Malicious npm Strapi Packages Deploy Redis RCE Used Persistent

Sarah simpson
April 6, 2026

A coordinated supply chain attack has emerged, specifically targeting developers utilizing Strapi, the popular open-source content management system, for application development.

Thirty-six malicious npm packages disguised as legitimate Strapi plugins were published to the npm registry, carrying payloads designed to exploit Redis for remote code execution, steal credentials, and establish persistent command-and-control access on victim servers.

The campaign was deliberately focused on a cryptocurrency payment platform, making it one of the more targeted software supply chain attacks seen in recent memory.

The packages were distributed across four fake npm accounts — umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1 — all believed to be operated by a single threat actor.

Each package followed an identical three-file structure and used version number 3.6.8 to appear as a legitimate Strapi community plugin.

The malicious code ran automatically upon npm install through a postinstall script, requiring no further interaction from the developer.

Package names like strapi-plugin-cron, strapi-plugin-events, and strapi-plugin-seed closely mirrored the naming patterns of real Strapi community tools, making them easy to trust.

SafeDep analysts identified and documented the campaign on April 3, 2026, after their dynamic analysis pipeline flagged strapi-plugin-events for performing a filesystem-wide secret search and recording twenty-four outbound connections to the attacker’s C2 server at 144[.]31[.]107[.]231.

The researchers noted that the campaign carried eight distinct payload variants, each one evolving across a thirteen-hour window — a clear sign the attacker was actively developing and testing their tools against a live target.

The eight payload variants ranged from Redis remote code execution and Docker container escape in the earliest packages, to credential harvesting and direct PostgreSQL database exploitation in later ones.

The sixth payload, strapi-plugin-seed, connected to the victim’s PostgreSQL database using hardcoded credentials and probed for databases named guardarian, guardarian_payments, exchange, and custody.

References to a cryptocurrency gateway called “Guardarian” appeared across multiple payloads from the start, confirming this was a targeted financial theft operation.

All stolen data — including environment files, private keys, Redis dumps, Docker secrets, and Kubernetes service account tokens — was sent in plaintext over HTTP with no encryption.

The impact of a successful compromise would have been severe, handing the attacker direct access to hot wallet credentials, transaction tables, and the full financial database of an active payment platform.

Persistent Implant and Fileless Execution

The final two payload variants, both published under the strapi-plugin-api package name, represented the campaign’s most advanced stage.

The seventh variant, version 3.6.8, only activated if the host’s hostname exactly matched prod-strapi — confirming the attacker had already identified the victim’s production environment.

Once triggered, it wrote a hidden C2 agent named .node_gc.js into the /tmp/ directory, launched it as a detached background process, and installed a crontab entry to restart it every minute if terminated.

This turned a one-time package installation into a lasting backdoor. The eighth variant, version 3.6.9, went further by removing the need for any file on disk at all.

The entire C2 agent was passed as an inline string to a detached node -e process, leaving no filesystem trace for detection tools to find.

It targeted credential paths such as /opt/secrets/strapi-green.env and /var/www/nowguardarian-strapi/, with a code comment inside the script referencing a Jenkins CI pipeline — revealing the attacker’s deep, prior knowledge of the victim’s build infrastructure.

Organizations using Strapi should immediately audit installed npm packages and remove any matching the malicious names in the indicators of compromise.

All credentials on affected hosts — database passwords, API keys, JWT secrets, and private keys — must be rotated without delay. The hardcoded PostgreSQL password found in strapi-plugin-seed must be changed if active.

Administrators should remove /tmp/.node_gc.js, /tmp/vps_shell.sh, and any PHP webshells from the uploads directory, audit crontab entries for node_gc or curl references, and kill any processes connecting to 144[.]31[.]107[.]231. Exposed Kubernetes service account tokens should be revoked immediately.
