A recent supply chain attack has compromised the Strapi ecosystem, a well-known open source headless CMS, through 36 malicious NPM packages. This alarming development was reported by SafeDep, a firm specializing in supply chain security.
Strapi, built on Node.js, empowers developers to create websites, mobile applications, and APIs using their preferred tools. However, this attack poses significant risks, particularly for users of the cryptocurrency payment gateway Guardarian.
NPM Packages Deliver Malicious Payloads
On Friday, SafeDep disclosed that the compromised NPM packages were distributed via four distinct accounts. These packages were designed to execute various harmful activities, including Redis code execution, Docker container breaches, credential theft, and reverse shell deployment.
One of the payloads takes advantage of Redis instances to insert malicious crontab entries, deploy PHP and Node.js reverse shells, and extract sensitive data such as SSH keys and Guardarian API modules.
Advanced Techniques and Targeted Attacks
Another sophisticated payload identified in the attack targets Docker containers, exploiting the overlay filesystem to write shells, initiate reverse shells, and access Elasticsearch and wallet credentials. Additional payloads have been observed deploying reverse shells, stealing credentials, and targeting PostgreSQL databases.
This campaign, as noted by SafeDep, seems particularly focused on Guardarian, evidenced by the probing of related databases, use of specific API modules, and attempts to access wallet files.
Recommendations and Security Measures
SafeDep’s analysis suggests that the attack was meticulously crafted for Strapi users, as seen in the plugin naming conventions, file paths, and environmental variable paths related to Docker images. The focus on Redis instances used in Strapi and the targeting of Linux systems further corroborates this.
Users who have installed these malicious packages are strongly advised to change all credentials immediately. This includes database passwords, API keys, JWT secrets, and any other sensitive information stored on their systems to prevent further compromise.
This incident highlights the increasing sophistication of supply chain attacks and underscores the need for vigilance and robust security measures in open source ecosystems.
