36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Ravie Lakshmanan, Apr 05, 2026, Malware / DevSecOps

Cybersecurity researchers have discovered 36 malicious npm packages posing as legitimate Strapi CMS plugins. The packages carry hidden payloads that exploit Redis and PostgreSQL, deploy reverse shells, harvest credentials, and install persistent implants.

The packages carry the version number 3.6.8 to masquerade as mature Strapi v3 community plugins, and are named with the prefix "strapi-plugin-" followed by terms such as "cron," "database," or "server" so that developers searching for a plugin pick them up. Official Strapi plugins are published under the "@strapi/" scope, so an unscoped name of this form is a cue to inspect the package before installing it rather than evidence of legitimacy.

The packages were uploaded by four sock-puppet accounts over a short period under names such as "strapi-plugin-cron," "strapi-plugin-config," and "strapi-plugin-server."

Further analysis shows that the malicious code is triggered from the package's postinstall script hook, so it runs automatically during installation with no action from the developer beyond "npm install". The hook does not grant elevated privileges by itself; it runs as whoever runs the install, which in CI/CD pipelines and Docker image builds is frequently root, giving the payload full control of the runner or container. Installing with "--ignore-scripts" (or setting "ignore-scripts=true" in the npm config) blocks this execution path, at the cost of having to run any legitimate install scripts by hand.

The payloads grow in complexity across the set, ranging from abusing Redis to gain remote code execution on the host to querying PostgreSQL databases for sensitive data. Taken together they show a clear progression in the attackers' tooling, indicating a calculated and persistent threat rather than a one-off upload.

Given the focus on extracting digital assets, there is speculation that the campaign was aimed at cryptocurrency platforms. Anyone who has installed any of the identified packages should assume the host is compromised, remove the package and any implant it left behind, and rotate every credential that was reachable from that host, including database passwords, tokens, and keys present in the environment or CI secrets.

This discovery comes amidst a series of supply chain attacks targeting various open-source ecosystems, highlighting the growing sophistication and impact of such malicious activities on the cybersecurity landscape.

In a changing threat landscape, it’s crucial for organizations and individuals to remain vigilant and proactive in defending against supply chain attacks, ensuring the integrity and security of their digital environments.