A threat actor has targeted the Strapi ecosystem in a fresh supply chain attack involving 36 malicious NPM packages, according to supply chain security firm SafeDep.
An open source headless CMS built on Node.js, Strapi allows developers to create websites and mobile applications and generate APIs, enabling them to use their favorite tools and frameworks.
On Friday, SafeDep warned that 36 NPM packages published across four accounts as part of a single campaign are delivering various malicious payloads capable of Redis code execution, Docker container escape, credential harvesting, and reverse shell deployment.
One of the payloads exploits Redis instances to inject crontab entries, deploy PHP webshells and Node.js reverse shells, inject SSH keys, and exfiltrate a Guardarian API module.
Another payload was designed to escape Docker containers via overlay filesystem discovery, write shells to host directories, launch a reverse shell, and read Elasticsearch and wallet credentials.
Other payloads were observed deploying reverse shells, harvesting credentials, targeting PostgreSQL databases, searching for wallet/key files, exfiltrating Strapi configurations, and deploying persistent implants.
The campaign, SafeDep says, is targeting the cryptocurrency payment gateway Guardarian, based on direct probing of databases associated with it, the use of a Guardarian API module, and the targeting of specific wallet files.
“The eight payloads show a clear narrative: the attacker started aggressive (Redis RCE, Docker escape), found those approaches weren’t working, pivoted to reconnaissance and data collection, used hardcoded credentials for direct database access, and finally settled on persistent access with targeted credential theft,” the cybersecurity firm notes.
SafeDep assesses that the campaign was tailored for Strapi users, based on the plugin naming scheme, file paths for configuration directories, environment variable paths for Docker images, the targeting of Redis instances used as Strapi cache backends, and the focus on Linux systems.
Users who installed the malicious packages are advised to rotate all credentials, including database passwords, API keys, JWT secrets, and other secrets stored on their systems.
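The Redis payload described above relies on a reachable Redis instance whose persistence directory and filename can be repointed at cron or web directories. As an added defensive example (not from the article or SafeDep), the following audit parses a redis.conf body and flags the settings that make that abuse possible; the two configuration fragments are constructed samples, and the hypothetical `REPLACE_WITH_LONG_RANDOM_SECRET` value stands in for a real password.

```python
import re

# Constructed sample (not from the article): a cache-style Redis exposed with
# the weak settings that let an unauthenticated client write files on disk.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/spool/cron
"""

# Constructed hardened counterpart for the same instance.
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
dir /var/lib/redis
rename-command CONFIG ""
rename-command DEBUG ""
"""

def parse_redis_conf(text):
    """Map directive -> [values], skipping comments; repeated directives keep every value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def renamed_commands(conf):
    """Commands disabled via rename-command (renamed to the empty string)."""
    out = set()
    for entry in conf.get("rename-command", []):
        m = re.match(r"(\S+)\s+(\S+)", entry)
        if m and m.group(2) in ('""', "''"):
            out.add(m.group(1).upper())
    return out

def audit_redis_conf(text):
    """Return findings for settings that ease the CONFIG SET dir/dbfilename + SAVE file write."""
    conf = parse_redis_conf(text)
    findings = []
    binds = conf.get("bind", [""])[-1].split()  # absent bind = all interfaces
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind: not set or listens on all interfaces")
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode: disabled")
    if "requirepass" not in conf:
        findings.append("requirepass: no password set")
    d = conf.get("dir", ["./"])[-1]
    if d.startswith(("/var/spool/cron", "/etc/cron", "/root", "/home", "/var/www")):
        findings.append(f"dir: persistence directory {d} is a cron, home or web path")
    missing = {"CONFIG", "DEBUG"} - renamed_commands(conf)
    if missing:
        findings.append("rename-command: still enabled: " + ", ".join(sorted(missing)))
    return findings
```

Run `audit_redis_conf` against each instance's live config (for example the output of `redis-cli CONFIG GET` formatted as directives) rather than only the file on disk, since a compromised instance may have been reconfigured at runtime.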