36 malicious npm packages masquerading as Strapi CMS plugins, discovered by SafeDep. All are named strapi-plugin-* to mimic the naming convention used by real community plugins, and all carry version 3.6.8 so they look like mature, long-published packages rather than fresh uploads. Four sock-puppet accounts published them. The packages exploit Redis and PostgreSQL services, deploy reverse shells, harvest credentials, and install persistent implants. Official Strapi plugins are published under the @strapi/ scope; an unscoped strapi-plugin-* name is a naming-convention difference most developers wouldn't catch during dependency review.
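The naming and version pattern above is mechanically checkable. The script below is an added example (not SafeDep's tooling or anything from the article) that walks a package.json and a package-lock.json (v2/v3 "packages" layout), lists every unscoped strapi-plugin-* dependency, including transitive ones from the lockfile, and raises severity when the resolved version is exactly 3.6.8. The package names and manifests in it are constructed for the example; the hasInstallScript check is a general lockfile heuristic added here, not something the article reports about this campaign.

```javascript
// Added example: audit npm manifests for unscoped strapi-plugin-* dependencies.
// Official Strapi plugins live under the @strapi/ scope; the malicious packages
// described above were all unscoped and all versioned 3.6.8.

const CAMPAIGN_VERSION = "3.6.8"; // version shared by all 36 malicious packages

// Official Strapi packages are scoped; anything under @strapi/ is skipped.
function isOfficialStrapi(name) {
  return name.startsWith("@strapi/");
}

// Unscoped names following the community "strapi-plugin-*" convention.
function looksLikeStrapiPlugin(name) {
  return !name.startsWith("@") && /^strapi-plugin-/.test(name);
}

// Normalise a range like "^3.6.8" or "~3.6.8" to its bare version string.
function bareVersion(range) {
  return String(range).replace(/^[~^=v]+/, "");
}

// Build one finding; severity is "high" when the version matches the campaign.
function makeFinding(name, version, extraReasons, location) {
  const reasons = ["unscoped strapi-plugin-* name (official plugins are @strapi/*)"];
  const matchesCampaign = bareVersion(version) === CAMPAIGN_VERSION;
  if (matchesCampaign) reasons.push(`version ${version} matches the campaign's 3.6.8`);
  reasons.push(...extraReasons);
  return { name, version, ...location, severity: matchesCampaign ? "high" : "review", reasons };
}

// Direct dependencies declared in package.json.
function auditManifest(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (isOfficialStrapi(name) || !looksLikeStrapiPlugin(name)) continue;
      findings.push(makeFinding(name, range, [], { field }));
    }
  }
  return findings;
}

// Resolved packages in package-lock.json (lockfileVersion 2 or 3), including
// transitive installs nested under other packages' node_modules.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = path.split("node_modules/").pop();
    if (isOfficialStrapi(name) || !looksLikeStrapiPlugin(name)) continue;
    // General heuristic (not from the article): install scripts run at npm install time.
    const extra = entry.hasInstallScript ? ["declares an install lifecycle script"] : [];
    findings.push(makeFinding(name, entry.version, extra, { path }));
  }
  return findings;
}

// Constructed sample inputs; the strapi-plugin-* names are hypothetical.
const SAMPLE_PACKAGE_JSON = {
  name: "my-site",
  dependencies: {
    "@strapi/strapi": "^4.25.0",
    "@strapi/plugin-i18n": "^4.25.0",
    "strapi-plugin-example-sync": "3.6.8",
    "strapi-plugin-sitemap-helper": "^1.2.0",
  },
  devDependencies: { eslint: "^9.0.0" },
};

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-site" },
    "node_modules/@strapi/strapi": { version: "4.25.0" },
    "node_modules/strapi-plugin-example-sync": { version: "3.6.8", hasInstallScript: true },
    "node_modules/strapi-plugin-sitemap-helper": { version: "1.2.3" },
    "node_modules/some-lib/node_modules/strapi-plugin-nested-cache": { version: "3.6.8" },
  },
};

// Stand-alone run: print findings from both files for review.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify({
    manifest: auditManifest(SAMPLE_PACKAGE_JSON),
    lockfile: auditLockfile(SAMPLE_LOCK),
  }, null, 2));
}
```

Treat the output as a review list, not a blocklist: legitimate community plugins are also published unscoped as strapi-plugin-*, so a name match alone is only a prompt to check the publisher and repository, while an exact 3.6.8 match on an unscoped name is the signature worth escalating. Running it against the lockfile rather than only package.json matters because a lookalike pulled in transitively never appears in your own dependency list.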
Source: https://thehackernews.com/2026/04/36-malicious-npm-packages-exploited.html