Guardarian Users Targeted With Malicious Strapi NPM Packages
36 malicious NPM packages posing as Strapi plugins targeted Guardarian users.
Summary
A threat actor published 36 malicious NPM packages across four accounts, all posing as legitimate Strapi plugins, to compromise Guardarian cryptocurrency gateway users. The payloads delivered various attack capabilities including Redis code execution, Docker container escape, credential harvesting, reverse shell deployment, and persistent implants. The campaign shows an evolution from aggressive initial attacks to reconnaissance and targeted credential theft when initial approaches failed.
Full text
A threat actor has targeted the Strapi ecosystem in a fresh supply chain attack involving 36 malicious NPM packages, according to supply chain security firm SafeDep. An open source headless CMS built on Node.js, Strapi allows developers to create websites and mobile applications and generate APIs, enabling them to use their favorite tools and frameworks. On Friday, SafeDep warned that 36 NPM packages published across four accounts as part of a single campaign are delivering various malicious payloads capable of Redis code execution, Docker container escape, credential harvesting, and reverse shell deployment. One of the payloads exploits Redis instances to inject crontab entries, deploy PHP webshells and Node.js reverse shells, inject SSH keys, and exfiltrate a Guardarian API module. Another payload was designed to escape Docker containers via overlay filesystem discovery, write shells to host directories, launch a reverse shell, and read Elasticsearch and wallet credentials. Other payloads were observed deploying reverse shells, harvesting credentials, targeting PostgreSQL databases, searching for wallet/key files, exfiltrating Strapi configurations, and deploying persistent implants.Advertisement. Scroll to continue reading. The campaign, SafeDep says, is targeting the cryptocurrency payment gateway Guardarian, based on direct probing of databases associated with it, the use of a Guardarian API module, and the targeting of specific wallet files. “The eight payloads show a clear narrative: the attacker started aggressive (Redis RCE, Docker escape), found those approaches weren’t working, pivoted to reconnaissance and data collection, used hardcoded credentials for direct database access, and finally settled on persistent access with targeted credential theft,” the cybersecurity firm notes. SafeDep assesses that the campaign was tailored for Strapi users, based on the plugin naming scheme, file paths for configuration directories, environmental variable paths for Docker images, the targeting of Redis instances used as Strapi cache backends, and the focus on Linux systems. Users who installed the malicious packages are advised to rotate all credentials, including database passwords, API keys, JWT secrets, and other secrets stored on their systems. Related: European Commission Confirms Data Breach Linked to Trivy Supply Chain Attack Related: Telnyx Targeted in Growing TeamPCP Supply Chain Attack Related: NPM Package With 56,000 Downloads Steals WhatsApp Credentials, Data Related: Mercor Hit by LiteLLM Supply Chain Attack Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire North Korean Hackers Drain $285 Million From Drift in 10 SecondsCisco Patches Critical and High-Severity Vulnerabilities250,000 Affected by Data Breach at Nacogdoches Memorial HospitalMercor Hit by LiteLLM Supply Chain AttackSophisticated CrystalX RAT EmergesLinx Security Raises $50 Million for Identity Security and GovernanceDepthfirst Raises $80 Million in Series B FundingNew DeepLoad Malware Dropped in ClickFix Attacks Latest News North Korean Hackers Target High-Profile Node.js MaintainersFortinet Rushes Emergency Fixes for Exploited Zero-DayEuropean Commission Confirms Data Breach Linked to Trivy Supply Chain AttackTrueConf Zero-Day Exploited in Asian Government AttacksIn Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by RansomwareCritical ShareFile Flaws Lead to Unauthenticated RCEMobile Attack Surface Expands as Enterprises Lose ControlReact2Shell Exploited in Large-Scale Credential Harvesting Campaign Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveScott Goree has been appointed Senior Vice President of Channel and Alliances at Delinea.Kai has named Nick Degnan as Chief Revenue Officer.Joe Sullivan has been appointed Strategic Advisor at cloud security firm Upwind.More People On The MoveExpert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- malware — Malicious Strapi NPM packages (36 total)
- malware — Redis RCE payload
- malware — Docker escape payload
- malware — Credential harvesting payload