Cybersecurity researchers have identified 36 malicious packages within the npm software registry. These packages were disguised as plugins for the Strapi content management system but carried hidden code that targets weakly secured Redis and PostgreSQL databases and establishes long-term access on compromised systems.
The discovery was made by security analysts who monitor open-source repositories for threats. The malicious packages were found to facilitate the exploitation of Redis and PostgreSQL databases, deploy reverse shells for remote control, harvest system credentials, and install a persistent backdoor.
Packaging and Deployment
Each of the 36 packages contained a consistent set of three files: a package.json manifest, an index.js file, and a postinstall.js script. The packages lacked descriptions and repository links, common red flags for suspicious software. The postinstall.js script is of particular concern: npm runs a package's postinstall lifecycle script automatically at the end of npm install, for transitive dependencies as well as direct ones, so the malicious code executes with the installing user's privileges as soon as the package is added, without any further interaction. Only installs run with the --ignore-scripts option skip it.
The primary function of the payload was to target Redis, an in-memory data structure store, and PostgreSQL, a popular open-source relational database. The malicious scripts attempted to authenticate to these services with default or commonly used credentials, a narrow form of credential brute-forcing usually called default-credential guessing. Once authenticated, the code could issue arbitrary commands to the service, and a database or cache reachable with default credentials is typically a short step from full system compromise.
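The defensive counterpart to that credential guessing is to make sure your own deployment is not using the defaults it tries. The following is an added example, not code from the report or from Strapi: it parses the connection URLs an application hands to Redis and PostgreSQL and flags empty or default credentials, the default superuser account, and plaintext transport to a remote host. The weak-password list, the variable names and the sample environment are assumptions for illustration, not indicators taken from the malicious packages.

```javascript
// Added example (not code from the report): audit Redis/PostgreSQL connection
// URLs for the default or empty credentials that opportunistic payloads guess
// first. WEAK_PASSWORDS and SAMPLE_ENV are constructed for illustration.
const DB_SCHEMES = new Set(['postgres', 'postgresql', 'redis', 'rediss']);
const WEAK_PASSWORDS = new Set(['', 'password', 'postgres', 'redis', 'admin', 'root', '123456']);
const DEFAULT_USERS = { postgres: 'postgres', postgresql: 'postgres', redis: 'default' };
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);

// Returns a list of findings for one URL; an empty list means nothing obvious.
// Non-database schemes (https, etc.) are not audited and yield an empty list.
function auditConnectionUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return ['unparseable URL'];
  }
  const scheme = url.protocol.slice(0, -1); // "redis:" -> "redis"
  if (!DB_SCHEMES.has(scheme)) return [];

  const user = decodeURIComponent(url.username);
  const pass = decodeURIComponent(url.password);
  const remote = !LOOPBACK.has(url.hostname);
  const findings = [];

  if (pass === '') {
    findings.push('no password');
  } else if (WEAK_PASSWORDS.has(pass.toLowerCase())) {
    findings.push(`default or weak password "${pass}"`);
  }
  if (DEFAULT_USERS[scheme] !== undefined && user === DEFAULT_USERS[scheme]) {
    findings.push(`default superuser account "${user}"`);
  }
  // Plaintext transport over the network is a separate weakness: even a strong
  // password can be captured in transit. rediss:// and sslmode=require/verify-*
  // are treated as encrypted.
  const tls = scheme === 'rediss' ||
    /^(require|verify-ca|verify-full)$/.test(url.searchParams.get('sslmode') || '');
  if (remote && !tls) {
    findings.push(`unencrypted connection to remote host ${url.hostname}`);
  }
  return findings;
}

// Audits every *_URL variable in an environment object and returns only the
// variables that produced findings.
function auditEnvironment(env) {
  const report = {};
  for (const [name, value] of Object.entries(env)) {
    if (!/_URL$/.test(name)) continue;
    const findings = auditConnectionUrl(value);
    if (findings.length > 0) report[name] = findings;
  }
  return report;
}

// Constructed sample environment for a stand-alone run (hostnames are fictional).
const SAMPLE_ENV = {
  DATABASE_URL: 'postgres://postgres:postgres@db.internal:5432/strapi',
  REDIS_URL: 'redis://db.internal:6379/0',
  CACHE_URL: 'rediss://:k7Qz9v2LxP8sW1mN@cache.internal:6380/0',
  PUBLIC_URL: 'https://example.invalid',
};

console.log(JSON.stringify(auditEnvironment(SAMPLE_ENV), null, 2));
```

Run it against the environment of the deployed service (for example from a CI job that has the same variables). DATABASE_URL and REDIS_URL in the sample come back with findings; CACHE_URL, which uses a generated password over TLS, comes back clean.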
Capabilities and Impact
Beyond database attacks, the packages were equipped to deploy a reverse shell. This type of shell provides an attacker with a direct command-line connection from the victim's machine back to a server they control, enabling interactive remote access for as long as the session stays up; persistence comes from the implant described below. Furthermore, the malware included functionality to harvest sensitive credentials from the infected environment and exfiltrate them to an external server.
The final stage of the attack involved dropping a persistent implant. This implant is designed to survive system reboots and maintain a foothold on the infected server, allowing for ongoing surveillance, data theft, or lateral movement within a network. The combination of these capabilities represents a significant threat to developers and organizations that inadvertently install the tainted packages.
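Both the database stage and the reverse shell leave a trace in the host's socket table. The following added example (not code from the report) triages output in the format of ss -tnp on Linux for the two patterns just described: an unexpected process holding a connection to the Redis or PostgreSQL port, and an outbound session from any process to an external address on a non-web port, which is what a reverse shell or an exfiltration channel looks like. The allow-listed pid, the IPv4-only parsing and the sample lines are assumptions for illustration.

```javascript
// Added example (not code from the report): triage a socket table for
// unexpected database clients and outbound sessions to external hosts.
// EXPECTED_DB_CLIENT_PIDS and SAMPLE_SS_OUTPUT are constructed for illustration.
const DB_PORTS = new Map([[6379, 'redis'], [5432, 'postgresql']]);
const WEB_PORTS = new Set([80, 443]);
const EXPECTED_DB_CLIENT_PIDS = new Set([1432]); // assumption: the Strapi service pid

// RFC 1918 and loopback ranges; anything else counts as external.
function isPrivateIPv4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some((n) => Number.isNaN(n))) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}

// "203.0.113.45:4444" -> { host: "203.0.113.45", port: 4444 }
function splitHostPort(s) {
  const i = s.lastIndexOf(':');
  return { host: s.slice(0, i), port: Number(s.slice(i + 1)) };
}

// Parses one `ss -tnp` data line (State Recv-Q Send-Q Local Peer Process);
// returns null for the header or for lines without process information.
function parseSsLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 6 || f[0] === 'State') return null;
  const m = /\("([^"]+)",pid=(\d+)/.exec(f[5]);
  if (!m) return null;
  return {
    state: f[0],
    local: splitHostPort(f[3]),
    peer: splitHostPort(f[4]),
    process: m[1],
    pid: Number(m[2]),
  };
}

// Returns one finding per suspicious established connection.
function triageSockets(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    const c = parseSsLine(line);
    if (!c || c.state !== 'ESTAB') continue;
    const peer = `${c.peer.host}:${c.peer.port}`;
    const service = DB_PORTS.get(c.peer.port);
    if (service && !EXPECTED_DB_CLIENT_PIDS.has(c.pid)) {
      findings.push({ pid: c.pid, process: c.process, peer, reason: `unexpected ${service} client` });
    }
    if (!isPrivateIPv4(c.peer.host) && !WEB_PORTS.has(c.peer.port)) {
      findings.push({ pid: c.pid, process: c.process, peer,
        reason: 'outbound to external host on non-web port (possible reverse shell or exfiltration)' });
    }
  }
  return findings;
}

// Constructed sample: pid 1432 is the expected Strapi process; 2917 is a second
// node process talking to Redis; 2920 is a shell connected to a documentation-range
// address on port 4444.
const SAMPLE_SS_OUTPUT = `State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:48812 10.0.0.20:5432 users:(("node",pid=1432,fd=23))
ESTAB 0 0 10.0.0.5:51022 10.0.0.20:6379 users:(("node",pid=2917,fd=19))
ESTAB 0 0 10.0.0.5:39920 203.0.113.45:4444 users:(("sh",pid=2920,fd=3))
ESTAB 0 0 10.0.0.5:44018 198.51.100.7:443 users:(("node",pid=1432,fd=31))`;

console.log(JSON.stringify(triageSockets(SAMPLE_SS_OUTPUT), null, 2));
```

On a real host, pipe ss -tnp into the script and replace the pid allow-list with the pids of the services that legitimately talk to the databases; an outbound 443 connection from the application is normal and is deliberately not flagged, since a reverse shell on 443 would need a different signal (process lineage, for instance) to catch.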
Supply Chain Security Concerns
This incident highlights the ongoing risks within software supply chains, particularly in open-source ecosystems like npm. Attackers frequently use "typosquatting", publishing names that are one keystroke away from a real package, or, as here, masquerade as plugins for a popular framework to trick developers into including malicious code in their projects. The npm registry, which hosts over two million packages, is a frequent target for such campaigns because of its widespread use in web development.
Security experts consistently advise developers to scrutinize package dependencies, verify publisher authenticity, pin dependencies with a lockfile, and review what a package's install scripts do before adding it; where no dependency genuinely needs install-time scripts, running npm ci with --ignore-scripts removes the execution path this campaign relied on. Organizations are encouraged to implement software composition analysis tools that can automatically detect known vulnerabilities and malicious packages within their codebase.
Next Steps and Mitigation
The malicious packages have been reported to npm's security team and are expected to be removed from the registry. Developers who may have installed any suspicious Strapi plugin packages are urged to audit their projects and dependencies immediately. Security researchers recommend checking for any unknown or recently added packages with no description and reviewing system logs for unexpected connections to Redis or PostgreSQL services. Because postinstall.js runs at install time, finding one of these packages on a host means the host and every credential reachable from it should be treated as compromised: removing the package does not undo a harvested secret or a dropped implant, so database and service credentials should be rotated and the host rebuilt.
Looking ahead, similar campaigns are anticipated as attackers continue to exploit trust in open-source repositories. The broader security community is likely to increase scrutiny on package metadata and automated installation scripts. Official advisories with specific package names and indicators of compromise are expected to be released to aid in detection and remediation efforts.
Source: Based on reports from cybersecurity researchers.