PULSE NAME
Thirty-Six Malicious npm Strapi Packages Deploy Redis RCE, Database Theft, and Persistent C2 - Real-time Open Source Software Supply Chain Security
WHITE darksword 2026-04-05 Modified: 2026-04-05
5 IOCs, LOW VOLUME
The SafeDep Team reveals details of thirty-six malicious npm Strapi packages that deploy Redis RCE, database theft, and a persistent C2.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Remote Access
Indicators of Compromise (5)
TYPE    INDICATOR                    DESCRIPTION        CREATED
IPv4    144.31.107.231               CC=US ASN=ASNone   2026-04-05
URL     http://144.31.107.231:4444                      2026-04-05
URL     http://144.31.107.231:8888                      2026-04-05
URL     http://144.31.107.231:9999                      2026-04-05
domain  subprocess.call                                 2026-04-05