Severity: High | Published: 2026-04-07 | CVSS: N/A | Tags: supply-chain, npm, rat, redis, postgresql, javascript, persistence

36 Malicious npm Packages Deploy Persistent RATs via Redis and PostgreSQL

Thirty-six malicious packages were discovered on the public npm registry. Each uses a postinstall script to drop a cross-platform Remote Access Trojan (RAT) that relies on Redis and PostgreSQL for persistence and command handling.

Context

In April 2026, security researchers identified 36 malicious npm packages published on the public registry. These packages impersonated legitimate Redis, PostgreSQL, and common development utilities. Once installed, their postinstall scripts silently triggered the deployment of a cross-platform RAT targeting Windows, Linux, and macOS.

Attack Mechanism

The attack unfolds in several stages:

  1. Silent installation — the postinstall script runs automatically during npm install, requiring no user interaction
  2. Payload download — a RAT binary is fetched from a remote server based on the detected platform (Windows/Linux/macOS)
  3. Redis exploitation — the RAT uses a local or network-accessible Redis instance to store its persistence configuration and command data
  4. PostgreSQL exploitation — stored procedures or exposed PostgreSQL connections serve as a secondary channel for data exfiltration or command reception
  5. Persistence — the RAT registers as a system service on Windows, via crontab or a systemd unit on Linux, and via crontab on macOS (macOS has no systemd)

Affected Packages

The malicious packages used names mimicking legitimate libraries:

  • Fake Redis utilities (redis-helper, redis-utils-client, and variations)
  • Fake PostgreSQL connectors (pg-connect-utils, postgres-driver-helper, and variations)
  • Fake general-purpose dev tools typosquatting popular packages

Most packages had fewer than 500 downloads, which points to targeted distribution rather than a mass campaign. Note that registry download counts include mirrors and automated scanners, so a low count does not mean a package reached no real victims.

Impact

A compromised environment gives the attacker the ability to:

  • Execute arbitrary commands on the developer machine or CI/CD server
  • Exfiltrate secrets — environment variables, SSH keys, cloud tokens, database credentials
  • Pivot on the internal network through existing Redis/PostgreSQL connections
  • Maintain persistent access across machine reboots

Detection

Check whether your environment is affected:

# List installed packages that declare install-time hooks. npm ls does not
# print the scripts field, so read each package.json directly (requires jq).
find node_modules -name package.json -exec jq -r \
  'select(.scripts.preinstall or .scripts.install or .scripts.postinstall)
   | "\(.name)@\(.version): \(.scripts | tojson)"' {} \; 2>/dev/null

# Look for outbound connections from node processes after npm install
# Linux (root is needed to see process names for other users' sockets)
sudo ss -tnp | grep -i node
# macOS (ss is not available; use lsof)
sudo lsof -nP -iTCP -sTCP:ESTABLISHED | grep -i node

# Check for new cron entries (user and system scope)
crontab -l
ls -la /etc/cron.d/ /var/spool/cron/ 2>/dev/null
cat /etc/cron.d/* 2>/dev/null

# Linux: running services and recently modified unit files
systemctl list-units --type=service --state=running
ls -lat /etc/systemd/system/ ~/.config/systemd/user/ 2>/dev/null

# Windows (PowerShell): services whose binary lives outside the usual locations
Get-CimInstance Win32_Service |
  Where-Object { $_.PathName -notmatch 'System32|Program Files' } |
  Select-Object Name, PathName, StartMode

# Audit installed packages. This only reports packages that already have a
# registry advisory; a freshly published malicious package will not show up
# until it has been reported and an advisory issued.
npm audit

Signs of infection:

  • Active node processes running without an obvious reason after installation
  • New crontab entries or system services created after npm install
  • Outbound connections to unknown IPs from Node.js-related processes
  • Redis commands or PostgreSQL statements in logs that your application does not issue (for example CONFIG SET on Redis, or functions created in PostgreSQL by the application role)

Remediation

  1. Remove suspicious packages identified in your node_modules
  2. Rotate all secrets accessible on the affected machine immediately
  3. Isolate the machine from the network if an active infection is suspected
  4. Reinstall from a clean environment — do not reuse a potentially compromised node_modules
  5. Audit your Redis and PostgreSQL instances for unexpected keys or functions:
    # Redis: enumerate keys without blocking the server (KEYS * blocks on large datasets)
    redis-cli --scan

    # Redis: where a dump would be written. A cron or .ssh directory here means
    # the instance has been used as a file-write primitive.
    redis-cli CONFIG GET dir
    redis-cli CONFIG GET dbfilename

    # PostgreSQL: user-defined functions and procedures outside the system
    # schemas, newest first, with their language. (Filtering on prolang != 12
    # only excludes the built-in "internal" language and still returns every
    # catalog function.)
    SELECT n.nspname, p.proname, l.lanname, p.prosrc
    FROM pg_proc p
    JOIN pg_namespace n ON n.oid = p.pronamespace
    JOIN pg_language l ON l.oid = p.prolang
    WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
    ORDER BY p.oid DESC LIMIT 20;

  6. Enable Redis authentication (requirepass or ACL users) if not already done — an unauthenticated Redis reachable from the developer machine is a common attack vector

Recommendations

  • Inspect install hooks before installing an unknown package: npm view <package> scripts shows the declared hooks without installing anything; npm pack <package> followed by tar -tzf <tarball> lets you review the files those hooks run
  • Use --ignore-scripts wherever install hooks are unnecessary (npm ci --ignore-scripts, or ignore-scripts=true in .npmrc); packages that genuinely need a native build can then be rebuilt explicitly with npm rebuild <package>
  • Bind Redis to loopback (bind 127.0.0.1), keep protected-mode yes and set requirepass — never expose Redis on 0.0.0.0 without authentication
  • Restrict PostgreSQL privileges — application connections should never have SUPERUSER rights, nor membership in pg_execute_server_program or pg_read_server_files, which allow command execution and file access from SQL
  • Integrate a supply chain scanner (Socket.dev, Snyk, Dependabot) into your CI/CD pipeline to detect suspicious behavior in install scripts