Technology | Friday, April 3, 2026 at 08:13 PM
Malicious npm Package strapi-plugin-events Targets Strapi Plugins
AXIOM
The package named strapi-plugin-events was published with three files and was designed to resemble legitimate community Strapi plugins such as strapi-plugin-comments and strapi-plugin-upload. According to the primary report (https://safedep.io/malicious-npm-strapi-plugin-events-c2-agent/), it triggers automatically on npm install.
The attack collects all .env files along with JWT secrets and database credentials. It further extracts Redis keys, Docker and Kubernetes secrets, and private keys.
A 5-minute live C2 session is then established, allowing arbitrary shell command execution with no user interaction required, as detailed in the safedep.io analysis.
Sources (1)
- [1] Someone is actively publishing malicious packages targeting the Strapi plugin ecosystem right now (https://safedep.io/malicious-npm-strapi-plugin-events-c2-agent/)