Unveiling the Threat: 36 Malicious npm Packages Targeting Redis and PostgreSQL
In a recent cybersecurity revelation, researchers have identified 36 malicious packages within the npm registry, masquerading as plugins for the Strapi Content Management System (CMS). These packages are engineered to exploit Redis and PostgreSQL databases, deploy reverse shells, harvest credentials, and establish persistent implants on compromised systems.
Deceptive Packaging and Distribution
Each of these malicious packages comprises three files: `package.json`, `index.js`, and `postinstall.js`. Notably, they lack descriptions, repositories, or homepages, and uniformly adopt version 3.6.8 to project the appearance of mature Strapi v3 community plugins. The naming convention follows the pattern strapi-plugin- appended with terms like cron, database, or server, aiming to deceive developers into believing they are legitimate plugins. It’s crucial to note that official Strapi plugins are scoped under @strapi/, distinguishing them from these impostors.
The packages were uploaded over a span of 13 hours by four sock puppet accounts: umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1. The identified packages include:
– strapi-plugin-cron
– strapi-plugin-config
– strapi-plugin-server
– strapi-plugin-database
– strapi-plugin-core
– strapi-plugin-hooks
– strapi-plugin-monitor
– strapi-plugin-events
– strapi-plugin-logger
– strapi-plugin-health
– strapi-plugin-sync
– strapi-plugin-seed
– strapi-plugin-locale
– strapi-plugin-form
– strapi-plugin-notify
– strapi-plugin-api
– strapi-plugin-sitemap-gen
– strapi-plugin-nordica-tools
– strapi-plugin-nordica-sync
– strapi-plugin-nordica-cms
– strapi-plugin-nordica-api
– strapi-plugin-nordica-recon
– strapi-plugin-nordica-stage
– strapi-plugin-nordica-vhost
– strapi-plugin-nordica-deep
– strapi-plugin-nordica-lite
– strapi-plugin-nordica
– strapi-plugin-finseven
– strapi-plugin-hextest
– strapi-plugin-cms-tools
– strapi-plugin-content-sync
– strapi-plugin-debug-tools
– strapi-plugin-health-check
– strapi-plugin-guardarian-ext
– strapi-plugin-advanced-uuid
– strapi-plugin-blurhash
Mechanism of Exploitation
The malicious code resides within the `postinstall` script hook, which executes automatically upon running `npm install`, requiring no user interaction. This script operates with the same privileges as the installing user, posing significant risks, especially in environments where it runs with root access, such as Continuous Integration/Continuous Deployment (CI/CD) pipelines and Docker containers.
Evolution of Malicious Payloads
The payloads delivered by these packages have evolved through several stages:
1. Redis Exploitation and Web Shell Deployment: Initially, the packages targeted locally accessible Redis instances to achieve remote code execution. They injected a crontab entry to download and execute a shell script from a remote server every minute. This script would write a PHP web shell and a Node.js reverse shell into Strapi’s public uploads directory. Additionally, it scanned the system for sensitive information, such as Elasticsearch data and cryptocurrency wallet seed phrases, and attempted to exfiltrate a Guardarian API module.
2. Docker Container Escape and Reverse Shell Activation: The attackers combined Redis exploitation with techniques to escape Docker containers, allowing them to write shell payloads to the host system outside the container. They also launched a direct Python reverse shell on port 4444 and inserted a reverse shell trigger into the application’s `node_modules` directory via Redis.
3. Credential Harvesting and System Reconnaissance: Subsequent payloads focused on scanning the system for environment variables and PostgreSQL database connection strings. They expanded their capabilities to harvest credentials and perform reconnaissance, gathering environment dumps, Strapi configurations, Redis database information (using commands like INFO, DBSIZE, and KEYS), network topology mapping, and extracting Docker/Kubernetes secrets, cryptographic keys, and cryptocurrency wallet files.
4. PostgreSQL Exploitation and Persistent Implant Deployment: The most advanced payloads targeted PostgreSQL databases by connecting to them using hardcoded credentials. They executed arbitrary SQL commands to create new tables, insert malicious data, and establish persistent implants within the database, ensuring continued access and control over the compromised systems.
Implications and Recommendations
This campaign underscores the growing sophistication of supply chain attacks within the open-source ecosystem. By disguising malicious packages as legitimate plugins, attackers can infiltrate development environments, leading to potential data breaches, unauthorized access, and system compromises.
To mitigate such risks, developers and organizations should:
– Verify Package Authenticity: Always confirm the legitimacy of packages by checking their official sources, maintainers, and associated metadata.
– Monitor for Suspicious Activity: Implement monitoring tools to detect unusual behaviors, such as unexpected network connections or unauthorized changes to system files.
– Limit Privileges: Run installation processes with the least privileges necessary to minimize potential damage from malicious scripts.
– Regularly Update Dependencies: Keep all software dependencies up to date to benefit from security patches and improvements.
– Educate Development Teams: Provide training on the risks associated with third-party packages and the importance of supply chain security.
By adopting these practices, organizations can enhance their resilience against supply chain attacks and protect their development environments from malicious actors.
