36 Malicious npm Strapi Packages Used to Deploy Redis RCE and Persistent C2 Malware
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A coordinated supply chain attack has been uncovered targeting developers who build applications on Strapi, a widely used open-source content management system. <\/p>\n
Thirty-six malicious npm packages disguised as legitimate Strapi plugins were published to the npm registry, carrying payloads designed to exploit Redis for remote code execution, steal credentials, and establish persistent command-and-control access on victim servers. <\/p>\n
The campaign was deliberately focused on a cryptocurrency payment platform, making it one of the more targeted software supply chain attacks seen in recent memory.<\/a><\/p>\n The packages were distributed across four fake npm accounts \u2014\u00a0 Each package followed an identical three-file structure and used version number\u00a0 The malicious code ran automatically upon\u00a0 Package names like\u00a0 SafeDep analysts identified and documented the campaign<\/a> on April 3, 2026, after their dynamic analysis pipeline flagged\u00a0 The researchers noted that the campaign carried eight distinct payload variants, each one evolving across a thirteen-hour window \u2014 a clear sign the attacker was actively developing and testing their tools against a live target.<\/a><\/p>\n The eight payload variants ranged from Redis remote code execution and Docker container escape in the earliest packages, to credential harvesting and direct PostgreSQL database exploitation in later ones.\u00a0<\/p>\n The sixth payload,\u00a0 References to a cryptocurrency gateway<\/a> called \u201cGuardarian\u201d appeared across multiple payloads from the start, confirming this was a targeted financial theft operation.<\/a><\/p>\n All stolen data \u2014 including environment files, private keys, Redis dumps, Docker secrets, and Kubernetes service account tokens \u2014 was sent in plaintext over HTTP with no encryption.\u00a0<\/p>\n The impact of a successful compromise would have been severe, handing the attacker direct access to hot wallet credentials, transaction tables, and the full financial database of an active payment platform.<\/a><\/p>\n The final two payload variants, both published under the\u00a0 The seventh variant, version\u00a0 Once triggered, it wrote a hidden C2 agent named\u00a0 This turned a one-time package installation into a lasting backdoor. <\/a>The eighth variant, version\u00a0 The entire C2 agent was passed as an inline string to a detached\u00a0 It targeted credential paths such as\u00a0 Organizations using Strapi should immediately audit installed npm packages<\/a> and remove any matching the malicious names in the indicators of compromise. <\/p>\n All credentials on affected hosts \u2014 database passwords, API keys, JWT secrets, and private keys \u2014 must be rotated without delay. The hardcoded PostgreSQL password found in\u00a0 Administrators should remove\u00a0 Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post 36 Malicious npm Strapi Packages Used to Deploy Redis RCE and Persistent C2 Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\numarbek1233<\/code>,\u00a0kekylf12<\/code>,\u00a0tikeqemif26<\/code>, and\u00a0umar_bektembiev1<\/code>\u00a0\u2014 all believed to be operated by a single threat actor. <\/p>\n3.6.8<\/code>\u00a0to appear as a legitimate Strapi community plugin. <\/p>\nnpm install<\/code>\u00a0through a\u00a0postinstall<\/code>\u00a0script, requiring no further interaction from the developer. <\/p>\nstrapi-plugin-cron<\/code>,\u00a0strapi-plugin-events<\/code>, and\u00a0strapi-plugin-seed<\/code>\u00a0closely mirrored the naming patterns of real Strapi community tools, making them easy to trust.<\/a><\/p>\nstrapi-plugin-events<\/code>\u00a0for performing a filesystem-wide secret search and recording twenty-four outbound connections to the attacker\u2019s C2 server at\u00a0144[.]31[.]107[.]231<\/code>. <\/p>\nstrapi-plugin-seed<\/code>, connected to the victim\u2019s PostgreSQL database using hardcoded credentials and probed for databases named\u00a0guardarian<\/code>,\u00a0guardarian_payments<\/code>,\u00a0exchange<\/code>, and\u00a0custody<\/code>. <\/p>\nPersistent Implant and Fileless Execution<\/strong><\/h2>\n
strapi-plugin-api<\/code>\u00a0package name, represented the campaign\u2019s most advanced stage. <\/p>\n3.6.8<\/code>, only activated if the host\u2019s hostname exactly matched\u00a0prod-strapi<\/code>\u00a0\u2014 confirming the attacker had already identified the victim\u2019s production environment. <\/p>\n.node_gc.js<\/code>\u00a0into the\u00a0\/tmp\/<\/code>\u00a0directory, launched it as a detached background process, and installed a crontab entry to restart it every minute if terminated.\u00a0<\/p>\n3.6.9<\/code>, went further by removing the need for any file on disk at all. <\/p>\nnode -e<\/code>\u00a0process, leaving no filesystem trace for detection tools<\/a> to find. <\/p>\n\/opt\/secrets\/strapi-green.env<\/code>\u00a0and\u00a0\/var\/www\/nowguardarian-strapi\/<\/code>, with a code comment inside the script referencing a Jenkins CI pipeline \u2014 revealing the attacker\u2019s deep, prior knowledge of the victim\u2019s build infrastructure.<\/a><\/p>\nstrapi-plugin-seed<\/code>\u00a0must be changed if active. <\/p>\n\/tmp\/.node_gc.js<\/code>,\u00a0\/tmp\/vps_shell.sh<\/code>, and any PHP webshells from the uploads directory, audit crontab entries for\u00a0node_gc<\/code>\u00a0or\u00a0curl<\/code>\u00a0references, and kill any processes connecting to\u00a0144[.]31[.]107[.]231<\/code>. Exposed Kubernetes service account tokens should be revoked immediately.<\/p>\n