ONE Sentinel

Security/THREATS/HIGH

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Source: The Hacker News
April 5, 2026

EXECUTIVE SUMMARY

Malicious npm Packages Target Redis and PostgreSQL for Persistent Attacks

Summary

Cybersecurity researchers have identified 36 malicious npm packages masquerading as Strapi CMS plugins. These packages are designed to exploit Redis and PostgreSQL, deploy reverse shells, harvest credentials, and install persistent implants.

Key Points

  • 36 malicious packages were found in the npm registry, disguised as Strapi CMS plugins.
  • The packages target Redis and PostgreSQL databases for exploitation.
  • Each package includes three files: package.json, index.js, and postinstall.js.
  • The malicious packages facilitate reverse shell deployment and credential harvesting.
  • Persistent implants are dropped on compromised systems.

Analysis

The discovery of these malicious npm packages highlights the ongoing threat posed by supply chain attacks in software development. By targeting widely used databases like Redis and PostgreSQL, attackers can gain unauthorized access and maintain persistence in compromised environments. This underscores the importance of scrutinizing third-party packages and plugins before integration into production systems.

Conclusion

IT professionals should conduct thorough audits of npm packages and plugins, especially those without descriptions or repositories. Regularly update and monitor systems for unusual activity to mitigate the risk of exploitation by such malicious packages.