Malicious npm Packages Disguised as Strapi Plugins Enable Data Exfiltration and Remote Code Execution
Source: DEV Community
Introduction & Threat Overview

Right now, as you read this, a malicious actor is actively poisoning the Strapi plugin ecosystem with npm packages designed to infiltrate, exfiltrate, and execute. The latest drop? strapi-plugin-events, version 3.6.8, a package crafted to mimic legitimate community plugins like strapi-plugin-comments and strapi-plugin-upload. It’s not just a theoretical threat; it’s live, operational, and targeting developers who trust the npm ecosystem implicitly.

Here’s how it works: upon npm install, the package triggers an 11-phase attack chain requiring zero user interaction. It systematically:

- Steals sensitive files: scans for .env files, extracts JWT secrets, and grabs database credentials. Mechanically, it parses the file system, identifies these files by pattern matching, and exfiltrates their contents via an encrypted channel.
- Dumps critical infrastructure secrets: extracts Redis keys, Docker and Kubernetes secrets, and private keys. This is achieved by queryi