How to Tell if Your Strapi Site Was Compromised in Latest September Attack

JWT tokens staying valid after logout and admin panel SQL injections leave Strapi sites exposed to persistent, difficult-to-detect compromise.

Signs of compromise in a Strapi site often manifest as unauthorized access tokens remaining valid long after logout, unexplained administrative actions you didn’t perform, or sudden deployment of malicious npm packages into your dependencies. If you run Strapi and haven’t updated since May 2026, your site is vulnerable to multiple documented attack vectors including JWT token oracle vulnerabilities, SQL injection in the Content-Type Builder, and CORS bypass attacks. The most critical indicator is finding admin actions or content changes in your logs that you didn’t authorize, combined with JWT tokens that should have expired but are still functioning.

Unlike sudden defacement attacks, Strapi compromise detection requires systematic examination of multiple vectors. An attacker exploiting CVE-2025-3930 could maintain persistent access through renewed JWT tokens for weeks without triggering obvious red flags. A supply chain compromise via malicious npm packages might run silently, exfiltrating credentials or establishing reverse shells to your production Docker containers without any visible site disruption.

What Signs Indicate Your Strapi Admin Panel Was Compromised?

Check your admin action logs for entries you don’t recognize, particularly changes to content, user accounts, or API routes made at times you weren’t working. If you see admin activities timestamped to when your entire team was offline, this is your strongest early indicator of unauthorized access. Look specifically for new user accounts created in the admin panel, deleted content you didn’t remove, or published drafts that were never assigned to any team member.

JWT token abuse is especially telling because of CVE-2025-3930, which allows tokens to remain valid for up to 30 days after logout and permits indefinite renewal before that window closes. Check the `exp` claim of each administrator's JWT to find its expiration timestamp (decode it at jwt.io if you don't have a decoder handy). If the token is older than 30 days but still validates, something is wrong. Compare token issue times (`iat` claim) across your team; if tokens exist that were issued when no administrator was working, investigate immediately.
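The `iat`/`exp` check described above, as an added example that is not code from the original article: it decodes the token payload locally so a live admin token never has to be pasted into a third-party site, then flags tokens older than the 30-day window, tokens whose lifetime exceeds it, and tokens issued outside the team's working hours. The tokens, the `now` timestamp and the working-hours window are constructed sample values.

```python
# Added example, not code from the original article: read the iat/exp claims of
# a Strapi admin JWT locally (no third-party decoder) and flag tokens that are
# older than the 30-day window or were issued outside team hours. The tokens
# and the working-hours window are constructed sample values.
import base64
import json
import time

MAX_TOKEN_AGE = 30 * 24 * 3600  # article: tokens can stay valid up to 30 days

def decode_payload(token: str) -> dict:
    """Return the JWT payload without verifying the signature; we only read claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def audit_token(token: str, now: int, working_hours=(8, 18)) -> list:
    """Return findings for one token; an empty list means nothing looked odd."""
    claims = decode_payload(token)
    iat, exp = claims.get("iat"), claims.get("exp")
    if iat is None or exp is None:
        return ["missing iat or exp claim"]
    findings = []
    if now - iat > MAX_TOKEN_AGE:
        findings.append("issued more than 30 days ago yet still in use")
    if exp - iat > MAX_TOKEN_AGE:
        findings.append("lifetime exceeds 30 days (renewed beyond policy?)")
    hour = time.gmtime(iat).tm_hour
    if not working_hours[0] <= hour < working_hours[1]:
        findings.append(f"issued at {hour:02d}:xx UTC, outside team hours")
    return findings

def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature for testing the audit."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg(claims)}.constructed-sig"

if __name__ == "__main__":
    now = int(time.time())
    stale = make_sample_token({"id": 1, "iat": now - 45 * 86400, "exp": now - 15 * 86400})
    print(audit_token(stale, now))
```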

How to Detect Unauthorized Access Through Log Analysis

Enable detailed Strapi request logging if you haven't already, and review logs for HTTP 200 responses to sensitive endpoints like `/admin/renew-token`, `/admin/init`, and Content-Type Builder endpoints. October 2025 advisories documented CORS misconfiguration vulnerabilities (CVE-2025-53092) affecting versions before 5.20.0 that could allow cross-origin requests to bypass authentication checks. If you're running Strapi before version 5.20.0, check your CORS policy: if it allows `*` (wildcard) or includes origins you don't recognize, you've been running an open door to token renewal attacks.

A critical limitation of log analysis is that sophisticated attackers can delete or modify logs after gaining access. If you have centralized logging to a service like CloudWatch, Datadog, or Splunk that the attacker couldn’t reach directly, that’s your most reliable record. Local log files on the Strapi server are much less trustworthy if compromise is confirmed. Search logs for SQL injection attempts against the Content-Type Builder endpoints (May 2026 vulnerability), which would appear as unusual character sequences like single quotes, double dashes, or `UNION SELECT` in request parameters.
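The two log searches described in this section (200 responses to the admin token endpoints, and SQL-injection markers in Content-Type Builder requests), as an added example that is not code from the original article. The log lines are constructed samples in a common access-log layout using documentation IP addresses; `LINE_RE` is an assumption about the log format and would need adapting to your own.

```python
# Added example, not code from the original article: scan access logs for 200
# responses to Strapi's admin token endpoints and for SQL-injection markers
# aimed at Content-Type Builder routes. Log lines are constructed samples in a
# common access-log layout; adapt LINE_RE to your own log format.
import re
from urllib.parse import unquote

SENSITIVE_ADMIN = {"/admin/renew-token", "/admin/init"}
CTB_PREFIX = "/content-type-builder/"
# Markers the article lists: single quote, double dash, UNION SELECT
SQLI_MARKERS = re.compile(r"'|--|\bunion\s+select\b", re.IGNORECASE)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def scan_log_lines(lines):
    """Return (kind, ip, timestamp, path) tuples for lines worth a closer look."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparsable line: not this format
        path = unquote(m["path"])         # decode %27 etc. before matching
        route = path.split("?", 1)[0]
        status = int(m["status"])
        if route in SENSITIVE_ADMIN and status == 200:
            findings.append(("admin-endpoint-200", m["ip"], m["ts"], route))
        if route.startswith(CTB_PREFIX) and SQLI_MARKERS.search(path):
            findings.append(("ctb-sqli-pattern", m["ip"], m["ts"], path))
    return findings

# Constructed sample lines (RFC 5737 documentation addresses, not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Oct/2025:03:14:07 +0000] "POST /admin/renew-token HTTP/1.1" 200 412',
    '198.51.100.2 - - [02/Oct/2025:09:00:01 +0000] "GET /admin/init HTTP/1.1" 200 88',
    '203.0.113.7 - - [02/Oct/2025:03:15:22 +0000] "GET /content-type-builder/content-types/'
    'api::article.article%27%20UNION%20SELECT%201-- HTTP/1.1" 500 0',
    '198.51.100.2 - - [02/Oct/2025:09:01:10 +0000] "GET /api/articles?populate=* HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG):
        print(*finding)
```

Feed it the centralized copy of your logs (CloudWatch, Datadog, Splunk exports) rather than the local files, for the reason given above.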

[Chart: Strapi Critical Vulnerabilities and Attack Vectors (2025–2026). Bars labelled "Vulnerabilities and Packages": October 2025 CORS/JWT, 3; May 2026 Admin Reset, 1; May 2026 SQL Injection, 1; April 2026 Supply Chain, 36; Persistence Risk (Months), 2. Source: Strapi Security Advisories, CVE Database, SecurityWeek]

Can You Detect the Admin Token Oracle Vulnerability (May 2026)?

The unauthenticated admin reset-token oracle vulnerability discovered in May 2026 allows attackers to reset admin passwords without owning an existing account. Check if new admin accounts were created, or if your original admin password no longer works but you didn’t reset it yourself. This vulnerability is particularly dangerous because it leaves minimal audit traces—the attacker doesn’t need to hijack an existing token; they can create their own admin account and perform actions completely independently.

Review request logs for POST requests to endpoints that handle password reset or token generation, particularly any requests that returned a 200 status but came from unfamiliar IP addresses. If you're running a May 2026 Strapi release or later without having applied the published patches, assume your password reset functionality is exploitable. Change your admin password immediately using a completely fresh browser session (clear all cookies first) and from a different network if possible.

What Are the Indicators of Supply Chain Compromise via Malicious npm Packages?

In April 2026, malicious npm packages were published across four attacker accounts targeting Strapi deployments, with payloads designed for Redis code execution, Docker container escape, credential harvesting, and reverse shell deployment. If you notice sudden CPU spikes on your server, unexpected network connections to unknown IP addresses, or processes running as the `node` user that you didn't start, you may have installed a compromised dependency. Compare your `package-lock.json` or `yarn.lock` against your `package.json`; if locked versions don't match your declared versions, an automated upgrade or injection may have occurred.

The malicious packages didn’t always announce themselves obviously. Some were distributed under names nearly identical to legitimate Strapi packages, differing by only one or two characters. Audit your node_modules directly: look for packages in the `node_modules/.bin/` directory that shouldn’t exist, check modification timestamps on critical packages like `@strapi/core`, and verify that the `package.json` inside each package’s directory matches what npm’s registry shows. If you pulled in dependencies between January and April 2026, explicitly review the packages from that period—Guardarian users were specifically targeted but other Strapi deployments were affected as collateral.
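A check for the one-or-two-character lookalike names described above, as an added example that is not code from the original article: it compares every declared dependency against an allowlist of legitimate Strapi package names and reports near-misses by edit distance. The allowlist and the `package.json` contents are constructed for illustration; build the real allowlist from a lockfile at a commit you trust.

```python
# Added example, not code from the original article: compare declared npm
# dependency names against a list of legitimate Strapi package names and flag
# near-matches (edit distance 1 or 2) that could be typosquats. The known-package
# list and the package.json contents below are constructed for illustration.
import json

# Constructed allowlist; populate it from your own lockfile at a known-good commit
KNOWN_STRAPI_PACKAGES = {
    "@strapi/strapi", "@strapi/core", "@strapi/plugin-users-permissions",
    "@strapi/plugin-i18n", "@strapi/plugin-cloud",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(declared: dict, known=KNOWN_STRAPI_PACKAGES, max_distance=2):
    """Return (name, closest_known, distance) for names near, but not in, the allowlist."""
    hits = []
    for name in declared:
        if name in known:
            continue
        closest, dist = min(((k, edit_distance(name, k)) for k in known), key=lambda kv: kv[1])
        if dist <= max_distance:
            hits.append((name, closest, dist))
    return sorted(hits)

def lookalikes_from_package_json(text: str):
    """Check both dependencies and devDependencies of a package.json document."""
    pkg = json.loads(text)
    declared = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    return find_lookalikes(declared)

# Constructed package.json with two suspicious names alongside legitimate ones
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"@strapi/strapi": "5.20.0", "@strapi/core": "5.20.0",
                     "@strapl/core": "5.20.0", "lodash": "4.17.21"},
    "devDependencies": {"strapi-core": "1.0.0"},
})

if __name__ == "__main__":
    for name, closest, dist in lookalikes_from_package_json(SAMPLE_PACKAGE_JSON):
        print(f"{name}: {dist} edit(s) from {closest}")
```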

What Does Database and File System Compromise Look Like?

Examine your Strapi database for unexpected tables, columns, or records that you didn’t create. If an attacker gained access through SQL injection (CVE-2026-22599, the Content-Type Builder vulnerability), they may have created new content types or tables. Query your database’s information schema to list all tables and their creation timestamps—anything created outside your maintenance windows is suspicious.

Similarly, check for new user accounts in the `strapi_users` table or new API routes and permissions in the `core_store` table that you didn’t define. File system indicators include unexpected files in your `./public` directory (backup files, shell scripts, or data dumps), modification timestamps on `.js` files in `./node_modules` that don’t match their package versions, and new entries in your `.env` file if an attacker tried to exfiltrate credentials. One warning: if an attacker planted a web shell in your public directory, they may also have planted cron jobs or systemd services to maintain persistence. Check for unexpected cron entries with `crontab -l` (for your current user) and review systemd services in `/etc/systemd/system/` for anything unrecognized.

How to Verify Your npm Dependencies Against Known Malicious Packages

Run `npm audit` to check for known vulnerabilities, but also manually audit your dependencies if you’re concerned about the April 2026 supply chain attack. Create a list of packages in your `package.json`, then visit the npm registry page for each package (npmjs.com/package/[package-name]) and verify that the latest version and download patterns match what you’d expect. Legitimate packages have consistent weekly download counts; if a version suddenly drops to near zero after an update you performed, check the package’s issue tracker to see if others reported problems.

A practical comparison: `npm audit` catches known CVEs, but it won’t catch typosquatting attacks or zero-day malicious packages. Cross-reference your dependencies against security advisories from the Strapi team directly (strapi.io/blog/) rather than relying solely on automated tools. If you installed dependencies during the vulnerable window and can’t definitively verify them, the safest approach is to delete `node_modules`, remove `package-lock.json`, and run `npm install` again from a machine you trust hasn’t been compromised.

What Immediate Actions Should You Take If You Suspect Compromise?

First, rotate all credentials: change admin passwords, regenerate API tokens, and if the attacker accessed your `.env` file, rotate any third-party API keys (databases, CDNs, payment processors). Change your npm publishing tokens (if you publish packages) and any service account credentials the attacker might have discovered. Update Strapi immediately to the latest patched version—as of May 2026, multiple critical vulnerabilities have been documented and fixed. Run `npm update @strapi/*` to pull the latest patches for all core Strapi packages.

Second, rotate your server SSH keys if the attacker gained shell access, review `~/.ssh/authorized_keys` on every account for public keys you didn't add, and check your SSH authentication logs for logins you don't recognize. If running on Docker, rebuild your container images from scratch rather than trying to clean the existing container; malicious package payloads may have planted hooks that reinstall themselves. Review your Git commit history to see if any unauthorized changes were pushed; if so, force-push a clean version after ensuring your local branch is actually clean. Third, enable two-factor authentication on any accounts that don't have it, particularly npm, hosting provider control panels, and DNS registrar accounts.
