36 Malicious npm Packages Target Redis and PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers have identified a campaign of 36 malicious packages in the npm (Node Package Manager) registry. The packages were disguised as plugins for the Strapi content management system (CMS). Their real purpose was to target Redis and PostgreSQL databases reachable from the installing host, open reverse shells for remote access, harvest credentials, and finally install a persistent backdoor implant on the compromised system. The discovery is another instance of a software supply chain attack, in which attackers seed a widely used registry with malware so that developers install it themselves.

Analysis shows a consistent, modular structure. Each malicious package contained three files: `package.json`, `index.js`, and `postinstall.js`. The packages lacked standard metadata such as a description or repository link, a common red flag for malicious uploads. `postinstall.js` is the primary attack vector: it is wired to npm's `postinstall` lifecycle hook in `package.json`, which npm runs automatically at the end of `npm install` unless lifecycle scripts are disabled, so the payload executes on the developer's machine or build server with no further interaction. The script first attempts to connect to a local Redis server that requires no password (the default) or accepts a weak one. If the connection succeeds, it uses the Redis `EVAL` command, which executes server-side Lua with the privileges of the Redis process; that is not direct operating-system command execution, but on a weakly protected instance it is a foothold that can lead to full compromise of the server. The script also probes for PostgreSQL connections, aiming to steal credentials and run SQL that establishes persistence.

The campaign's ultimate objective is to deploy a persistent, fileless implant known as "Krut." The implant resides in memory rather than on disk, which makes it hard to detect with traditional file-scanning antivirus. Krut is designed to maintain long-term access to infected systems so that the attackers can carry out further reconnaissance, exfiltrate data, or deploy additional payloads. The Strapi lure is effective because developers routinely install plugins to extend the CMS and may do so without vetting the package first.

This incident is a reminder for organizations and developers to implement robust software supply chain security practices. Key recommendations include: vet all third-party dependencies rigorously, paying particular attention to packages with minimal metadata, a recent publication date, or install-time lifecycle scripts; disable automatic lifecycle scripts where the build allows it (npm's `ignore-scripts` setting) so that a `postinstall` hook cannot run unreviewed; use software composition analysis (SCA) tools to detect known vulnerabilities and malicious code; and segment the network so that Redis and PostgreSQL are reachable only from the hosts that need them. Note that binding Redis to loopback alone does not stop code already running on the same host, which is exactly this campaign's situation, so require authentication (Redis ships with no password by default) and restrict PostgreSQL client access as well. Vigilance and a defense-in-depth strategy are essential to mitigating such stealthy and persistent threats in the open-source ecosystem.