36 Malicious npm Packages Exploit Redis and PostgreSQL, Deploy Persistent Implants

Recent cybersecurity investigations have identified a serious threat within the npm registry, revealing 36 malicious packages that disguise themselves as Strapi CMS plugins. These packages are engineered to exploit vulnerabilities in Redis and PostgreSQL, deploy reverse shells, harvest credentials, and establish persistent implants on compromised systems.

Overview of the Threat

Each malicious package comprises three files: package.json, index.js, and postinstall.js. Notably, the packages carry no description, repository, or homepage, and all are published as version 3.6.8 to imitate legitimate Strapi v3 community plugins. According to SafeDep, the packages are designed to mislead developers into installing them by adopting a naming convention that starts with “strapi-plugin-” followed by terms such as “cron,” “database,” or “server.” Authentic Strapi plugins, by contrast, are scoped under “@strapi/.”

The packages were uploaded by four sock puppet accounts—“umarbek1233,” “kekylf12,” “tikeqemif26,” and “umar_bektembiev1”—within a mere 13-hour window. The complete list of malicious packages includes:

  • strapi-plugin-cron
  • strapi-plugin-config
  • strapi-plugin-server
  • strapi-plugin-database
  • strapi-plugin-core
  • strapi-plugin-hooks
  • strapi-plugin-monitor
  • strapi-plugin-events
  • strapi-plugin-logger
  • strapi-plugin-health
  • strapi-plugin-sync
  • strapi-plugin-seed
  • strapi-plugin-locale
  • strapi-plugin-form
  • strapi-plugin-notify
  • strapi-plugin-api
  • strapi-plugin-sitemap-gen
  • strapi-plugin-nordica-tools
  • strapi-plugin-nordica-sync
  • strapi-plugin-nordica-cms
  • strapi-plugin-nordica-api
  • strapi-plugin-nordica-recon
  • strapi-plugin-nordica-stage
  • strapi-plugin-nordica-vhost
  • strapi-plugin-nordica-deep
  • strapi-plugin-nordica-lite
  • strapi-plugin-nordica
  • strapi-plugin-finseven
  • strapi-plugin-hextest
  • strapi-plugin-cms-tools
  • strapi-plugin-content-sync
  • strapi-plugin-debug-tools
  • strapi-plugin-health-check
  • strapi-plugin-guardarian-ext
  • strapi-plugin-advanced-uuid
  • strapi-plugin-blurhash

Technical Analysis of the Malicious Code

Analysis reveals that the malicious code is embedded in the postinstall script hook, which npm runs automatically during npm install with no user interaction. The hook executes with the privileges of the installing user, which in CI/CD environments and Docker containers is frequently root.
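The naming, metadata and lifecycle-hook traits described above translate directly into a triage check. The following Node.js script is an added example, not code from the article, SafeDep, npm or Strapi; `assessManifest` and `scanNodeModules` are names chosen here, and the sample manifest is constructed to resemble the reported packages.

```javascript
// Added example (not SafeDep's, npm's or Strapi's code): triage installed
// packages against the indicators this article reports. Each indicator is a
// heuristic; two or more together warrant a manual look, not automatic removal.

// Returns the indicators a package.json (plus its top-level file list) matches.
function assessManifest(manifest, fileList) {
  const hits = [];
  const name = manifest.name || '';
  // Genuine Strapi plugins are scoped under @strapi/; the reported packages were not.
  if (name.startsWith('strapi-plugin-')) hits.push('unscoped strapi-plugin-* name');
  // Lifecycle hooks run automatically on npm install with the installer's privileges.
  const scripts = manifest.scripts || {};
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (scripts[hook]) hits.push(`lifecycle hook ${hook}: ${scripts[hook]}`);
  }
  // The reported packages shipped with no description, repository or homepage.
  if (['description', 'repository', 'homepage'].every((k) => !manifest[k])) {
    hits.push('no description/repository/homepage');
  }
  // All 36 packages carried version 3.6.8 to resemble Strapi v3 community plugins.
  if (manifest.version === '3.6.8') hits.push('version 3.6.8 (campaign marker)');
  // Each consisted of exactly package.json, index.js and postinstall.js.
  const layout = [...(fileList || [])].sort().join(',');
  if (layout === 'index.js,package.json,postinstall.js') {
    hits.push('three-file layout: package.json, index.js, postinstall.js');
  }
  return hits;
}

// Walks a node_modules directory and reports packages matching two or more
// indicators; scoped packages (@scope/name) sit one level deeper and are skipped.
function scanNodeModules(root) {
  const fs = require('fs');   // required lazily so assessManifest stays pure
  const path = require('path');
  const findings = [];
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('@')) continue;
    const dir = path.join(root, entry.name);
    const manifestPath = path.join(dir, 'package.json');
    if (!fs.existsSync(manifestPath)) continue;
    const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
    const hits = assessManifest(manifest, fs.readdirSync(dir));
    if (hits.length >= 2) findings.push({ name: manifest.name, hits });
  }
  return findings;
}
// Constructed sample manifest shaped like the reported packages (not a real one).
const SAMPLE_MANIFEST = { name: 'strapi-plugin-example', version: '3.6.8',
                          scripts: { postinstall: 'node postinstall.js' } };
const SAMPLE_FILES = ['package.json', 'index.js', 'postinstall.js'];
```

Installing with npm's `--ignore-scripts` option (or `ignore-scripts=true` in `.npmrc`) prevents lifecycle hooks such as postinstall from running at all, which removes the execution vector this campaign relied on.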

The evolution of the payloads associated with this campaign indicates a systematic approach to exploitation:

  1. Redis Exploitation: The initial phase involves weaponizing a locally accessible Redis instance for remote code execution. This is accomplished by injecting a crontab entry that downloads and executes a shell script from a remote server every minute. The script writes a PHP web shell and Node.js reverse shell to Strapi’s public uploads directory and scans for sensitive data, including Elasticsearch and cryptocurrency wallet seed phrases.
  2. Docker Container Escape: Attackers combine Redis exploitation with Docker container escape techniques to write shell payloads to the host system. This phase also includes launching a direct Python reverse shell on port 4444.
  3. Credential Harvesting: The payloads are designed to scan the system for environment variables and PostgreSQL database connection strings. They gather environment dumps, Strapi configurations, and Redis database information by executing commands like INFO, DBSIZE, and KEYS.
  4. Database Exploitation: Attackers utilize hard-coded credentials to connect to the target’s PostgreSQL database, querying Strapi-specific tables for sensitive information. This includes extracting cryptocurrency-related data and attempting to connect to multiple Guardarian databases.
  5. Persistent Access: The final phase involves deploying a persistent implant to maintain remote access to a specific hostname, facilitating credential theft by scanning hard-coded paths.

SafeDep noted that the progression of these payloads illustrates a clear narrative: attackers began aggressively, pivoted to reconnaissance and data collection, and ultimately focused on maintaining persistent access while targeting credential theft.

Implications for the Cybersecurity Landscape

The nature of these payloads, particularly their emphasis on digital assets and the use of hard-coded credentials, suggests that this campaign may have been a targeted attack against cryptocurrency platforms. Users who have installed any of the identified packages are strongly advised to assume compromise and rotate all credentials.

This discovery aligns with a broader trend of supply chain attacks targeting the open-source ecosystem. Recent incidents include:

  • A GitHub account named “ezmtebo” submitted over 256 pull requests across various open-source repositories, embedding credential exfiltration payloads that steal secrets through CI logs and PR comments.
  • The hijacking of a verified GitHub organization, “dev-protocol,” to distribute malicious trading bots with typosquatted npm dependencies that steal wallet private keys and exfiltrate sensitive files.
  • A compromise of the popular Emacs package, “kubernetes-el,” which exploited vulnerabilities in its GitHub Actions workflow to steal secrets and inject destructive code.

These incidents highlight the increasing sophistication of supply chain attacks, which have become a dominant force reshaping the global cyber threat landscape. As attackers target trusted vendors and open-source software, the potential for large-scale, cross-border impacts escalates.

Source: cyberwarriorsmiddleeast.com.

Published on 2026-04-05 09:07:00 • By FAME Delivered News Desk
