36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Sunday, April 5, 2026 at 05:07 AM UTC·Source: The Hacker News

Updated: Monday, April 6, 2026 at 12:17 AM UTC

Executive Summary

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant. "Every package contains three files (package.json, index.js, postinstall.js), has no description, repository,

Analysis

Source Attribution

Originally published by The Hacker News on Apr 5, 2026.

Related Threats

MEDIUMSupply Chain

Mercor Breach Linked to LiteLLM Supply-Chain Attack

<img src="https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/articles/mercor-breach-linked-to-litellm-supply-chain-attack-image_small-1-a-31340.jpg" align=right hspace=4><b>AI Dependency Attack Reportedly Exposes Data and Source Code</b><br>A LiteLLM supply-chain compromise enabled attackers to harvest credentials and access internal environments at scale at Mercor. The firm was the first to confirm

2h agoBank Info Security

MEDIUMSupply Chain

Axios npm hack used fake Teams error fix to hijack maintainer account

The maintainers of the popular Axios HTTP client have published a detailed post-mortem describing how one of its developers was targeted by a social engineering campaign believed to have been conducted by North Korean threat actors. [...]

1d agoBleepingComputer

MEDIUMSupply Chain

Do not get high(jacked) off your own supply (chain)

In the span of just a few weeks, we have observed a dizzying array of major supply chain attacks. If we are all building on such shaky foundation, what can we do to keep safe?

2d agoCisco Talos