{"campaign":{"name":"Strapi Plugin C2 Campaign","slug":"strapi-plugin-c2-campaign","href":"/ti/campaigns/strapi-plugin-c2-campaign","description":"36 npm packages impersonating Strapi plugins that deploy Redis RCE, steal databases and maintain persistent command and control.","objective":"Establish persistent C2 and exfiltrate databases from Strapi deployments.","aliases":[],"discovered_at":"2026-04-03"},"packages":[{"ecosystem":"npm","name":"strapi-plugin-cron","href":"/ti/packages/npm/strapi-plugin-cron","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-config","href":"/ti/packages/npm/strapi-plugin-config","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-server","href":"/ti/packages/npm/strapi-plugin-server","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-database","href":"/ti/packages/npm/strapi-plugin-database","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-core","href":"/ti/packages/npm/strapi-plugin-core","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-hooks","href":"/ti/packages/npm/strapi-plugin-hooks","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-monitor","href":"/ti/packages/npm/strapi-plugin-monitor","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-events","href":"/ti/packages/npm/strapi-plugin-events","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-logger","href":"/ti/packages/npm/strapi-plugin-logger","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-health","href":"/ti/packages/npm/strapi-plugin-health","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-sync","href":"/ti/packages/npm/strapi-plugin-sync","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-seed","href":"/ti/packages/npm/strapi-plugin-seed","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-locale","href":"/ti/packages/npm/strapi-plugin-locale","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-form","href":"/ti/packages/npm/strapi-plugin-form","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-notify","href":"/ti/packages/npm/strapi-plugin-notify","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-api","href":"/ti/packages/npm/strapi-plugin-api","threat_types":["c2_agent"],"versions":["3.6.8","3.6.9"]},{"ecosystem":"npm","name":"strapi-plugin-sitemap-gen","href":"/ti/packages/npm/strapi-plugin-sitemap-gen","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-nordica-tools","href":"/ti/packages/npm/strapi-plugin-nordica-tools","threat_types":["c2_agent"],"versions":["3.6.10"]},{"ecosystem":"npm","name":"strapi-plugin-nordica-sync","href":"/ti/packages/npm/strapi-plugin-nordica-sync","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-nordica-cms","href":"/ti/packages/npm/strapi-plugin-nordica-cms","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-nordica-api","href":"/ti/packages/npm/strapi-plugin-nordica-api","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-nordica-recon","href":"/ti/packages/npm/strapi-plugin-nordica-recon","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-nordica-stage","href":"/ti/packages/npm/strapi-plugin-nordica-stage","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-nordica-vhost","href":"/ti/packages/npm/strapi-plugin-nordica-vhost","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-nordica-deep","href":"/ti/packages/npm/strapi-plugin-nordica-deep","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-nordica-lite","href":"/ti/packages/npm/strapi-plugin-nordica-lite","threat_types":["c2_agent"],"versions":["3.6.11"]},{"ecosystem":"npm","name":"strapi-plugin-nordica","href":"/ti/packages/npm/strapi-plugin-nordica","threat_types":["c2_agent"],"versions":["3.6.10"]},{"ecosystem":"npm","name":"strapi-plugin-finseven","href":"/ti/packages/npm/strapi-plugin-finseven","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-hextest","href":"/ti/packages/npm/strapi-plugin-hextest","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-cms-tools","href":"/ti/packages/npm/strapi-plugin-cms-tools","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-content-sync","href":"/ti/packages/npm/strapi-plugin-content-sync","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-debug-tools","href":"/ti/packages/npm/strapi-plugin-debug-tools","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-health-check","href":"/ti/packages/npm/strapi-plugin-health-check","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-guardarian-ext","href":"/ti/packages/npm/strapi-plugin-guardarian-ext","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-advanced-uuid","href":"/ti/packages/npm/strapi-plugin-advanced-uuid","threat_types":["c2_agent"],"versions":["3.6.8"]},{"ecosystem":"npm","name":"strapi-plugin-blurhash","href":"/ti/packages/npm/strapi-plugin-blurhash","threat_types":["c2_agent"],"versions":["3.6.8"]}],"indicators":[{"kind":"ipv4","value":"144.31.107.231","href":"/ti/ioc/ipv4/144.31.107.231","context":"IP address indicator from blog post"},{"kind":"email","value":"w1gtd@sharebot.net","href":"/ti/ioc/email/w1gtd@sharebot.net","context":"Email indicator from blog post"}],"ttps":[{"name":"Supply Chain Compromise: Compromise Software Dependencies and Development Tools","mitre_attack_id":"T1195.001","href":"/ti/ttps/T1195.001"},{"name":"Command and Scripting Interpreter: JavaScript","mitre_attack_id":"T1059.007","href":"/ti/ttps/T1059.007"},{"name":"Masquerading: package impersonation and typosquatting","mitre_attack_id":"T1036","href":"/ti/ttps/T1036"},{"name":"Ingress Tool Transfer","mitre_attack_id":"T1105","href":"/ti/ttps/T1105"},{"name":"Application Layer Protocol: Web Protocols","mitre_attack_id":"T1071.001","href":"/ti/ttps/T1071.001"},{"name":"Event Triggered Execution","mitre_attack_id":"T1546","href":"/ti/ttps/T1546"}],"related_campaigns":[],"reports":[{"title":"Thirty-Six Malicious npm Strapi Packages Deploy Redis RCE, Database Theft, and Persistent C2","url":"https://safedep.io/malicious-npm-strapi-plugin-events-c2-agent","published_at":"2026-04-03"}]}