Malicious Package Affecting strapi-plugin-content-sync package, versions *

Q: How to fix?

Avoid using all malicious instances of the strapi-plugin-content-sync package.

Threat Intelligence

Attacked

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-STRAPIPLUGINCONTENTSYNC-15907586
published5 Apr 2026
disclosed2 Apr 2026
creditSafeDep Team

Report a new vulnerability Found a mistake?

Introduced: 2 Apr 2026

New Malicious CWE-506 (opens in a new tab)

How to fix?

Avoid using all malicious instances of the strapi-plugin-content-sync package.

Overview

strapi-plugin-content-sync is a malicious package. This package contains malicious code that conceals a command-and-control agent and credential harvester. A malicious actor published a coordinated campaign of thirty-six packages disguised as community Strapi CMS plugins. These packages aren't affiliated with the official Strapi project, which is scoped under @strapi/. Using unscoped names is a social engineering tactic, and the packages serve no legitimate purpose.

References

SafeDeep Research

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None