A sophisticated software supply chain attack targeting developers using Strapi, an open-source content management system, has been uncovered. Threat actors published 36 malicious npm packages disguised as legitimate Strapi plugins, which were designed to exploit Redis for remote code execution, steal sensitive credentials, and establish persistent command-and-control (C2) channels on compromised systems. This campaign specifically focused on a cryptocurrency payment platform, distinguishing it as a highly targeted operation.
The malicious packages were distributed through four distinct fake npm accounts: umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1. Security researchers believe these accounts were operated by a single entity. Each compromised package featured an identical three-file structure and employed the version number 3.6.8 to mimic legitimate Strapi community extensions.
The attack required no user interaction beyond the initial installation: the malicious code ran automatically during npm install through a postinstall lifecycle script. Names such as strapi-plugin-cron, strapi-plugin-events, and strapi-plugin-seed were carefully chosen to closely resemble the naming conventions of genuine Strapi community tools, enhancing their believability to unsuspecting developers.
Persistent Implant and Fileless Execution in Strapi Attack
SafeDep analysts detected and documented this campaign on April 3, 2026. Their investigation revealed that the package strapi-plugin-events was performing a broad search for secrets across the filesystem and establishing at least twenty-four outbound connections to the attacker’s C2 server, located at 144[.]31[.]107[.]231. The researchers further noted the presence of eight distinct payload variants, with significant evolution observed over a thirteen-hour period, indicating active development and testing by the threat actor against a live target.
The identified payload variants ranged from early implementations focusing on Redis remote code execution and Docker container escape to later versions concentrating on credential harvesting and direct exploitation of PostgreSQL databases. Notably, the sixth payload, strapi-plugin-seed, utilized hardcoded credentials to connect to a victim’s PostgreSQL database. It specifically probed for databases named guardarian, guardarian_payments, exchange, and custody. These references, along with others appearing in earlier payloads, strongly suggested a targeted financial theft operation centered around a cryptocurrency gateway named “Guardarian.”
All exfiltrated data, encompassing environment files, private keys, Redis dumps, Docker secrets, and Kubernetes service account tokens, was transmitted in plaintext via unencrypted HTTP. A successful compromise of this nature would have granted the attacker direct access to critical financial data, including hot wallet credentials, transaction records, and the complete financial database of the targeted payment platform.
The final two payload variants, both delivered under the strapi-plugin-api package name, represented the most advanced stage of the attack. The seventh variant, version 3.6.8, was designed to activate only if the host’s hostname precisely matched prod-strapi, suggesting the attacker had already identified the victim’s production environment. Upon activation, it deployed a hidden C2 agent, named .node_gc.js, to the /tmp/ directory. This agent was launched as a detached background process, and a crontab entry was installed to ensure its automatic restart every minute if terminated, effectively establishing a persistent backdoor.
The eighth variant, version 3.6.9, escalated the stealth capabilities by eliminating the need for any file to be present on disk. The entire C2 agent was passed as an inline string to a detached node -e process, leaving no filesystem trace that could be detected by standard security tools. This variant targeted credential paths such as /opt/secrets/strapi-green.env and /var/www/nowguardarian-strapi/. A code comment within the script referenced a Jenkins CI pipeline, further hinting at the attacker’s in-depth prior knowledge of the victim’s build infrastructure.
Organizations utilizing Strapi are strongly advised to immediately conduct a thorough audit of their installed npm packages. Any packages matching the malicious names identified in the indicators of compromise should be removed without delay. Furthermore, all credentials associated with affected hosts, including database passwords, API keys, JWT secrets, and private keys, must undergo immediate rotation. The hardcoded PostgreSQL password discovered in strapi-plugin-seed warrants special attention and should be changed if it is currently active.
System administrators should also prioritize the removal of any suspicious files from affected systems, such as /tmp/.node_gc.js and /tmp/vps_shell.sh, along with any PHP webshells located in upload directories. A comprehensive review of crontab entries for any references to node_gc or curl is also recommended. Any active processes connecting to 144[.]31[.]107[.]231 should be terminated. Additionally, any exposed Kubernetes service account tokens should be revoked immediately to mitigate further risk.
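As an added triage example (not from SafeDep or the article), the Python below applies the audit steps above to three host artifacts a responder would collect: a project's package-lock.json, a crontab dump, and `ss -tnp` output. The package list covers only the four names the article gives, the 3.6.8/3.6.9 version check and the C2 address come from the article, and all sample inputs are constructed.

```python
import json
import re

# Package names the report ties to the campaign (only those it names; the full
# 36-package IoC list is not reproduced here) and the C2 address it gives.
KNOWN_MALICIOUS_PACKAGES = {"strapi-plugin-cron", "strapi-plugin-events",
                            "strapi-plugin-seed", "strapi-plugin-api"}
CAMPAIGN_VERSIONS = {"3.6.8", "3.6.9"}
C2_IP = "144.31.107.231"
SUSPICIOUS_CRON = re.compile(r"node_gc|\bcurl\b")

def audit_lockfile(lockfile_text):
    """Walk a lockfileVersion 2/3 package-lock.json; return (name, version, reason)
    for installed packages to remove or review."""
    findings = []
    for path, meta in json.loads(lockfile_text).get("packages", {}).items():
        if not path:  # the "" entry is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if name in KNOWN_MALICIOUS_PACKAGES:
            findings.append((name, version, "name is a reported IoC; remove"))
        elif name.startswith("strapi-plugin-") and version in CAMPAIGN_VERSIONS:
            findings.append((name, version, "version used by the campaign; verify publisher"))
        elif meta.get("hasInstallScript"):  # npm records install-time lifecycle scripts here
            findings.append((name, version, "runs a script at install time; review"))
    return findings

def audit_crontab(crontab_text):
    """Return non-comment crontab lines that reference node_gc or curl."""
    return [ln for ln in crontab_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and SUSPICIOUS_CRON.search(ln)]

def audit_connections(ss_output):
    """Return lines of `ss -tnp` output whose peer is the reported C2 address."""
    return [ln for ln in ss_output.splitlines() if C2_IP in ln]

# Constructed sample artifacts standing in for a real host's files and output.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "cms", "version": "1.0.0"},
    "node_modules/strapi-plugin-events": {"version": "3.6.8"},
    "node_modules/strapi-plugin-foo": {"version": "3.6.8"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/some-native-lib": {"version": "2.0.0", "hasInstallScript": True},
}})
SAMPLE_CRON = "# m h dom mon dow command\n* * * * * node /tmp/.node_gc.js\n0 3 * * * /usr/bin/backup.sh\n"
SAMPLE_SS = ("ESTAB 0 0 10.0.0.5:43122 144.31.107.231:80 users:((\"node\",pid=4242,fd=19))\n"
             "ESTAB 0 0 10.0.0.5:5432 10.0.0.9:51000 users:((\"postgres\",pid=900,fd=8))\n")
```

Run the three functions against artifacts collected from each Strapi host; a non-empty result from any of them is the cue to remove the package or process, then rotate every credential that host could read.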
The ongoing evolution of supply chain attacks underscores the critical need for robust dependency management and continuous security monitoring within development pipelines. The rapid development and deployment of varied payloads in this Strapi incident highlight the dynamic nature of advanced persistent threats.