Security Concern – Self-Hosted Deployment Compromised (Possible RCE?) #1802
Shivamjain-muoro started this conversation in General
Replies: 0 comments
Hi AdminJS team,
We are using AdminJS as part of our frontend/admin panel setup (Next.js-based stack) and self-hosting the entire application on an AWS EC2 instance along with Nginx, Node.js, MySQL, Docker, and LiveKit.
Recently, we discovered that the EC2 instance was compromised and a crypto-mining process was running from /tmp (the binary had been deleted but was still executing in memory). Even after performing a system cleanup, similar mining processes reappear after some time, and our frontend starts returning timeouts when this happens.
We are currently investigating the root cause. From our inspection:
- Only expected ports were publicly exposed (80/443, LiveKit UDP 50000–50020, and required TCP ports).
- Database services were bound to localhost.
- No obvious unknown listening ports were found during port audits.
At this stage, we are trying to rule out all possibilities and would like to understand:
- Has there been any known vulnerability in AdminJS that could potentially allow remote code execution if misconfigured?
- Are there any security best practices or hardening recommendations specifically for production deployments of AdminJS?
We are not assuming AdminJS is the cause, but we want to ensure we are not missing any configuration-related security risks.
Any guidance would be greatly appreciated.
Thanks.
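A triage check for the symptom described in the post (a process still executing from a binary that was deleted from /tmp), as an added example that is not part of the original post or of AdminJS: on Linux, `/proc/<pid>/exe` of such a process reads back with a ` (deleted)` suffix. The name `scan_proc` and the `SUSPECT_DIRS` list are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Flag processes whose executable was deleted or lives in a world-writable dir."""
import os
import sys

# Assumption: world-writable locations where dropped binaries commonly land.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED_SUFFIX = " (deleted)"  # appended by the kernel to an unlinked exe target


def scan_proc(proc_root="/proc"):
    """Return one dict per process that deserves a closer look."""
    findings = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue  # only numeric entries are PIDs
        pid_dir = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        deleted = exe.endswith(DELETED_SUFFIX)
        path = exe[: -len(DELETED_SUFFIX)] if deleted else exe
        in_suspect_dir = path.startswith(SUSPECT_DIRS)
        if not (deleted or in_suspect_dir):
            continue
        try:
            with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            raw = b""
        cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
        findings.append({"pid": int(entry), "exe": path, "deleted": deleted,
                         "suspect_dir": in_suspect_dir, "cmdline": cmdline})
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    for f in scan_proc(root):
        print(f"{f['pid']:>7} deleted={f['deleted']} tmpdir={f['suspect_dir']} "
              f"{f['exe']}  [{f['cmdline']}]")
```

Run it as root so every process's `exe` link is readable. A `deleted` hit outside the listed directories is often just a package that was upgraded while its service kept running, so weigh it together with the `suspect_dir` flag.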