A coordinated supply chain campaign has been uncovered on the npm registry: 36 malicious packages masquerading as Strapi CMS plugins were published over a 13-hour window by four sock puppet accounts. The packages target Redis and PostgreSQL infrastructure, harvest credentials and secrets from production environments, and deploy persistent implants designed to maintain long-term C2 access.

What Happened

Security researchers identified 36 packages on npm following an identical naming convention — strapi-plugin-{keyword} — using terms like cron, database, server, configuration, core, hook, monitor, event, logger, health, sync, seed, locale, form, notification, API, and guardarian-ext. Each package contains exactly three files (package.json, index.js, postinstall.js), has no description, repository, or homepage metadata, and uses version 3.6.8 to appear as a mature Strapi v3 community plugin.

The packages were uploaded by four sock puppet accounts: umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1. The rapid 13-hour publication window and shared code structure indicate a single coordinated actor behind all four accounts.

Technical Details

The attack chain executes via postinstall.js — running automatically when a developer installs the package. Payloads evolved across the 36 packages but fall into several categories:

Redis exploitation: Packages connect to locally accessible Redis instances and execute INFO, DBSIZE, and KEYS commands to enumerate and extract database contents. Several variants attempt Docker escape techniques from within containerized Redis deployments.

PostgreSQL credential harvesting: Using hard-coded credentials, the implants connect to PostgreSQL databases and query Strapi-specific tables for secrets. Packages specifically target cryptocurrency-related data, including attempts to access Guardarian exchange databases.

Reconnaissance and secret theft: An expanded credential harvester collects environment variable dumps, Strapi configuration files, network topology information, Docker and Kubernetes secrets, cryptographic keys, and cryptocurrency wallet files.

Persistent C2 implant: The most advanced payload deploys a persistent implant that maintains remote access to hosts matching the hostname prod-strapi. Sandbox analysis recorded 24 outbound connections to 144.31.107.231:9999 — the hard-coded C2 server — spanning the full postinstall execution window.

Who’s Affected

Anyone running Strapi CMS who installed any of these 36 packages is potentially compromised. The targeting is specific: production Strapi deployments with Redis caching layers and PostgreSQL backends. The cryptocurrency-related data targeting (Guardarian tables) suggests financial motivation.

Organizations running Strapi v3 in production with automated npm install pipelines are at highest risk, as the postinstall hook fires without user interaction during dependency resolution.

Indicators of Compromise

  • C2 server: 144.31.107.231:9999
  • Publisher accounts: umarbek1233, kekylf12, tikeqemif26, umar_bektembiev1
  • Package version: All use 3.6.8 with no repository or homepage metadata
  • Execution: Malicious logic in postinstall.js triggers on install

Mitigation

If you installed any of these packages, assume full compromise. Specifically:

  1. Rotate all credentials — database passwords, API keys, cloud provider tokens, SSH keys, and any secrets stored in environment variables or Strapi configuration.
  2. Audit Redis and PostgreSQL access logs for unauthorized INFO, DBSIZE, KEYS commands (Redis) or unexpected queries against Strapi system tables (PostgreSQL).
  3. Check for persistence mechanisms on hosts matching prod-strapi hostname patterns. Inspect crontabs, systemd units, and any unexpected outbound connections to 144.31.107.231.
  4. Review npm audit logs and lock files for any strapi-plugin-* packages not published by the official Strapi organization.
  5. Block 144.31.107.231 at your network egress firewall immediately.
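Steps 2, 3 and 5 above come down to looking for a handful of indicators in logs and socket tables. The following Node.js script is an added example, not code from the advisory or from any affected project: it parses Redis MONITOR output for the INFO/DBSIZE/KEYS enumeration pattern, groups it by client so that a monitoring agent issuing a lone INFO is not confused with a full enumeration, and matches socket-table lines against the 144.31.107.231:9999 C2 endpoint. The log and socket lines are constructed samples; the MONITOR line format is Redis's documented `<timestamp> [<db> <addr>] "CMD" "args"` shape.

```javascript
// Added example (not from the advisory): scan Redis MONITOR output and a
// socket table (e.g. `ss -tn` output) for the indicators in the mitigation steps.
// All input lines below are constructed samples, not captured from a real host.

const C2_HOST = "144.31.107.231";
const C2_PORT = "9999";
// Redis commands the advisory says the implants issue to enumerate a database.
const SUSPICIOUS_REDIS_CMDS = new Set(["INFO", "DBSIZE", "KEYS"]);

// Redis MONITOR lines look like:
//   <epoch.micro> [<db> <client-ip:port>] "CMD" "arg1" "arg2" ...
const MONITOR_RE = /^(\d+\.\d+) \[(\d+) ([^\]]+)\] "([^"]+)"(.*)$/;

function parseMonitorLine(line) {
  const m = MONITOR_RE.exec(line.trim());
  if (!m) return null;
  const args = [...m[5].matchAll(/"((?:[^"\\]|\\.)*)"/g)].map((x) => x[1]);
  return { ts: Number(m[1]), db: Number(m[2]), client: m[3], cmd: m[4].toUpperCase(), args };
}

// Returns every suspicious command seen, plus the clients that issued all three
// enumeration commands (the advisory's pattern), since a single INFO from a
// health check is normal background noise.
function findRedisEnumeration(lines) {
  const hits = lines
    .map(parseMonitorLine)
    .filter((e) => e && SUSPICIOUS_REDIS_CMDS.has(e.cmd));
  const byClient = new Map();
  for (const h of hits) {
    if (!byClient.has(h.client)) byClient.set(h.client, new Set());
    byClient.get(h.client).add(h.cmd);
  }
  const enumeratingClients = [...byClient.entries()]
    .filter(([, cmds]) => cmds.size === SUSPICIOUS_REDIS_CMDS.size)
    .map(([client]) => client);
  return { hits, enumeratingClients };
}

// Flags any socket-table line whose peer is the advisory's C2 endpoint.
function findC2Connections(lines) {
  const needle = `${C2_HOST}:${C2_PORT}`;
  return lines.filter((l) => l.includes(needle));
}

// Constructed sample inputs.
const SAMPLE_MONITOR = [
  '1700000000.100000 [0 10.0.0.5:40000] "GET" "session:abc"',
  '1700000001.200000 [0 172.17.0.3:53210] "INFO"',
  '1700000001.250000 [0 172.17.0.3:53210] "DBSIZE"',
  '1700000001.300000 [0 172.17.0.3:53210] "KEYS" "*"',
  '1700000002.000000 [0 10.0.0.9:41000] "INFO" "server"', // monitoring agent: INFO only
];
const SAMPLE_SOCKETS = [
  "ESTAB 0 0 10.0.0.12:44321 10.0.0.20:5432",
  "ESTAB 0 0 10.0.0.12:51338 144.31.107.231:9999",
  "ESTAB 0 0 10.0.0.12:51340 144.31.107.231:9999",
];

function runSample() {
  const redis = findRedisEnumeration(SAMPLE_MONITOR);
  const c2 = findC2Connections(SAMPLE_SOCKETS);
  return {
    redisHits: redis.hits.length,
    enumeratingClients: redis.enumeratingClients,
    c2Connections: c2.length,
  };
}

console.log(JSON.stringify(runSample(), null, 2));
```

On a real host, feed `redis-cli MONITOR` (or the stored output of an audit proxy) into `findRedisEnumeration` and the output of `ss -tn` into `findC2Connections`; an entry in `enumeratingClients` that is not one of your known application clients, or any match on the C2 endpoint, should be treated as the compromise the advisory describes.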

For ongoing protection, pin dependencies in package-lock.json, use --ignore-scripts during CI/CD installs where possible, and audit postinstall hooks before adding new Strapi community plugins.