading to a heap overflow and potential remote code execution.
Affected Products:
Redis RediSearch – < 2.10.10
Exploit Status:
no public exploit

CVE-2024-51480
CVSS 7
Executing TS.QUERYINDEX, TS.MGET, TS.MRANGE, or TS.MREVRANGE commands by an authenticated user, using specially crafted command arguments, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution.
Affected Products:
Redis RedisTimeSeries – < 1.12.5
Exploit Status:
no public exploit

CVE-2024-55656
CVSS 8.8
Executing the CMS.INITBYDIM command by an authenticated user, using large WIDTH and DEPTH command arguments, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution.
Affected Products:
Redis RedisBloom – < 2.8.5
Exploit Status:
no public exploit

CVE-2025-21605
CVSS 7.5
By default, the Redis configuration does not limit the client output buffer, so the buffer can grow without bound over time. As a result, memory is exhausted and the service becomes unavailable.
Affected Products:
Redis Redis – < 7.4.2
Exploit Status:
no public exploit

CVE-2025-46818
CVSS 7.3
Redis versions 8.2.1 and below contain a vulnerability that allows an authenticated user to use a specially crafted Lua script to manipulate different Lua objects and potentially run their own code in the context of another user.
Affected Products:
Redis Redis – < 8.2.2
Exploit Status:
proof of concept

CVE-2025-46819
CVSS 7.1
A medium-severity vulnerability in Redis allows an authenticated user to exploit a Lua scripting flaw, potentially leading to server crashes or data exposure.
Affected Products:
Redis Redis – < 8.2.2
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
User Execution: Malicious Library
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Command and Scripting Interpreter: JavaScript
Process Injection: Dynamic-link Library Injection
Application Layer Protocol: Web Protocols
Valid Accounts: Local Accounts
OS Credential Dumping: LSASS Memory
Ingress Tool Transfer
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Supply Chain Risk Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Direct exposure to malicious npm packages targeting development workflows, with Redis/PostgreSQL exploitation threatening CI/CD pipelines and source code repositories.
Information Technology/IT
High risk from supply chain attacks exploiting database infrastructure, requiring enhanced egress security and zero trust segmentation for client environments.
Financial Services
Critical threat to transaction systems using Redis/PostgreSQL backends, demanding immediate PCI compliance controls and encrypted traffic monitoring for data protection.
Health Care / Life Sciences
Severe HIPAA compliance risk from database exploitation and credential harvesting, necessitating enhanced anomaly detection and multicloud visibility controls.
Sources
- 36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants (https://thehackernews.com/2026/04/36-malicious-npm-packages-exploited.html)
- Security Advisory: CVE-2024-46981, CVE-2024-51737, CVE-2024-51480, CVE-2024-55656 (https://redis.io/blog/security-advisory-cve-2024-46981-cve-2024-51737-cve-2024-51480-cve-2024-55656/)
- Security Advisory: CVE-2025-21605 (https://redis.io/blog/security-advisory-cve-2025-21605/)
- CVE-2025-46818: Redis vulnerability analysis and mitigation (https://www.wiz.io/vulnerability-database/cve/cve-2025-46818)
- CVE-2025-46819: Medium Vulnerability in Redis (https://www.appsecure.security/vulnerability-database/cve-2025-46819/)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlling east-west traffic within the cloud environment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to execute malicious code through compromised packages would likely be constrained, reducing the risk of unauthorized code execution.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges through Redis exploitation would likely be constrained, reducing the risk of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally through Docker escapes and database access would likely be constrained, reducing the risk of widespread system compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish persistent command and control channels would likely be constrained, reducing the risk of sustained unauthorized access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the risk of data loss.
The attacker's ability to maintain long-term access and cause further disruption would likely be constrained, reducing the risk of ongoing compromise.
Impact at a Glance
Affected Business Functions
- Content Management System (CMS)
- Database Management
- Web Application Services
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of sensitive user data and credentials stored within the CMS and associated databases.
Recommended Actions
Key Takeaways & Next Steps
- Implement strict supply chain security measures to verify the integrity of third-party packages before deployment.
- Utilize Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement within the network.
- Deploy East-West Traffic Security controls to monitor and restrict internal traffic, mitigating the risk of lateral movement.
- Establish Egress Security & Policy Enforcement to control outbound traffic and prevent unauthorized data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to unusual activities indicative of compromise.