36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants
Supply Chain Alert: 36 Malicious npm Packages Targeting Strapi CMS and Databases
TL;DR
Cybersecurity researchers have uncovered a coordinated campaign involving 36 malicious npm packages disguised as Strapi CMS plugins. These packages exploit Redis and PostgreSQL instances, deploy reverse shells, and drop persistent implants. The attack appears to specifically target cryptocurrency platforms using hard-coded credentials and targeted hostnames.
Overview of the Attack
Security firm SafeDep recently identified a cluster of 36 malicious packages on the npm registry. These packages were designed to mimic legitimate plugins for Strapi, a popular open-source Headless CMS.
To appear authentic, the attackers used the naming convention strapi-plugin-[name] (e.g., strapi-plugin-cron, strapi-plugin-database). However, official Strapi plugins are typically scoped under the @strapi/ namespace. The malicious versions were uploaded over a 13-hour window by four sock puppet accounts:
umarbek1233kekylf12tikeqemif26umar_bektembiev1
Every package used version 3.6.8 to simulate the appearance of a mature, stable community plugin, despite lacking descriptions, repository links, or homepages.
Technical Deep Dive: The Infection Vector
The malicious code is embedded within the postinstall.js file. Because this script is triggered automatically during npm install, the payload executes without any user interaction. In CI/CD environments and Docker containers, these scripts often run with high-level privileges, allowing attackers to abuse root access.
Evolutionary Payloads
Researchers observed eight distinct stages in the evolution of the payloads, indicating a "trial-and-error" approach by the threat actor:
- Redis Exploitation: Weaponizing local Redis instances to inject crontab entries that download shell scripts every minute.
- Web & Reverse Shells: Writing PHP web shells and Node.js reverse shells into Strapi’s public upload directories.
- Docker Escape: Attempting to break out of containers to write payloads directly onto the host system.
- Credential Harvesting: Scanning for environment variables, Elasticsearch secrets, and cryptocurrency wallet seed phrases.
- Direct Database Access: Using hard-coded credentials to connect to PostgreSQL databases and querying Strapi-specific tables for sensitive data.
- Persistence: Deploying an implant specifically designed to maintain access to a hostname labeled prod-strapi.
A Targeted Cryptocurrency Campaign?
The nature of the collected data—specifically targeting Guardarian API modules, cryptocurrency wallet files, and "hot/cold" balance patterns—suggests this was not a random attack. The presence of hard-coded database credentials implies the attackers may have already possessed internal data from a prior compromise or a secondary leak.
The Broader Supply Chain Landscape
This incident is part of a larger, "industrialized" trend in supply chain compromises. Other recent attacks noted by researchers include:
- GitHub "ezmtebo" Account: 256+ malicious pull requests designed to leak secrets via CI logs.
- Polymarket Hijack: Typosquatted dependencies used to steal private keys from trading bots.
- VS Code Extensions: Malicious extensions by "IoliteLabs" and "KhangNghiem" used to deploy Socket.IO RATs and clipboard monitors.
- PyPI Backdoors: Typosquatted packages like pyronut (targeting Pyrogram) and compromised versions of bittensor-wallet used for stealthy data exfiltration.
Conclusion and Recommendations
The complexity of this campaign highlights how attackers are turning development pipelines into distribution channels for malware. By pivoting from aggressive RCE attempts to stealthy reconnaissance and persistence, the threat actors demonstrated a high level of determination.
If you use Strapi CMS:
- Review Dependencies: Ensure all plugins are from the official @strapi/ scope or verified community sources.
- Audit Logs: Check for any unknown postinstall executions in your CI/CD pipelines.
- Rotate Credentials: If any of the flagged packages (list below) were installed, assume compromise and rotate all database passwords, API keys, and environment secrets immediately.
Flagged Packages Include:
strapi-plugin-cron, strapi-plugin-config, strapi-plugin-server, strapi-plugin-database, strapi-plugin-core, strapi-plugin-nordica, strapi-plugin-finseven, strapi-plugin-advanced-uuid, and strapi-plugin-blurhash (among others).
Source: The Hacker News