
36 Malicious npm Packages Discovered Targeting Strapi Developers in Massive Supply Chain Attack

By xploitzone
April 6, 2026 3:45 PM

On the night of April 3, 2026, when most companies around the world had closed their offices, a silent and dangerous operation began. Someone, or perhaps a team, began publishing packages to the npm registry that looked like genuine Strapi CMS plugins.

Strapi is a very popular open-source content management system on which thousands of developers around the world build their applications. These packages were so cleverly crafted that at first glance any developer would mistake them for the real thing. They carried names such as strapi-plugin-cron, strapi-plugin-events and strapi-plugin-database, exactly like those of real, trusted Strapi community plugins. But inside, these packages carried a complete collection of cyberweapons.

How the Attackers Hid Their Identities in This Supply Chain Attack

This attack was not carried out using just one fake account. Investigators discovered that four different sock-puppet npm accounts, or fake identities, were used: umarbek1233, kekylf12, tikeqemif26 and umar_bektembiev1. Sock-puppet accounts mean that a single person or group creates multiple fake identities to make it appear as if several different people are at work.

The advantage of this technique is that if one account is blocked, the others can continue to function. These accounts published all 36 packages within just 13 hours, starting at 02:02 UTC and ending at 04:45 UTC. This speed was a warning sign, but it is very difficult for automated systems to detect this pattern before the damage is already done.
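The publishing pattern just described (many same-prefix packages from a handful of accounts in one short window) is something a registry-side monitor can look for. The following is an added example, not code from the report, from npm or from SafeDep: a sliding-window burst detector over publish events. The four account names come from the article; the package names, timestamps and thresholds are constructed assumptions.

```javascript
// Added example (not npm's or SafeDep's code): flag a name prefix when many new
// packages sharing it are published by several accounts inside a short window.
const WINDOW_MS = 13 * 60 * 60 * 1000; // assumption: 13-hour window
const MIN_PACKAGES = 10;               // assumption: at least 10 packages in the window
const MIN_ACCOUNTS = 2;                // assumption: from more than one publisher account

// "strapi-plugin-cron" -> "strapi-plugin"; names with fewer than three parts stay whole.
function prefixOf(name) {
  const parts = name.split('-');
  return parts.length > 2 ? parts.slice(0, 2).join('-') : name;
}

// events: [{ account, name, time (ms since epoch) }]
// Returns one alert per prefix whose densest window meets both thresholds.
function detectBursts(events) {
  const byPrefix = new Map();
  for (const ev of [...events].sort((a, b) => a.time - b.time)) {
    const p = prefixOf(ev.name);
    if (!byPrefix.has(p)) byPrefix.set(p, []);
    byPrefix.get(p).push(ev);
  }
  const alerts = [];
  for (const [prefix, evs] of byPrefix) {
    // Sliding window over this prefix's (sorted) events, keeping the largest window seen.
    let best = [];
    let start = 0;
    for (let end = 0; end < evs.length; end++) {
      while (evs[end].time - evs[start].time > WINDOW_MS) start++;
      if (end - start + 1 > best.length) best = evs.slice(start, end + 1);
    }
    const accounts = [...new Set(best.map(e => e.account))].sort();
    if (best.length >= MIN_PACKAGES && accounts.length >= MIN_ACCOUNTS) {
      alerts.push({
        prefix,
        packages: best.length,
        accounts,
        from: new Date(best[0].time).toISOString(),
        to: new Date(best[best.length - 1].time).toISOString(),
      });
    }
  }
  return alerts;
}

// Constructed sample: 36 publishes from the four accounts named in the report, spread
// from 02:02 UTC on 3 April 2026 at 4.6-minute intervals, plus three unrelated publishes.
const ACCOUNTS = ['umarbek1233', 'kekylf12', 'tikeqemif26', 'umar_bektembiev1'];
const START = Date.UTC(2026, 3, 3, 2, 2); // month is zero-based: 3 = April
const SAMPLE_EVENTS = Array.from({ length: 36 }, (_, i) => ({
  account: ACCOUNTS[i % ACCOUNTS.length],
  name: `strapi-plugin-sample${i}`, // constructed, not the real package names
  time: START + i * 276000,         // 276000 ms = 4.6 minutes
})).concat([
  { account: 'maintainer-a', name: 'left-align-text', time: START + 60000 },
  { account: 'maintainer-b', name: 'left-align-utils', time: START + 120000 },
  { account: 'maintainer-a', name: 'color-picker', time: START + 180000 },
]);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(detectBursts(SAMPLE_EVENTS), null, 2));
}
```

On the sample data the detector raises a single alert for the strapi-plugin prefix covering all 36 packages and all four accounts, while the two left-align packages stay below the package threshold. The window and counts are tunable; the point is that the signal (one prefix, several fresh accounts, a tight burst) is visible at publish time, before anyone installs the packages.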

Every Malicious Package Functioned as a Separate Weapon in the Attack

What sets this attack apart from other supply chain attacks is that these 36 packages contained eight different types of malware. This means the attackers were not simply copying and pasting code; they were actively testing new tools.

The SafeDep researchers who discovered this attack say this pattern clearly indicates the attacker was working against a specific live system and adjusting in real time. When one technique did not work, they would try something new in the next package. This wasn't the work of a script kiddie; it was a trained, patient and technically advanced threat actor.

Initial Phase of the Attack: Turning Redis into an Exploitation Tool

Shortly after 2 a.m. UTC, strapi-plugin-cron was published; this was the first weapon. The primary target of this package was Redis, an extremely popular in-memory database used in many production applications. If Redis is not configured correctly, a very common mistake, an attacker can use it to run their own code directly on the server.

This is what this package did. It injected cron jobs onto the server, deployed PHP webshells and created Node.js reverse shells, meaning the attacker gained the ability to control the victim server directly from their own computer. This was followed by strapi-plugin-config, which attempted to escape the Docker container: even if the application was running in an isolated Docker container, it tried to break out and reach the full host server.

Mid-Phase of the Attack: From Reconnaissance to Data Exfiltration

When the initial aggressive approaches were not completely successful, the attackers changed their strategy. The packages strapi-plugin-server, strapi-plugin-hooks and strapi-plugin-core, published over the next few hours, did something else clever: they activated only on production systems.

The packages contained code that first checked whether the server's hostname started with prod. If it did, the payload would execute; if it was a test or development server, it would do nothing. This way the attackers ensured that they were on a real live system and not in a test environment. Connections were established to the attackers' own servers on ports 4444 and 8888. Additionally, Elasticsearch passwords and cryptocurrency wallet credentials were extracted from environment variables.

The Most Dangerous Package: An 11-Phase Multi-Stage Attack

At 3:46 UTC another package arrived, strapi-plugin-events, and this was the most sophisticated weapon yet. SafeDep researchers noted that this package attacked in 11 separate phases. First, it exfiltrated the entire .env file, which contains all of the application's secrets.

Then it searched for secret keys and passwords throughout the filesystem. It dumped all of the Redis data. It stole secret tokens from Kubernetes, which manages modern cloud infrastructure. It performed network reconnaissance, that is, it tried to see what else was connected to the server nearby. And finally it established a C2 loop that sent updates to the attacker every 5 minutes. This was the result of installing a single package.

Directly Targeting Cryptocurrency Users in the Attack

At 4:45 UTC that night, another package, strapi-plugin-seed, revealed something else. This package had hardcoded PostgreSQL database credentials, meaning the attackers already had the username and password of a specific database. They entered that database directly and specifically searched for table names like wallets, transactions, deposits, withdrawals, and hot and cold balances.

Then they specifically probed the databases of Guardian, a cryptocurrency payment processor. All this made it clear that this attack was not random. The attackers knew who they were looking for, had already identified the target and probably also possessed some inside information about the company.

Final and Most Sophisticated Technique: Fileless Persistence

The last two packages of the campaign, both named strapi-plugin-api, versions 3.6.8 and 3.6.9, used the most advanced techniques. Version 3.6.8 performed a simple check: it would activate only if the server's hostname was exactly prod-strapi.

This meant that the attackers had identified the victim's exact production server hostname. They then placed a hidden file named .node_gc.js in the /tmp/ directory of that server and installed a crontab entry that would restart it every minute if someone tried to stop it. Version 3.6.9 was even more advanced, as it used fileless execution, meaning it left no files on disk. The entire malware ran from a single command-line string, leaving no trace. Modern antivirus and detection tools generally look for files, which makes malware very difficult to detect when there are no files.

SafeDep's Advanced Detection Reveals the Threat Activity

Cybersecurity company SafeDep runs an automated dynamic-analysis pipeline that executes new packages as they are published to npm to see what they do. When strapi-plugin-events was run, the system noticed it was making 24 outbound connections to an unknown IP address, 144.31.107.231, and simultaneously searching for secrets throughout the filesystem.

This behavior was unusual, the pipeline raised an alert, and researchers began investigating. This is how the entire 36-package campaign came to light. The attack occurred on April 3, was discovered the same day and was publicly reported on April 5.
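To make the kind of behavioural rule that caught strapi-plugin-events concrete, here is an added example; it is not SafeDep's pipeline code and is not from the report. It scores a sandbox event trace on two signals the article names: repeated contact with one unknown host and reads of secret-bearing paths. The trace format, the path patterns, the allow list and the threshold are assumptions; the sample trace is constructed, using the IP address given in the article.

```javascript
// Added example (not SafeDep's pipeline): a minimal behavioural rule over the
// event trace of a freshly published package run in a sandbox.
const SECRET_PATH_PATTERNS = [
  /(^|\/)\.env(\.[\w-]+)?$/,                 // .env, .env.production, ...
  /(^|\/)\.ssh\//,                           // SSH keys and config
  /^\/var\/run\/secrets\/kubernetes\.io\//,  // Kubernetes service-account token mount
  /(^|\/)\.aws\/credentials$/,               // AWS CLI credentials
  /(^|\/)\.npmrc$/,                          // registry auth tokens
];
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']); // assumption: install-time traffic
const CONNECTION_THRESHOLD = 5;                         // assumption: repeated contact = beacon

function isSecretPath(path) {
  return SECRET_PATH_PATTERNS.some(re => re.test(path));
}

// events: [{ type: 'connect', host } | { type: 'open', path }]
function analyseTrace(events) {
  const connections = new Map(); // host -> number of connections
  const secretReads = [];
  for (const ev of events) {
    if (ev.type === 'connect' && !ALLOWED_HOSTS.has(ev.host)) {
      connections.set(ev.host, (connections.get(ev.host) || 0) + 1);
    } else if (ev.type === 'open' && isSecretPath(ev.path)) {
      secretReads.push(ev.path);
    }
  }
  const beacons = [...connections]
    .filter(([, n]) => n >= CONNECTION_THRESHOLD)
    .map(([host, n]) => `${n} connections to ${host}`);
  const findings = [...beacons];
  if (secretReads.length) findings.push(`opened ${secretReads.length} secret-bearing path(s)`);
  // Repeated contact with one unknown host *and* reading secrets is the exfiltration
  // pattern; either alone is only suspicious.
  const verdict = beacons.length && secretReads.length ? 'malicious'
                : findings.length ? 'suspicious' : 'clean';
  return { verdict, findings, secretReads, connections: Object.fromEntries(connections) };
}

// Constructed trace: one registry fetch, 24 contacts with the address from the report,
// and reads of three secret-bearing paths among ordinary module loads.
const SAMPLE_TRACE = [
  { type: 'connect', host: 'registry.npmjs.org' },
  { type: 'open', path: '/app/node_modules/strapi-plugin-events/index.js' },
  { type: 'open', path: '/app/.env' },
  { type: 'open', path: '/root/.ssh/id_rsa' },
  { type: 'open', path: '/var/run/secrets/kubernetes.io/serviceaccount/token' },
  ...Array.from({ length: 24 }, () => ({ type: 'connect', host: '144.31.107.231' })),
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(analyseTrace(SAMPLE_TRACE), null, 2));
}
```

One caveat follows directly from the article: several of these packages only ran when the hostname began with prod, or equalled prod-strapi. A sandbox that executes every package under a single fixed hostname would record an empty trace for them, so a pipeline like this needs to run each package under a few production-looking hostnames (or treat hostname checks in the package's own code as a signal) before trusting a clean verdict.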

It would be wrong to view this attack in isolation. In February 2026, Group-IB reported that software supply chain attacks have become the dominant force reshaping the global cyber threat landscape. Both npm and PyPI (for Python) have become prime targets. Developers inherently trust their tools. When you install a package, you assume it is safe. Attackers exploit this trust.

This year, a single Trivy supply chain attack compromised the European Commission, the LiteLLM compromise affected Mercor, and North Korea compromised Axios. The pattern is clear: instead of directly hacking systems, the enemy now hacks the tools that developers use daily.

Immediate Actions to Take If You Installed These Malicious Packages

If you use Strapi and you installed any packages with the strapi-plugin prefix that you don't remember writing yourself, the first thing to do is to consider yourself compromised and immediately rotate all credentials: database passwords, API keys, JWT secrets, private keys and everything else.

Remove the /tmp/.node_gc.js and /tmp/vps_shell.sh files. Check the crontab for any suspicious entries related to node_gc or curl. Immediately block any network traffic going to the IP address 144.31.107.231. If you use Kubernetes, revoke all service account tokens. These steps may all seem drastic, but not taking them on a compromised system is riskier.

Supply Chain Vulnerabilities Will Increase in Coming Years

This attack is a reminder that cybersecurity is not just about securing your own systems; today you also have to keep secure the tools and libraries you use. Installing a single malicious npm package can start on a developer's machine and reach all the way to the company's entire production infrastructure.

Attackers are fast, patient and increasingly sophisticated. On the defensive side, the most important things are to audit your CI/CD pipelines, take packages only from verified sources and use automated tools that can monitor the behaviour of new packages automatically. Because the next attack may not even take 13 hours.
