36 Malicious npm Packages Deploy Redis and PostgreSQL Persistent Implants

  • Apr 5
  • 4 min read

Key Findings


  • 36 malicious npm packages masquerading as Strapi CMS plugins uploaded by four sock puppet accounts over 13 hours

  • Eight distinct payload variants reveal real-time attack development against a specific target

  • Exploitation chain includes Redis RCE, PostgreSQL database theft, Docker container escape, and persistent C2 implants

  • Packages target cryptocurrency platform infrastructure with hardcoded database credentials and wallet-specific data harvesting

  • Postinstall scripts execute with user privileges, enabling root access abuse in CI/CD and container environments

  • Attack evolved from aggressive exploitation attempts to reconnaissance, credential harvesting, and persistent backdoor installation


Background


In early April 2026, security researchers at SafeDep discovered a coordinated supply chain attack targeting the npm ecosystem. The attackers created four sock puppet accounts and used them to systematically upload 36 fake Strapi CMS plugin packages designed to trick developers into installing them. All packages followed the same deceptive pattern: they were named with the "strapi-plugin-" prefix followed by innocent-sounding terms like "cron," "database," "server," and "monitor" to mimic legitimate plugins. This naming mimicry is particularly dangerous because legitimate Strapi plugins are scoped under "@strapi/," so these unscoped packages could pass as community alternatives. The packages carried minimal metadata (no descriptions or repositories) and used version 3.6.8 to appear as mature, established plugins rather than new releases.


Payload Evolution and Attack Progression


Analysis of the eight distinct payload variants shows a clear tactical evolution. The attacker began with aggressive exploitation techniques but adapted their approach after encountering resistance, ultimately settling on persistence and targeted credential theft. This progression reveals troubleshooting happening in real time.


The first variant targeted Redis for remote code execution by injecting crontab entries to download and execute shell scripts every minute. This evolved into attempts at Docker container escape by discovering overlay filesystem paths and writing payloads directly to the host system. When these approaches apparently failed, subsequent variants pivoted to comprehensive reconnaissance, scanning systems for environment variables, PostgreSQL connection strings, secrets, and cryptocurrency wallet files.


Later variants deployed direct PostgreSQL exploitation using hardcoded credentials. The attackers then shifted to a full credential harvester that conducted systematic reconnaissance including environment dumps, Strapi configurations, network topology mapping, and extraction of Docker and Kubernetes secrets. The final variants deployed persistent implants designed specifically to maintain remote access to a hostname labeled "prod-strapi," suggesting the attack was highly targeted rather than indiscriminate.


Technical Exploitation Methods


All malicious packages embedded their payloads in postinstall script hooks, which npm executes automatically during "npm install" without user interaction and with the privileges of the installing user. Because installs inside containers and CI/CD pipelines routinely run as root, this gives attackers immediate root-level access in those environments.


The Redis exploitation leveraged the `CONFIG SET` command to write crontab entries and shell payloads directly to target systems. Attackers injected both PHP webshells and Node.js reverse shells into Strapi's public uploads directory via SSH. They also attempted to read raw disk data using `mknod` and `dd` commands to extract passwords, wallet mnemonics, and SSH private keys.


Docker escape attempts involved discovering the overlay filesystem's upperdir paths, allowing attackers to write payloads to directories accessible from the host system. The packages launched reverse shells on ports 4444 and 8888, establishing command and control channels for arbitrary code execution.


PostgreSQL exploitation involved connecting with hardcoded credentials (user_strapi / 1QKtYPp18UsyU2ZwInVM) and dumping sensitive Strapi tables. Notably, attackers explicitly probed for databases named guardarian, guardarian_payments, payments, exchange, and custody, indicating prior knowledge of the target's infrastructure.


Credential and Data Harvesting


The most comprehensive payload variants conducted systematic secret discovery across multiple vectors. They exfiltrated .env files and full environment variable dumps, extracted Strapi configuration files, and searched the filesystem for cryptocurrency wallet files and private keys. Redis data was dumped using the `INFO`, `DBSIZE`, and `KEYS` commands to enumerate all cached data.


The credential harvesting expanded in later variants to include Docker and Kubernetes secrets, service account tokens, and private cryptographic keys. One variant specifically targeted hardcoded paths like "/var/www/nowguardarian-strapi/" and "/opt/secrets/strapi-green.env," and even referenced a Jenkins CI pipeline in code comments, suggesting the attackers had detailed knowledge of the target environment.


Persistent Access and C2 Infrastructure


Later-stage payloads established polling C2 sessions for persistent remote access. Some variants opened 2.5-minute polling loops while more sophisticated versions used 5-minute intervals for command execution. The final implant was specifically gated to execute only on the hostname "prod-strapi," demonstrating precision targeting.


Persistence mechanisms included crontab entries for restart survival, detached process spawning, and fileless execution using direct node commands. One variant wrote a persistent C2 agent to "/tmp/.node_gc.js" and installed crontab entries to ensure its execution across system reboots.


Attribution and Target Profile


The coordinated nature of the campaign, combined with hardcoded database credentials and exclusive focus on wallet-related database tables, strongly suggests this was a targeted attack against a specific cryptocurrency payment platform rather than a broad supply chain attack. The attackers demonstrated intimate knowledge of the target's infrastructure, including specific hostnames, directory structures, database names, and even CI/CD tooling.


The hardcoded credentials and direct database connection attempts indicate the attackers either had prior access to this infrastructure or obtained credentials through another compromise vector. The explicit probing for Guardarian-related databases suggests the target may be connected to or operating as part of the Guardarian ecosystem.


Immediate Response Requirements


Users who installed any of the 36 identified packages should assume complete system compromise and immediately rotate all credentials, especially database passwords and API tokens. Organizations running affected systems in production environments should conduct forensic investigations to determine the scope of data exfiltration, particularly focusing on cryptocurrency wallet information, private keys, and payment transaction data. All systems where these packages were installed should be isolated, scanned for persistent backdoors and crontab entries, and rebuilt from clean sources after credential rotation is complete.


Sources


  • https://thehackernews.com/2026/04/36-malicious-npm-packages-exploited.html

  • https://safedep.io/malicious-npm-strapi-plugin-events-c2-agent

© 2025 by Explain IT Again.