Full Report
Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant. "Every package contains three files (package.json, index.js, postinstall.js), has no description, repository,
Analysis Summary
# Tool/Technique: Malicious Strapi-Disguised npm Packages
## Overview
A coordinated supply chain attack involving 36 malicious npm packages designed to impersonate Strapi CMS plugins. These packages utilize `postinstall` scripts to execute multi-stage payloads ranging from reconnaissance and credential harvesting to database exploitation (Redis/PostgreSQL) and the deployment of persistent implants/reverse shells.
## Technical Details
- **Type:** Malware / Supply Chain Attack
- **Platform:** Node.js (Linux-based environments, Docker, CI/CD pipelines)
- **Capabilities:** Database exploitation (Redis RCE, PostgreSQL querying), Docker escape, credential harvesting, reverse shell deployment, and persistence.
- **First Seen:** April 5, 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1195.001 - Supply Chain Compromise: Compromise Software Dependencies]
- **[TA0002 - Execution]**
- [T1059.004 - Command and Scripting Interpreter: Unix Shell]
- [T1164 - Boot or Logon Autostart Execution] (via Crontab)
- **[TA0003 - Persistence]**
- [T1053.003 - Scheduled Task/Job: Cron]
- [T1505.003 - Server Software Component: Web Shell]
- **[TA0004 - Privilege Escalation]**
- [T1611 - Escape to Host] (Docker escape)
- **[TA0006 - Credential Access]**
- [T1552.001 - Unsecured Credentials: Credentials In Files]
- [T1555 - Credentials from Password Stores] (Crypto wallets/API keys)
- **[TA0007 - Discovery]**
- [T1046 - Network Service Discovery]
- [T1082 - System Information Discovery]
- **[TA0011 - Command and Control]**
- [T1095 - Non-Application Layer Protocol] (C2 over TCP port 4444)
## Functionality
### Core Capabilities
- **Automated Execution:** Leverages the `postinstall.js` hook in `package.json` to execute code automatically upon installation.
- **Database Exploitation:**
- **Redis:** Injects crontab entries into locally accessible Redis instances to achieve RCE.
- **PostgreSQL:** Uses hard-coded credentials to query Strapi tables and extract sensitive data.
- **Data Exfiltration:** Targets environment variables (`.env`), Strapi configurations, Docker/Kubernetes secrets, and cryptocurrency wallet seeds/transaction data.
### Advanced Features
- **Docker Escape:** Includes logic to write shell payloads from within a container to the underlying host system.
- **Targeted Persistence:** Deploys a specific implant for the hostname "prod-strapi," suggesting a highly targeted tail-end to the campaign.
- **Evasion via Impersonation:** Packages used version `3.6.8` and the "strapi-plugin-" prefix to mimic mature Strapi v3 community modules.
## Indicators of Compromise
- **File Names:** `package.json`, `index.js`, `postinstall.js` (within the malicious npm modules).
- **Network Indicators:**
- C2/Listener: Port 4444 (Python reverse shell).
- Targeted Hostname: `prod-strapi`.
- **Behavioral Indicators:**
- `npm` process spawning `curl` or `wget` to fetch external scripts.
- Unexpected modifications to crontab via Redis `CONFIG SET` or `SAVE` commands.
- Unauthorized access to `public/uploads` directory containing PHP or JS files.
- **Publisher Accounts:** `umarbek1233`, `kekylf12`, `tikeqemif26`, `umar_bektembiev1`.
## Associated Threat Actors
- Currently unattributed, though the use of specific naming conventions and targeting of Guardarian API/databases suggests an actor focused on fintech and CMS environments.
## Detection Methods
- **Behavioral detection:** Monitor for `npm install` processes that initiate outbound network connections or modify system cron files.
- **Audit:** Search for any npm package starting with `strapi-plugin-` that is NOT under the official `@strapi/` scope.
- **System Monitoring:** Monitor Redis logs for unexpected execution of the `INFO`, `DBSIZE`, or `KEYS` commands from web-facing applications.
## Mitigation Strategies
- **Namespace Verification:** Only install Strapi plugins from the official `@strapi/` scoped registry.
- **Dependency Pinning:** Use `package-lock.json` and audit new dependencies before inclusion.
- **Environment Hardening:**
- Run `npm install` with the `--ignore-scripts` flag in untrusted environments.
- Ensure Redis is not accessible via localhost without authentication.
- Apply the principle of least privilege to CI/CD service accounts to prevent root-level execution of post-install scripts.
## Related Tools/Techniques
- **Typosquatting/Masquerading:** Similar to common dependency confusion attacks.
- **Redis-to-RCE:** A known technique where Redis's ability to write files to disk is leveraged to overwrite authorized_keys or crontabs.