What does strapi-plugin-events do?

It exfils .env secrets, grabs infra creds like Redis/Docker, and opens a 5-min reverse shell for RCE—all on npm install.

Are all Strapi npm plugins safe?

No. Unscoped ones are suspect. Stick to official strapi/ scoped packages and verify publishers.

Audit deps with npm audit/Snyk, use lockfiles, scoped-only policy, and monitor for unscoped installs targeting your stack.

📦 Open Source

Ever wonder if that shiny new Strapi plugin is secretly phoning home with your database creds? One dev team's nightmare is now live on npm.

DevTools Feed Apr 04, 2026 3 min read

Malicious unscoped npm packages like strapi-plugin-events trigger zero-click attacks stealing creds and enabling RCE. 𝕏
Attackers exploit npm's lax publishing; always verify scopes and publishers for Strapi plugins. 𝕏
Audit now: rotate secrets, use security scanners, and predict more supply-chain hits ahead. 𝕏

Published by

Ship faster. Build smarter.

#Strapi security #data exfiltration #malicious npm packages #supply chain attack

Get the best Developer Tools stories of the week in your inbox — no noise, no spam.

Originally reported by dev.to