Linux Strapi Medium Redis RCE Threats from Malicious npm Packages

Attack Delivery: npm Postinstall Execution

The campaign bypassed traditional runtime security by embedding malicious code in the of the package.json file. According to official npm documentation, these lifecycle scripts execute automatically upon installation.

In a modern CI/CD pipeline or a developer’s local environment, this creates a zero-click infection vector. Because many build servers run with elevated or container-root privileges, the malware immediately inherits the ability to probe the underlying Linux host without further user interaction.

Initial Exploitation: Redis RCE and Shell Access

Once the postinstall hook fires, the malware doesn't just sit there—it immediately goes to work on the underlying Linux infrastructure. The most aggressive tactic identified by researchers was the weaponization of locally accessible Redis instances.

• The Redis Persistence Trick: Using the CONFIG SET command, the script reconfigures the Redis working directory to point directly to /var/spool/cron/crontabs/. By forcing a database "save" to this directory, the attacker effectively injects a malicious cron job into the system scheduler. This ensures that even if the npm process is killed, the attacker’s shell script re-downloads and executes every 60 seconds.
• Breaking Out with Reverse Shells: To bridge the gap between the application and the attacker, the payloads spawn multiple reverse shells—primarily on port 4444—to establish a persistent command link. In a particularly bold move, the script utilizes mknod and dd to create raw device nodes. This technique allows the malware to read directly from the disk blocks, potentially bypassing standard filesystem permissions to scrape sensitive data like SSH private keys or raw database files.

Expansion: Moving Laterally Through the Stack

With a foothold established, the malware shifts from exploitation to a full-scale reconnaissance mission. It doesn't just look for local files; it looks for the keys to the entire cloud kingdom.

The payloads perform a comprehensive sweep of the environment, systematically harvesting secrets from CI/CD logs and configuration files. This includes a total "environment dump" where the malware captures every active variable in process.env—snagging everything from AWS session tokens to internal JWT secrets. Beyond the host, the script maps out the local network, probing for Docker sockets and Kubernetes API endpoints, searching for a way to pivot from a single compromised container to the broader production cluster.

Expansion: Credential Harvesting and Infrastructure Access

As the attack progressed, it shifted from exploitation to reconnaissance. The malware collected environment variables, configuration data, and credentials from the host system.

It accessed .env files and application configs, extracted API keys and JWT secrets, and searched for cloud and container credentials, including Kubernetes service account tokens.

The payload also gathered basic network information and checked for access to Docker sockets and internal services, which could be used to move further inside the environment.

Targeting Indicators: Guardarian References

The smoking gun for this being a targeted operation lies in the hostname check. One payload variant remained dormant unless the host identified itself as prod-strapi.

Furthermore, the malware included hardcoded PostgreSQL credentials to target databases named guardarian, guardarian_payments, exchange, and custody. This level of specificity strongly indicates that the attackers had prior knowledge of the target's internal infrastructure and used this npm campaign as a persistent "backdoor" into the company's financial core.

Persistence and Evasion Techniques

To ensure long-term access, the attackers utilized sophisticated persistence mechanisms that avoid standard filesystem detection:

• Hidden Processes: Payloads ran a background /proc scanner for 10 minutes after the main script exited.
• Fileless Execution: Later variants avoided the disk entirely, running a detached process via node -e that stayed in system memory long after the npm install process was terminated.
• SSH Backdoors: The script attempted to append rogue public keys to ~/.ssh/authorized_keys, providing a permanent "front door" for the attackers.

Supply Chain Risk in CI/CD Pipelines

This incident is part of a 2026 surge in "high-velocity" supply chain hits, arriving just days after the Axios maintainer account was hijacked to push malicious Remote Access Trojans.

Industry reports confirm that the npm ecosystem is now a primary vector for targeting CI/CD pipelines. When pipelines blindly execute unverified code during the build phase, the "trusted" dependency graph becomes a Trojan horse for the entire production environment. Sonatype’s latest research suggests these attacks have increased by over 200% year-over-year.

Mitigation and Response

Organizations using Strapi or Node-based workflows should follow these recovery protocols immediately:

• Audit for Shadow Plugins: Legitimate Strapi plugins are strictly scoped under @strapi/. Any unscoped plugin versioned at 3.6.8 is a red flag.
• Rotate All Credentials: Assume any.env file or database password on an infected host is now compromised.
• Inspect Persistence: Check /etc/crontab and /tmp/ for hidden Node.js processes or scripts.
• Block C2 Egress: Block all outbound traffic to known C2 infrastructure and restrict outbound connections from production servers.