36 Malicious npm Packages Disguised as Strapi Plugins Exploit Redis & PostgreSQL, Deploy Persistent Implants
What Happened – Researchers uncovered 36 npm packages masquerading as Strapi CMS plugins. Each package contains a postinstall.js script that abuses mis‑configured Redis or PostgreSQL instances, opens reverse shells, harvests credentials, and installs a persistent implant on the host.
Why It Matters for TPRM –
- Supply‑chain compromise can affect any downstream organization that pulls npm dependencies, expanding risk beyond the original vendor.
- Persistent implants provide long‑term footholds, increasing the likelihood of data exfiltration or ransomware later.
- The attack leverages common dev‑ops components (Redis, PostgreSQL), highlighting the need for hardened configurations in third‑party services.
Who Is Affected – SaaS platforms, web‑application developers, and any organization that integrates Strapi or other Node.js‑based solutions; broadly impacts the technology and cloud‑infrastructure sectors.
Recommended Actions –
- Conduct an immediate inventory of all npm dependencies, flagging any that reference the 36 malicious packages.
- Verify that all Redis and PostgreSQL instances are not exposed to the internet and enforce strong authentication.
- Apply runtime monitoring for unexpected postinstall scripts and reverse‑shell activity.
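The first and third recommended actions (inventory npm dependencies against a flag list, and surface install‑time scripts) can be automated with a short audit. The script below is an added illustration, not code from the article or from any of the tools it cites: it reads a lockfile‑v2/v3 package-lock.json to build a name→version inventory, walks node_modules to list every preinstall/install/postinstall hook, and reports matches against a flag list. The package names in FLAGGED_PACKAGES and the sample tree are constructed placeholders; substitute the published list of 36 names, which this page does not reproduce.

```python
"""Audit an npm dependency tree for flagged names and install-time scripts."""
import json
import tempfile
from pathlib import Path

# Constructed placeholders: replace with the published malicious package names.
FLAGGED_PACKAGES = {"strapi-plugin-placeholder-a", "strapi-plugin-placeholder-b"}
# Hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def name_from_lock_path(path: str) -> str:
    """Lockfile v2/v3 keys look like 'node_modules/x/node_modules/@s/y'; the
    package name is whatever follows the last 'node_modules/'."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path[idx + len(marker):] if idx >= 0 else path


def inventory_lockfile(lock: dict) -> dict:
    """Map every resolved package in a v2/v3 package-lock.json to its version."""
    inventory = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the empty key is the root project itself
            continue
        inventory[name_from_lock_path(path)] = meta.get("version", "?")
    return inventory


def flagged_dependencies(inventory: dict, flagged=FLAGGED_PACKAGES) -> list:
    """Names present in the inventory that appear on the flag list."""
    return sorted(name for name in inventory if name in flagged)


def install_hooks(node_modules: Path) -> list:
    """Return (package, hook, command) for every install-time script found."""
    hits = []
    for pkg_json in node_modules.rglob("package.json"):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, not fatal
        scripts = data.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                hits.append((data.get("name", pkg_json.parent.name), hook, scripts[hook]))
    return sorted(hits)


def audit(lock: dict, node_modules: Path) -> dict:
    """Combine the lockfile inventory and the on-disk hook scan into one report."""
    inv = inventory_lockfile(lock)
    return {
        "packages": len(inv),
        "flagged": flagged_dependencies(inv),
        "install_hooks": install_hooks(node_modules),
    }


# --- constructed sample input so the script runs stand-alone ----------------
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/strapi-plugin-placeholder-a": {"version": "0.1.3"},
        "node_modules/lodash/node_modules/@scope/inner": {"version": "2.0.0"},
    },
}


def build_sample_node_modules(root: Path) -> Path:
    """Write a tiny node_modules tree: one clean package, one with a postinstall hook."""
    nm = root / "node_modules"
    (nm / "lodash").mkdir(parents=True)
    (nm / "lodash" / "package.json").write_text(
        json.dumps({"name": "lodash", "version": "4.17.21"}), encoding="utf-8")
    bad = nm / "strapi-plugin-placeholder-a"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps({
        "name": "strapi-plugin-placeholder-a",
        "version": "0.1.3",
        "scripts": {"postinstall": "node postinstall.js"},  # constructed hook
    }), encoding="utf-8")
    return nm


def run_demo() -> dict:
    """Audit the constructed sample tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(SAMPLE_LOCK, build_sample_node_modules(Path(tmp)))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On a real project, pass the parsed package-lock.json and the project's node_modules path to audit(). Any install hook in a package that has no native build step deserves a look regardless of whether its name is on the flag list, since the flag list only covers packages already identified.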
Technical Notes – Attack vector: third‑party dependency injection via npm. Payloads include Redis command injection, PostgreSQL credential dumping, reverse‑shell binaries, and a custom persistent implant written in JavaScript. No CVE is associated because the issue resides in malicious code published to a public registry. Source: The Hacker News
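The second recommended action above, verifying that Redis and PostgreSQL instances are not exposed and enforce authentication, is easiest to check from the service configuration itself. The audit below is an added example, not code from the article: it parses a redis.conf and a pg_hba.conf, flags the settings that would let the postinstall payload reach or authenticate to the service (wildcard or missing bind, protected-mode off, no requirepass/ACL; trust or cleartext password methods, rules open to any source address), and shows a weak configuration beside a hardened one. All configuration text is constructed for the demo; the pg_hba parser handles CIDR addresses only, not the separate IP/netmask form.

```python
"""Flag exposure and missing authentication in redis.conf and pg_hba.conf."""
import ipaddress

PASSWORD_METHODS = {"scram-sha-256", "md5", "password"}


def parse_redis_conf(text: str) -> dict:
    """directive -> list of values, in file order (redis.conf has no inline comments)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_redis(text: str) -> list:
    conf = parse_redis_conf(text)
    findings = []
    # A leading '-' marks an optional address in newer Redis bind syntax.
    binds = [b.lstrip("-") for b in " ".join(conf.get("bind", [])).split()]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("redis: listens on all interfaces (missing or wildcard 'bind')")
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("redis: protected-mode disabled")
    if not any(k in conf for k in ("requirepass", "aclfile", "user")):
        findings.append("redis: no authentication configured (no requirepass or ACL)")
    return findings


def address_is_any(address: str) -> bool:
    """True for 'all' or a /0 network; hostnames and samehost/samenet are not 'any'."""
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False


def audit_pg_hba(text: str) -> list:
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()  # TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]
        if f[0] == "local":
            if len(f) < 4:
                continue
            address, method = None, f[3]
        else:
            if len(f) < 5:
                continue
            address, method = f[3], f[4]
        where = f"pg_hba: '{line}'"
        if method == "trust" and f[0] != "local":
            findings.append(f"{where}: 'trust' permits network logins without a password")
        if method == "password":
            findings.append(f"{where}: 'password' sends credentials in cleartext")
        if address and address_is_any(address) and method in PASSWORD_METHODS | {"trust"}:
            findings.append(f"{where}: rule is open to every source address ({address})")
    return findings


# --- constructed weak and hardened configurations ---------------------------
WEAK_REDIS = """
bind 0.0.0.0
protected-mode no
"""
HARDENED_REDIS = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass CHANGE-ME-placeholder
"""
WEAK_HBA = """
host    all   all   0.0.0.0/0   trust
host    all   all   ::/0        md5
"""
HARDENED_HBA = """
local   all   all                  peer
host    all   all   127.0.0.1/32   scram-sha-256
host    all   all   10.0.0.0/8     scram-sha-256
"""


def audit_all(redis_text: str, hba_text: str) -> list:
    """Run both audits and return the combined list of findings."""
    return audit_redis(redis_text) + audit_pg_hba(hba_text)


if __name__ == "__main__":
    for label, r, h in (("weak", WEAK_REDIS, WEAK_HBA), ("hardened", HARDENED_REDIS, HARDENED_HBA)):
        print(label, audit_all(r, h) or ["no findings"])
```

Point audit_all() at the live files (for example /etc/redis/redis.conf and the pg_hba.conf reported by `SHOW hba_file;`) and treat any finding on an internet-reachable host as the exposure the article describes. The configuration check complements, but does not replace, a network-side confirmation that ports 6379 and 5432 are not reachable from outside.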