Critical Redis RCE and C2 Malware Found in 36 Malicious npm Strapi Packages
Key Takeaways
- A sophisticated supply chain attack targeted developers using Strapi, the open-source content management system.
- Thirty-six malicious npm packages, disguised as Strapi plugins, delivered Redis Remote Code Execution (RCE) and persistent command-and-control (C2) malware.
- The attack specifically aimed at a cryptocurrency payment platform, indicating a highly targeted financial theft operation.
- The malware harvested credentials, exploited databases, and established backdoors, with later variants employing fileless execution techniques.
Widespread Supply Chain Attack Targets Strapi Developers with Redis RCE and C2 Malware
A significant supply chain attack has been uncovered, meticulously engineered to compromise developers leveraging Strapi, the widely adopted open-source content management system. This campaign involved the publication of 36 malicious npm packages, all masquerading as legitimate Strapi plugins, with the intent to deploy sophisticated malware. The payloads were designed to achieve remote code execution via Redis, exfiltrate sensitive credentials, and establish persistent command-and-control capabilities on compromised servers.
Investigators highlight the highly targeted nature of this operation, which focused on a single cryptocurrency payment platform. That precision distinguishes it from the broad, opportunistic package-squatting campaigns more commonly seen on npm and makes it one of the more focused software supply chain attacks observed recently. Detailed analysis of the campaign's mechanics and impact is given in SafeDep's report.
Malicious Infrastructure and Deceptive Tactics
The malicious packages were published from four npm accounts: umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1, all believed to be controlled by a single threat actor. Each package used the same three-file structure and carried the version number 3.6.8 so as to resemble established Strapi community plugins (the final variant, described below, was published as 3.6.9).
Crucially, the malicious code ran automatically during npm install through a postinstall lifecycle script, with no further interaction from the developer. npm executes such scripts by default; only an install run with --ignore-scripts (or ignore-scripts=true in .npmrc) would have prevented it. Package names such as strapi-plugin-cron, strapi-plugin-events, and strapi-plugin-seed were chosen to closely mimic genuine Strapi community tools, making them appear trustworthy.
Discovery and Evolving Payloads
SafeDep analysts identified and documented this campaign on April 3, 2026. Their dynamic analysis pipeline flagged strapi-plugin-events for suspicious behavior, specifically its execution of a filesystem-wide secret search and making twenty-four outbound connections to the attacker’s C2 server located at 144[.]31[.]107[.]231.
Researchers noted the presence of eight distinct payload variants within the campaign, which evolved over a thirteen-hour period. This rapid iteration strongly suggests that the attacker was actively developing and testing their tools against a live target. The payloads demonstrated a progression in sophistication, starting with Redis remote code execution and Docker container escape in earlier versions, and advancing to credential harvesting and direct PostgreSQL database exploitation in later stages.
One notable variant, found in the strapi-plugin-seed package, connected to the victim’s PostgreSQL database using hardcoded credentials. It then specifically probed for databases named guardarian, guardarian_payments, exchange, and custody. References to “Guardarian,” a cryptocurrency gateway, appeared consistently across multiple payloads from the outset, confirming the operation’s explicit focus on financial theft.
All exfiltrated data, including environment files, private keys, Redis dumps, Docker secrets, and Kubernetes service account tokens, was sent over plain HTTP with no transport encryption, so it was readable by anyone on the network path as well as by the attacker. A successful compromise would have granted the attacker direct access to critical assets such as hot wallet credentials, transaction tables, and the entire financial database of an active payment platform, underscoring the severe potential impact.
Persistent Implant and Fileless Execution
The campaign's most advanced stages were represented by the final two payload variants, both distributed under the strapi-plugin-api package name. The seventh variant, version 3.6.8, activated only if the host's hostname exactly matched prod-strapi, indicating the attacker had prior knowledge of the victim's production environment. The same gate keeps the payload dormant on developer machines and in analysis sandboxes, so dynamic analysis that does not spoof the hostname would not see this stage run.
Upon activation, this variant deployed a hidden C2 agent named .node_gc.js into the /tmp/ directory, launched it as a detached background process, and established a crontab entry to ensure its hourly restart if terminated. This mechanism transformed a one-time package installation into a persistent backdoor.
The eighth variant, version 3.6.9, escalated further by eliminating the need to write any file to disk. The entire C2 agent was passed as an inline string to a detached node -e process, leaving nothing for file-based detection to find; the agent still exists as a running process, however, and its full script is visible in that process's command line. This variant specifically targeted credential paths such as /opt/secrets/strapi-green.env and /var/www/nowguardarian-strapi/. A code comment within the script referencing a Jenkins CI pipeline further revealed the attacker's prior knowledge of the victim's build infrastructure.
What You Should Do
- Audit npm Packages: Immediately review all installed npm packages on Strapi deployments for any matching the malicious names in the indicators of compromise (those named above are strapi-plugin-cron, strapi-plugin-events, strapi-plugin-seed, and strapi-plugin-api). Remove any suspicious packages without delay.
- Rotate Credentials: Promptly rotate all credentials on potentially affected hosts, including database passwords, API keys, JWT secrets, and private keys. Ensure the hardcoded PostgreSQL password found in strapi-plugin-seed (if active) is changed.
- Cleanup Malicious Artifacts: Remove any instances of /tmp/.node_gc.js and /tmp/vps_shell.sh. Search for and eliminate any PHP webshells from upload directories.
- Review Crontab Entries: Audit crontab entries (for root, the Strapi service account, and every other user) for references to node_gc or curl that could indicate persistent malicious activity.
- Terminate Malicious Processes: Identify and terminate any active processes connecting to the attacker's C2 server at 144[.]31[.]107[.]231.
- Revoke Kubernetes Tokens: Immediately revoke any exposed Kubernetes service account tokens.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.