HACKERS launched a fresh supply chain campaign against Strapi users by publishing 36 NPM packages that masquerade as Strapi plugins, delivering payloads capable of Redis code execution, Docker container escape, credential harvesting, and reverse shell deployment, according to SafeDep. The campaign appears tailored to the cryptocurrency payment gateway Guardarian, with direct probing of databases tied to it, use of a Guardarian API module, and targeting of specific wallet files.
The payloads also include attempts to inject SSH keys, exfiltrate Strapi configurations, and maintain persistent access through credential theft, the article notes. SafeDep describes an attacker progression from Redis RCE and Docker escapes to reconnaissance and data collection, culminating in persistence via theft of targeted credentials.
Users who installed the malicious packages are advised to rotate all credentials, including database passwords, API keys, JWT secrets, and other secrets stored on their systems. The report is dated 6 April 2026 (7:40 AM ET).