
Malicious Strapi npm plugin steals secrets and opens C2

2 min read | Published 03 Apr 2026 | Updated 03 Apr 2026 | Source: OSV (Open Source Vulnerabilities)

TL;DR — The strapi-plugin-form npm package is malware: its postinstall steals secrets and establishes a polling C2 channel that can execute attacker-provided shell commands.

What happened

Strapi is a Node.js headless CMS; its plugins are distributed as npm packages, so they enter application repos and build pipelines as ordinary dependencies. OSV published MAL-2026-2462 for strapi-plugin-form, describing it as a malicious package disguised as a Strapi plugin that runs on install. (osv.dev)

Per OSV, the postinstall payload performs a multi-stage collection of .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology, then starts a polling C2 loop that can accept and execute arbitrary shell commands. (osv.dev)

SafeDep’s analysis links strapi-plugin-form to a broader campaign of Strapi-themed malicious packages published from multiple sock-puppet npm accounts, suggesting an active, iterating software supply-chain operation (not a one-off “oops” package). The practical risk is high because install-time malware runs inside developer workstations and CI/CD runners where high-value secrets (cloud creds, signing keys, deploy tokens) are routinely present. (safedep.io)

Who is impacted

  • Any environment that installed strapi-plugin-form from npm (developer machines, CI runners, or production build hosts).
  • OSV marks the affected range as introduced at 0 (i.e., all versions of the package are considered affected/malicious).
Component             Affected versions (per OSV)
strapi-plugin-form    All versions

(osv.dev)

What to do now

  • Identify exposure: search org-wide lockfiles, artifacts, and build logs for strapi-plugin-form, then remove it from dependency manifests.
  • Treat execution as a compromise event; SafeDep’s guidance is explicit:
    • "If you installed any of these ten packages, assume full compromise."

  • Rotate secrets reachable from affected hosts (API keys, database passwords, JWT secrets, Kubernetes service account tokens, and private keys) and review downstream systems those credentials can access.
  • Hunt for persistence and postinstall artifacts called out by SafeDep (example file paths: /tmp/.node_gc.js, /tmp/vps_shell.sh, /tmp/redis_exec.sh, /app/public/uploads/shell.php; example network indicator: outbound connections to 144.31.107.231). (safedep.io)
  • Add supply-chain guardrails: restrict Strapi plugins to an allowlist, require dependency pinning/review for newly introduced packages, and consider install-time package blocking/attestation in CI for npm dependencies. (safedep.io)
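The following script is an added example, not code from JustAppSec, OSV or SafeDep. It turns the first, fourth and fifth steps above into repeatable checks: it looks for strapi-plugin-form in package-lock.json (lockfileVersion 1, 2 and 3) and yarn.lock v1, scans build-log or file-listing lines for the SafeDep indicators quoted above, and checks whether a project's .npmrc sets npm's ignore-scripts option, which is one concrete form of install-time blocking. All inputs (lockfiles, log lines, .npmrc contents, the version string 1.0.3) are constructed samples embedded in the script.

```python
"""Triage helper for the strapi-plugin-form advisory (OSV MAL-2026-2462).

Added example; not code from JustAppSec, OSV or SafeDep. Three checks:
  1. exposure  - does a lockfile reference strapi-plugin-form?
  2. hunt      - do log/listing lines mention SafeDep's indicators?
  3. guardrail - does .npmrc set ignore-scripts=true (npm skips postinstall)?
"""
from __future__ import annotations
import json
import re

MALICIOUS_PACKAGE = "strapi-plugin-form"

# Indicators as quoted in the advisory (SafeDep's example paths and IP).
IOC_PATHS = {"/tmp/.node_gc.js", "/tmp/vps_shell.sh",
             "/tmp/redis_exec.sh", "/app/public/uploads/shell.php"}
IOC_IPS = {"144.31.107.231"}
ALL_IOCS = sorted(IOC_PATHS | IOC_IPS)  # sorted so findings are deterministic


def _walk_v1_deps(deps: dict, hits: set) -> None:
    """Recurse through the nested 'dependencies' tree of a lockfileVersion 1 file."""
    for name, meta in deps.items():
        if name == MALICIOUS_PACKAGE:
            hits.add(meta.get("version", "unknown"))
        _walk_v1_deps(meta.get("dependencies", {}), hits)


def lockfile_references(lock_text: str) -> list[str]:
    """Versions of strapi-plugin-form found in a lockfile, [] if absent.

    Any hit is a finding: OSV marks every version of the package as malicious.
    """
    hits: set = set()
    try:
        lock = json.loads(lock_text)
    except json.JSONDecodeError:
        # Not JSON: treat as yarn.lock v1, whose entries look like
        #   "strapi-plugin-form@^1.0.0":
        #     version "1.0.3"
        pattern = rf'^"?{re.escape(MALICIOUS_PACKAGE)}@[^"\n]*"?:\n\s+version "([^"]+)"'
        hits.update(m.group(1) for m in re.finditer(pattern, lock_text, re.M))
        return sorted(hits)
    if not isinstance(lock, dict):
        return []
    # lockfileVersion 2/3: flat "packages" map keyed by install path
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + MALICIOUS_PACKAGE):
            hits.add(meta.get("version", "unknown"))
    # lockfileVersion 1 (and the compatibility section of v2): nested tree
    _walk_v1_deps(lock.get("dependencies", {}), hits)
    return sorted(hits)


def find_indicators(lines: list[str]) -> list[tuple[int, str]]:
    """(line_number, indicator) for every line containing a known IoC path or IP."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for ioc in ALL_IOCS:
            if ioc in line:
                findings.append((n, ioc))
    return findings


def install_scripts_blocked(npmrc_text: str) -> bool:
    """True when .npmrc sets ignore-scripts=true, so npm skips lifecycle scripts."""
    for raw in npmrc_text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0].strip()  # drop npmrc comments
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "ignore-scripts":
                return value.lower() == "true"
    return False


def triage(lock_text: str, log_lines: list[str], npmrc_text: str) -> dict:
    """One report; 'assume_compromised' follows the advisory: installed means compromised."""
    versions = lockfile_references(lock_text)
    return {"package_versions": versions,
            "indicators": find_indicators(log_lines),
            "install_scripts_blocked": install_scripts_blocked(npmrc_text),
            "assume_compromised": bool(versions)}


# --- Constructed sample inputs (not real artefacts from the campaign) ---
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {"": {"dependencies": {MALICIOUS_PACKAGE: "^1.0.0"}},
                 "node_modules/" + MALICIOUS_PACKAGE: {"version": "1.0.3"},
                 "node_modules/lodash": {"version": "4.17.21"}}})
SAMPLE_YARN_LOCK = ('# yarn lockfile v1\n\n"strapi-plugin-form@^1.0.0":\n'
                    '  version "1.0.3"\n')
SAMPLE_BUILD_LOG = ["npm notice created a lockfile as package-lock.json",
                    "> strapi-plugin-form@1.0.3 postinstall",
                    "connect 144.31.107.231:443",
                    "wrote /tmp/.node_gc.js"]
SAMPLE_NPMRC_WEAK = "registry=https://registry.npmjs.org/\n"
SAMPLE_NPMRC_HARDENED = SAMPLE_NPMRC_WEAK + "ignore-scripts=true ; no postinstall in CI\n"

if __name__ == "__main__":
    for label, lock in (("package-lock.json", SAMPLE_PACKAGE_LOCK),
                        ("yarn.lock", SAMPLE_YARN_LOCK)):
        print(label, triage(lock, SAMPLE_BUILD_LOG, SAMPLE_NPMRC_WEAK))
    print("hardened .npmrc blocks scripts:", install_scripts_blocked(SAMPLE_NPMRC_HARDENED))
```

Run it over real lockfiles and CI logs by feeding their contents to `triage`. Two caveats: `ignore-scripts=true` disables every lifecycle script, including legitimate native build steps, so packages that need them will have to be built explicitly; and a clean report here only rules out the indicators quoted in the advisory, it does not undo the "assume full compromise" rule once the package was installed.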

Additional Information

  • OSV record / import source: MAL-2026-2462 (strapi-plugin-form). (osv.dev)
  • SafeDep’s campaign write-up (“Thirty-Six Malicious npm Strapi Packages…”), including the publisher accounts it attributes to the operation: umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1. (safedep.io)
