
A coordinated supply chain attack has been discovered targeting developers who build applications on Strapi, a widely used open-source content management system.

Thirty-six harmful npm packages masquerading as authentic Strapi plugins were uploaded to the npm registry, containing payloads intended to exploit Redis for remote code execution, extract credentials, and establish an ongoing command-and-control connection on victim servers.

The campaign was aimed specifically at a cryptocurrency payment platform, making it one of the most narrowly targeted software supply chain attacks seen in recent history.

The packages were disseminated through four fraudulent npm accounts — umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1 — all believed to be managed by a single threat actor.

Each package used an identical three-file layout and carried version number 3.6.8 to pass as a genuine Strapi community plugin.

The malicious code ran automatically during npm install via a postinstall script, requiring no further interaction from the developer.

Package names such as strapi-plugin-cron, strapi-plugin-events, and strapi-plugin-seed closely imitated the naming conventions of authentic Strapi community tools, making them appear trustworthy.

SafeDep analysts detected and documented the campaign on April 3, 2026, after their dynamic analysis pipeline flagged strapi-plugin-events for performing a filesystem-wide secret search and logging twenty-four outbound connections to the attacker’s C2 server at 144[.]31[.]107[.]231.

The researchers observed that the operation employed eight distinct payload variations, each evolving across a thirteen-hour timeframe — a clear indication that the attacker was actively developing and testing their tools against a live target.

The eight payload variations ranged from Redis remote code execution and Docker container escape in the initial packages to credential harvesting and direct PostgreSQL database exploitation in subsequent ones.

The sixth payload, strapi-plugin-seed, connected to the victim’s PostgreSQL database utilizing hardcoded credentials and searched for databases named guardarian, guardarian_payments, exchange, and custody.

References to a cryptocurrency gateway named “Guardarian” appeared across multiple payloads from the beginning, confirming that this was a targeted attempt at financial theft.

All compromised data — including environment files, private keys, Redis dumps, Docker secrets, and Kubernetes service account tokens — was transmitted in plaintext over HTTP without any encryption.

The consequences of a successful breach would have been significant, granting the attacker direct access to hot wallet credentials, transaction tables, and the complete financial database of an active payment platform.


Enduring Implant and Fileless Execution

The last two payload types, both released under the strapi-plugin-api package title, signified the campaign’s most sophisticated phase.

The seventh variant, version 3.6.8, only executed if the host’s hostname exactly matched prod-strapi — confirming that the attacker had already identified the victim’s production environment.

Once triggered, it dropped a hidden C2 agent named .node_gc.js in /tmp/, started it as a detached background process, and added a crontab entry to restart it every minute if it stopped.

This turned a single package installation into a persistent backdoor. The eighth variant, version 3.6.9, went further by removing the need for any files on disk at all.

The complete C2 agent was passed as an inline string to a detached node -e process, leaving nothing on the filesystem for file-based detection to find.

It targeted credential locations such as /opt/secrets/strapi-green.env and /var/www/nowguardarian-strapi/, and a code comment in the script referred to a Jenkins CI pipeline — revealing the attacker’s detailed prior knowledge of the victim’s build infrastructure.

Organizations running Strapi should promptly audit installed npm packages and remove any that match the malicious package names in the indicators of compromise.

All credentials on compromised hosts — database passwords, API keys, JWT secrets, and private keys — must be rotated immediately. The hardcoded PostgreSQL password found in strapi-plugin-seed should be changed if it is still in use.

Administrators should delete /tmp/.node_gc.js, /tmp/vps_shell.sh, and any PHP webshells present in the uploads directory, review crontab entries for node_gc or curl references, and terminate any processes connecting to 144[.]31[.]107[.]231. Exposed Kubernetes service account tokens should be revoked immediately.
