Security Briefing April 5, 2026 ยท 9 min read

36 Malicious npm Strapi Packages Target Crypto Platforms, React2Shell Harvests 766 Hosts, North Korea Hijacks Axios via Social Engineering

The npm ecosystem is under triple siege: 36 fake Strapi plugins deploy persistent implants targeting cryptocurrency platforms via Redis and PostgreSQL exploitation. Automated React2Shell campaigns harvest credentials from 766 hosts in 24 hours. North Korean hackers social-engineer an Axios maintainer through a fake Microsoft Teams error. Meanwhile, a TrueConf zero-day targets Asian governments, and Apple expands DarkSword exploit protections.


๐Ÿ“ฆ 36 Malicious npm Strapi Packages Deploy Persistent Implants Targeting Crypto Platforms

๐Ÿ”ด CRITICAL โ€” Supply Chain Attack With Database Exploitation and Credential Theft

SafeDep has identified 36 malicious npm packages disguised as Strapi CMS plugins that exploit Redis and PostgreSQL databases, deploy reverse shells, and harvest cryptocurrency secrets. Evidence suggests a targeted attack against a specific crypto platform.

SafeDep has discovered 36 malicious packages in the npm registry, all masquerading as legitimate Strapi v3 community plugins. The packages follow a naming convention starting with strapi-plugin- โ€” while official Strapi plugins use the scoped @strapi/ namespace.

How the Attack Works

Payload Evolution

The campaign shows a clear progression from aggressive exploitation to targeted persistence:

The use of hard-coded database credentials and hostname targeting strongly suggests the attacker had prior access to the target environment โ€” likely through an earlier compromise. Four sock puppet npm accounts uploaded all 36 packages in a single 13-hour window.

Action: Audit all Strapi plugin dependencies. Ensure you're using scoped @strapi/ packages only. If any of the 36 listed packages are installed, consider the system fully compromised โ€” rotate all credentials, database access tokens, and cryptocurrency wallet keys immediately.


๐ŸŒ React2Shell Automated Campaign Harvests Credentials From 766 Hosts in 24 Hours

๐Ÿ”ด CRITICAL โ€” CVE-2025-55182 Mass Exploitation With Automated Secret Exfiltration

Cisco Talos documents threat cluster UAT-10608 operating an automated credential harvesting framework that compromised 766 hosts by exploiting React2Shell in vulnerable Next.js applications.

Cisco Talos has published a detailed analysis of UAT-10608, a threat cluster running an industrial-scale credential harvesting operation via the React2Shell vulnerability (CVE-2025-55182) in Next.js applications.

The NEXUS Listener Framework

Researchers gained access to an exposed instance of the attacker's NEXUS Listener command-and-control platform, revealing the full scope of operations:

The stolen credentials enable cloud account takeover, supply chain attacks, lateral movement via SSH keys, and database access including payment systems. Affected organizations also face regulatory exposure from privacy law violations.

Action: Patch Next.js immediately for CVE-2025-55182. Audit server-side data exposure. Rotate all credentials if compromise is suspected. Enforce AWS IMDSv2, replace reused SSH keys, enable secret scanning, and deploy WAF/RASP protections for Next.js applications.


๐Ÿ‡ฐ๐Ÿ‡ต North Korean Hackers Hijack Axios npm Package via Social Engineering

๐ŸŸ  HIGH โ€” Supply Chain Attack via Maintainer Social Engineering

North Korean threat group UNC1069 compromised the Axios npm package by social-engineering the lead maintainer through a fake Microsoft Teams error, distributing a RAT to macOS, Windows, and Linux systems.

The maintainers of Axios, one of the most popular HTTP client libraries in the JavaScript ecosystem, have published a detailed post-mortem revealing how North Korean hackers infiltrated their project.

The Social Engineering Chain

  1. Fake company impersonation โ€” attackers cloned a legitimate company's branding, including founders' likenesses, and created a convincing Slack workspace with staged channels and fake profiles of employees and other OSS maintainers
  2. Microsoft Teams meeting โ€” the lead maintainer was invited to a scheduled call that appeared to include numerous participants
  3. Fake Teams error โ€” during the call, a technical error prompted the maintainer to install an "update" โ€” actually a RAT (WAVESHAPER.V2)
  4. Credential theft โ€” the RAT gave attackers remote access to the maintainer's device, allowing them to obtain npm credentials
  5. Malicious versions published โ€” Axios versions 1.14.1 and 0.30.4 were pushed with a dependency (plain-crypto-js) containing a cross-platform RAT

Google Threat Intelligence Group attributes the attack to UNC1069, a financially motivated North Korean threat actor active since 2018. The malicious versions were live for approximately three hours before removal.

Action: Check for Axios versions 1.14.1 or 0.30.4 in any project. If installed during the exposure window, consider the system compromised. Rotate all credentials and authentication keys. OSS maintainers should be vigilant against social engineering โ€” verify all software updates through official channels only.


๐ŸŽฅ TrueConf Zero-Day Exploited in Attacks on Asian Governments

๐ŸŸ  HIGH โ€” Chinese Threat Actor Exploits Video Conferencing Platform

A China-linked threat actor has been exploiting a zero-day vulnerability in TrueConf video conferencing software to conduct reconnaissance, escalate privileges, and deploy additional payloads against Asian government targets.

SecurityWeek reports that a Chinese threat actor has been exploiting a previously unknown vulnerability in the TrueConf video conferencing platform to target government organizations across Asia. The attack chain involves:

This follows a growing trend of state-sponsored actors targeting collaboration and video conferencing platforms as entry points into government networks. Organizations using TrueConf should monitor for indicators of compromise and apply patches as soon as they become available.


๐ŸŽ Apple Expands DarkSword Exploit Protections to More Devices

Apple is rolling out additional protections against the DarkSword exploit kit to a wider range of devices. The DarkSword kit, which was leaked on GitHub in late March, has been used by both state-sponsored hackers and commercial spyware vendors to target iPhone users.

Key updates:

Users should update all Apple devices immediately. Those at high risk of targeted surveillance (journalists, activists, diplomats) should enable Lockdown Mode for maximum protection.


๐Ÿฅ European Commission Confirms 300GB+ Breach Linked to Trivy Supply Chain Attack

The European Commission has confirmed a data breach linked to the Trivy supply chain attack, with hackers stealing over 300GB of data from the Commission's AWS environment, including personal information.

This marks the second major breach of EU institutions in recent months, following the TeamPCP/CERT-EU incident that exposed data from 30 Union entities. The breach raises serious questions about supply chain security in critical government infrastructure and the cascading impact of compromised open-source security tools.


๐Ÿ“‹ Quick Hits


๐Ÿ›ก๏ธ Recommended Actions

  1. npm Supply Chain Security: Audit all dependencies for the 36 malicious Strapi packages. Use scoped packages (@strapi/) only. Implement npm audit in CI/CD pipelines. Consider using lockfiles and package provenance verification.
  2. Next.js Operators: Patch CVE-2025-55182 (React2Shell) immediately. Deploy WAF rules to block exploitation attempts. Rotate all environment secrets if you run unpatched Next.js instances.
  3. OSS Maintainers: Enable hardware-based 2FA on all package registry accounts. Verify all software updates through official channels only. Be extremely cautious of unsolicited meeting invitations from unknown companies โ€” especially those involving "error fix" installations.
  4. Video Conferencing: Organizations using TrueConf should apply the latest patches and monitor for IOCs. Consider network segmentation to limit lateral movement from collaboration tools.
  5. Apple Users: Update all devices immediately. Enable Lockdown Mode if you are at elevated risk of targeted surveillance.
  6. Cryptocurrency Operations: Audit all Strapi-based infrastructure. Rotate database credentials, API keys, and wallet keys. Monitor for unauthorized access patterns in Redis and PostgreSQL logs.

Stay Ahead of the Threat Curve

Get daily security intelligence delivered with zero noise.

Explore KENSAI โ†’

KENSAI Security Briefing โ€” April 5, 2026
Compiled from SafeDep, Cisco Talos, Google Threat Intelligence Group, BleepingComputer, The Hacker News, SecurityWeek, and Kaspersky intelligence feeds.