36 Malicious Strapi npm Packages Deliver Redis RCE, Persistent C2 Malware

A coordinated supply chain attack has been uncovered involving 36 malicious npm packages masquerading as Strapi CMS plugins, delivering a range of payloads including Redis remote code execution (RCE), credential harvesting, and persistent command-and-control (C2) malware.

The campaign was carried out using four sock-puppet npm accounts: umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1.

Unlike typical npm spam campaigns that reuse identical payloads, this operation deployed eight distinct malware variants, indicating an active, evolving attack likely targeting a specific organization.

According to the report, The malicious packages were published in rapid succession, each introducing new capabilities. The earliest package, strapi-plugin-cron (02:02 UTC), exploited Redis misconfigurations to achieve RCE.

It injected cron jobs, deployed PHP webshells and Node.js reverse shells, attempted SSH key persistence, and even accessed raw disk data using low-level commands.

Soon after, strapi-plugin-config (02:47 UTC) expanded the attack by attempting to escape the Docker container.

It identified overlay filesystem paths, wrote payloads to host-accessible directories, and launched Python-based reverse shells while extracting sensitive data such as Elasticsearch and cryptocurrency wallet credentials.

Between 03:01 and 03:37 UTC, several packages including strapi-plugin-server, database, core, and hooks introduced direct reverse shell capabilities.

These payloads were selectively executed only on production systems, using hostname checks (e.g., “prod”), and connected back to attacker-controlled infrastructure over ports 4444 and 8888.

Malicious Strapi npm Packages

Later variants shifted focus toward large-scale data exfiltration. The strapi-plugin-monitor package deployed an eight-phase credential harvesting routine, targeting environment variables, PostgreSQL connection strings, Redis data, and wallet files. It maintained a short-lived C2 loop, polling every 2.5 minutes.

The more advanced strapi-plugin-events (03:46 UTC) executed an 11-phase attack, including full .env file exfiltration, filesystem-wide secret discovery, Redis dumps, and Kubernetes secret theft. It also performed network reconnaissance and established a longer C2 loop with five-minute intervals.

At 04:45 UTC, strapi-plugin-seed directly targeted PostgreSQL databases using hardcoded credentials.

It extracted sensitive tables related to wallets, transactions, and deposits, and specifically probed for databases linked to cryptocurrency services such as guardarian, exchange, and custody.

Later packages introduced persistence mechanisms. [email protected] deployed a hidden Node.js implant in /tmp, configured to run continuously via cron.

A subsequent version, 3.6.9, used fileless execution techniques to launch reverse shells and targeted sensitive directories like /opt/secrets/ and /var/www/, referencing a Jenkins CI pipeline in embedded comments.

Impact and Targeting

The attack chain demonstrates deep knowledge of cloud-native environments and backend infrastructure. Key capabilities include:

  • Redis exploitation using CONFIG SET to write cron jobs, webshells, and SSH keys.
  • Docker escape attempts via overlay filesystem abuse.
  • Reverse shells over bash and Python.
  • Raw disk access to extract credentials and private keys.
  • PostgreSQL database dumping and enumeration.
  • Exfiltration of .env files, configs, and secrets.
  • Kubernetes and Docker secret harvesting.
  • Persistent C2 communication and backdoor installation.

Evidence suggests the campaign specifically targeted a cryptocurrency payment platform, with repeated references to Guardarian-related infrastructure.

This incident highlights the growing sophistication of npm-based supply chain attacks, where adversaries continuously adapt payloads in real time to maximize access, persistence, and data exfiltration.

Indicators of Compromise (IoC)

package version author
strapi-plugin-cron 3.6.8 umarbek1233
strapi-plugin-config 3.6.8 umarbek1233
strapi-plugin-server 3.6.8 umarbek1233
strapi-plugin-database 3.6.8 umarbek1233
strapi-plugin-core 3.6.8 umarbek1233
strapi-plugin-hooks 3.6.8 umarbek1233
strapi-plugin-monitor 3.6.8 umarbek1233
strapi-plugin-events 3.6.8 umarbek1233
strapi-plugin-logger 3.6.8 umarbek1233
strapi-plugin-health 3.6.8 kekylf12
strapi-plugin-sync 3.6.8 kekylf12
strapi-plugin-seed 3.6.8 kekylf12
strapi-plugin-locale 3.6.8 kekylf12
strapi-plugin-form 3.6.8 kekylf12
strapi-plugin-notify 3.6.8 kekylf12
strapi-plugin-api 3.6.8 kekylf12
strapi-plugin-api 3.6.9 kekylf12
strapi-plugin-sitemap-gen 3.6.8 tikeqemif26
strapi-plugin-nordica-tools 3.6.10 tikeqemif26
strapi-plugin-nordica-sync 3.6.8 tikeqemif26
strapi-plugin-nordica-cms 3.6.8 tikeqemif26
strapi-plugin-nordica-api 3.6.8 tikeqemif26
strapi-plugin-nordica-recon 3.6.8 tikeqemif26
strapi-plugin-nordica-stage 3.6.8 tikeqemif26
strapi-plugin-nordica-vhost 3.6.8 tikeqemif26
strapi-plugin-nordica-deep 3.6.8 tikeqemif26
strapi-plugin-nordica-lite 3.6.11 tikeqemif26
strapi-plugin-nordica 3.6.10 umar_bektembiev1
strapi-plugin-finseven 3.6.8 umar_bektembiev1
strapi-plugin-hextest 3.6.8 umar_bektembiev1
strapi-plugin-cms-tools 3.6.8 umar_bektembiev1
strapi-plugin-content-sync 3.6.8 umar_bektembiev1
strapi-plugin-debug-tools 3.6.8 umar_bektembiev1
strapi-plugin-health-check 3.6.8 umar_bektembiev1
strapi-plugin-guardarian-ext 3.6.8 umar_bektembiev1
strapi-plugin-advanced-uuid 3.6.8 umar_bektembiev1
strapi-plugin-blurhash 3.6.8 umar_bektembiev1

Related Articles

Back to top button
ZpMrPc a