Threats

Critical Redis RCE and C2 Malware Found in 36 Malicious npm Strapi Packages

Sarah simpson
April 6, 2026 4 Min Read

Key Takeaways

  • A sophisticated supply chain attack targeted developers using Strapi, the open-source content management system.
  • Thirty-six malicious npm packages, disguised as Strapi plugins, delivered Redis Remote Code Execution (RCE) and persistent command-and-control (C2) malware.
  • The attack specifically aimed at a cryptocurrency payment platform, indicating a highly targeted financial theft operation.
  • The malware harvested credentials, exploited databases, and established backdoors, with later variants employing fileless execution techniques.

Widespread Supply Chain Attack Targets Strapi Developers with Redis RCE and C2 Malware

A significant supply chain attack has been uncovered, meticulously engineered to compromise developers leveraging Strapi, the widely adopted open-source content management system. This campaign involved the publication of 36 malicious npm packages, all masquerading as legitimate Strapi plugins, with the intent to deploy sophisticated malware. The payloads were designed to achieve remote code execution via Redis, exfiltrate sensitive credentials, and establish persistent command-and-control capabilities on compromised servers.

Table Of Content

  • Key Takeaways
  • Widespread Supply Chain Attack Targets Strapi Developers with Redis RCE and C2 Malware
  • Malicious Infrastructure and Deceptive Tactics
  • Discovery and Evolving Payloads
  • Persistent Implant and Fileless Execution
  • What You Should Do

Investigators highlight the highly targeted nature of this operation, which specifically focused on a cryptocurrency payment platform. This precision targeting distinguishes it as one of the more focused software supply chain attacks observed recently. Detailed analysis of the campaign’s mechanics and impact can be found in a comprehensive report.

Malicious Infrastructure and Deceptive Tactics

The malicious packages were distributed through four fake npm accounts: umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1. These accounts are believed to be under the control of a single threat actor. Each fraudulent package maintained an identical three-file structure and utilized the version number 3.6.8 to imitate authentic Strapi community plugins, thereby enhancing their credibility.

Crucially, the malicious code executed automatically upon the npm install command, triggered by a postinstall script, requiring no further interaction from the unsuspecting developer. Package names such as strapi-plugin-cron, strapi-plugin-events, and strapi-plugin-seed were carefully chosen to closely mimic genuine Strapi community tools, making them appear trustworthy.

Discovery and Evolving Payloads

SafeDep analysts identified and documented this campaign on April 3, 2026. Their dynamic analysis pipeline flagged strapi-plugin-events for suspicious behavior, specifically a filesystem-wide search for secrets and twenty-four outbound connections to the attacker’s C2 server at 144[.]31[.]107[.]231.

Researchers noted the presence of eight distinct payload variants within the campaign, which evolved over a thirteen-hour period. This rapid iteration strongly suggests that the attacker was actively developing and testing their tools against a live target. The payloads demonstrated a progression in sophistication, starting with Redis remote code execution and Docker container escape in earlier versions, and advancing to credential harvesting and direct PostgreSQL database exploitation in later stages.

One notable variant, found in the strapi-plugin-seed package, connected to the victim’s PostgreSQL database using hardcoded credentials. It then specifically probed for databases named guardarian, guardarian_payments, exchange, and custody. References to “Guardarian,” a cryptocurrency gateway, appeared consistently across multiple payloads from the outset, confirming the operation’s explicit focus on financial theft.

All exfiltrated data, including environment files, private keys, Redis dumps, Docker secrets, and Kubernetes service account tokens, was transmitted in plaintext over HTTP, completely lacking encryption. A successful compromise would have granted the attacker direct access to critical assets such as hot wallet credentials, transaction tables, and the entirety of an active payment platform’s financial database, underscoring the severe potential impact.

Persistent Implant and Fileless Execution

The campaign’s most advanced stages were represented by the final two payload variants, both distributed under the strapi-plugin-api package name. The seventh variant, version 3.6.8, was designed to activate only if the host’s hostname precisely matched prod-strapi, indicating the attacker had prior knowledge of the victim’s production environment.

Upon activation, this variant deployed a hidden C2 agent named .node_gc.js into the /tmp/ directory, launched it as a detached background process, and established a crontab entry to ensure its hourly restart if terminated. This mechanism transformed a one-time package installation into a persistent backdoor.

The eighth variant, version 3.6.9, further escalated the attack by eliminating the need for any file to be written to disk. The entire C2 agent was passed as an inline string to a detached node -e process, effectively leaving no filesystem trace for traditional detection tools. This variant specifically targeted credential paths such as /opt/secrets/strapi-green.env and /var/www/nowguardarian-strapi/. A code comment within the script referencing a Jenkins CI pipeline further revealed the attacker’s deep, prior knowledge of the victim’s build infrastructure.

What You Should Do

  • Audit npm Packages: Immediately review all installed npm packages on Strapi deployments for any matching the malicious names identified in the indicators of compromise. Remove any suspicious packages without delay.
  • Rotate Credentials: Promptly rotate all credentials on potentially affected hosts, including database passwords, API keys, JWT secrets, and private keys. Ensure the hardcoded PostgreSQL password found in strapi-plugin-seed (if active) is changed.
  • Clean Up Malicious Artifacts: Remove any instances of /tmp/.node_gc.js and /tmp/vps_shell.sh. Search for and eliminate any PHP webshells from upload directories.
  • Review Crontab Entries: Audit crontab entries for any references to node_gc or curl that could indicate persistent malicious activity.
  • Terminate Malicious Processes: Identify and terminate any active processes connecting to the attacker’s C2 server at 144[.]31[.]107[.]231.
  • Revoke Kubernetes Tokens: Immediately revoke any exposed Kubernetes service account tokens.
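The checks above can be scripted so that they run the same way on a live host and on saved evidence. The following is an added example, not code from the article or from SafeDep; it uses only the indicators the write-up names (the four package names are the only ones listed out of the 36, so the list should be extended from the full IoC report), and its sample crontab, process and socket lines are constructed for the stand-alone run. It assumes a POSIX shell with grep and find.

```shell
#!/bin/sh
# Added example (not from the article or SafeDep): a triage sweep built from the
# indicators in the write-up. Every check takes its data as an argument, a
# directory or captured command output, so it works on a mounted image or a
# saved "crontab -l" / "ps" / "ss" capture as well as on a live host.

IOC_PACKAGES="strapi-plugin-cron strapi-plugin-events strapi-plugin-seed strapi-plugin-api"
IOC_C2="144.31.107.231"
IOC_FILES="/tmp/.node_gc.js /tmp/vps_shell.sh"

# find_ioc_packages NODE_MODULES_DIR: prints each installed directory whose name is on the list.
find_ioc_packages() {
    for name in $IOC_PACKAGES; do
        [ -d "$1/$name" ] && printf '%s\n' "$1/$name"
    done
    return 0
}

# check_files ROOT_PREFIX: prints which named dropper paths exist under the prefix
# ("" for the live root, or a mount point for an offline image).
check_files() {
    for f in $IOC_FILES; do
        [ -e "$1$f" ] && printf '%s\n' "$1$f"
    done
    return 0
}

# check_cron CRONTAB_TEXT: prints crontab lines referencing node_gc or curl.
check_cron() {
    printf '%s\n' "$1" | grep -E 'node_gc|curl' || true
}

# check_processes PS_TEXT: prints process lines running an inline "node -e" script
# (the fileless eighth variant) or the detached agent name. Any inline script on a
# production Strapi host deserves a look, so expect to review matches by hand.
check_processes() {
    printf '%s\n' "$1" | grep -E 'node(js)? +-e |node_gc' || true
}

# check_connections SS_TEXT: prints socket lines whose peer is the reported C2 address.
check_connections() {
    printf '%s\n' "$1" | grep -F "$IOC_C2" || true
}

# Constructed sample captures for the stand-alone run (not real host output).
SAMPLE_CRON='0 * * * * /usr/bin/node /tmp/.node_gc.js
30 2 * * * /usr/local/bin/backup.sh'
SAMPLE_PS=' 1201 ?  Ss   node /srv/strapi/node_modules/.bin/strapi start
 1340 ?  S    node -e "/* inline agent body, elided in this sample */"
 1402 ?  S    /usr/bin/node /tmp/.node_gc.js'
SAMPLE_SS='ESTAB 0 0 10.0.0.5:53122 144.31.107.231:80
ESTAB 0 0 10.0.0.5:44310 10.0.0.9:5432'

# Stand-alone demo against a constructed scratch root.
demo="$(mktemp -d)"
mkdir -p "$demo/node_modules/strapi-plugin-events" "$demo/node_modules/example-benign-plugin" "$demo/tmp"
: > "$demo/tmp/.node_gc.js"
echo "packages:";    find_ioc_packages "$demo/node_modules"
echo "files:";       check_files "$demo"
echo "cron:";        check_cron "$SAMPLE_CRON"
echo "processes:";   check_processes "$SAMPLE_PS"
echo "connections:"; check_connections "$SAMPLE_SS"
rm -rf "$demo"
```

On a live host the arguments would be the project's node_modules path, an empty prefix, and the output of crontab -l (for each user), ps axo pid,tty,stat,args and ss -tnp respectively; anything the sweep prints feeds the remove, rotate and terminate steps listed above.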

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Attack, Exploit, Threat

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.
