An unknown threat actor published 36 malicious npm packages over 13 hours impersonating Strapi CMS plugins, deploying an eight-stage attack chain capable of RCE, container escape, credential harvesting, and cryptocurrency wallet theft targeting Polymarket and bittensor-wallet assets. The attacker demonstrated prior reconnaissance, with hard-coded production database credentials and hostnames embedded in payloads. Organizations using Strapi CMS should audit all installed npm packages against the official @strapi organization, isolate hosts matching the ‘prod-strapi’ hostname, and implement SCA tooling with private registry mirroring.