Security researchers identified 36 malicious packages in the npm registry masquerading as Strapi CMS plugins. Each package ships only three files: package.json, index.js, and postinstall.js. None carries a description, a repository link, or the other metadata a legitimate plugin would normally have, which is an immediate red flag.

The primary goal of these packages is to exploit Redis and PostgreSQL databases through embedded payloads. The entry point is postinstall.js: npm runs a package's postinstall lifecycle script automatically at the end of `npm install`, with the installing user's privileges, unless lifecycle scripts are disabled with `--ignore-scripts`. That hook starts the execution chain, which deploys a reverse shell, runs a credential-harvesting routine, and drops a persistent implant on the host.

Persistence is provided by the implant, which keeps access to the compromised environment across reboots and survives removal of the original package alone. The credential-harvesting component targets database credentials stored on or reachable from the host (for example in environment variables or configuration files), which can let the attacker escalate privileges or move laterally to the Redis and PostgreSQL instances the application talks to.

Command and control (C2) runs over the reverse shell, giving the remote attacker arbitrary command execution on the compromised host. Delivery through npm is what makes the campaign effective: a developer who installs what looks like a Strapi plugin, or a CI job that runs `npm install` on a dependency tree containing one, executes the payload with no further interaction.

Affected platforms are any Node.js environments that install npm packages, and specifically those running Strapi CMS with Redis or PostgreSQL backends. The attack vector relies on trust in the public registry and on the routine installation of dependencies during development, CI, and deployment.

Detection signals include npm packages that lack standard metadata (no description, no repository field), install-time lifecycle scripts (preinstall, install, postinstall) that spawn shells or open network sockets, unexpected outbound connections from `node` processes spawned under `npm` shortly after an install, and process behaviour consistent with a reverse shell (a shell whose stdin and stdout are attached to a socket). VirusTotal lookups of the package tarballs and custom YARA rules matching the postinstall.js payload patterns help at the file level; note that `npm audit` only reports packages that already have a published advisory, so it will not flag these until they are added to the advisory database.

Removal guidance: uninstall the identified packages from the project's dependencies and lockfile, rotate every database credential (Redis, PostgreSQL) that was reachable from the host, and treat any host that ran the install as compromised: rebuild it where possible, otherwise hunt for the implant and other persistence (scheduled jobs, startup services, modified shell profiles, unexpected listening or outbound connections) rather than assuming removal of the package is enough. To reduce future exposure, vet new dependencies before adding them, install from a lockfile with `npm ci` so integrity hashes are verified, and disable lifecycle scripts by default (`npm config set ignore-scripts true`), re-enabling them only for packages that genuinely need a build step. Note that lockfile integrity checks only detect a tarball that differs from the one originally recorded; they do nothing against a malicious package that was deliberately added, which is why vetting and runtime behaviour monitoring are still needed.

These findings were reported by cybersecurity vendors including Sonatype and JFrog and are part of a growing trend of supply chain attacks against popular JavaScript ecosystems. No CVE IDs have been assigned. Organizations running Strapi CMS should audit their dependency trees now for these packages and for any package exhibiting the same characteristics.