36 Malicious npm Packages Target Redis, PostgreSQL Systems

A new supply chain attack highlights growing risks in open source ecosystems, where attackers are increasingly using trusted package repositories to distribute malicious code at scale. SafeDep has uncovered 36 malicious npm packages disguised as plugins for Strapi, designed to exploit Redis and PostgreSQL systems, steal credentials, and deploy persistent backdoors. The npm malware Redis PostgreSQL attack demonstrates how attackers are leveraging developer trust and automation pipelines to compromise environments without direct user interaction.

The packages mimic legitimate Strapi plugins by using naming conventions such as “strapi plugin cron” or “strapi plugin database,” and share consistent versioning to appear credible. However, unlike official plugins scoped under “@strapi,” these packages were uploaded by fake accounts within a short time frame, indicating a coordinated campaign.

At the core of the attack is malicious code embedded within the postinstall script, which executes automatically during installation. This allows the malware to run with the same privileges as the installing user, including root access in CI/CD pipelines and containerized environments, making it particularly dangerous for enterprise deployments.

The npm malware Redis PostgreSQL attack evolved through multiple stages. Early payloads focused on exploiting Redis instances to achieve remote code execution by injecting cron jobs that downloaded and executed malicious scripts. These scripts deployed web shells and reverse shells while scanning systems for sensitive data such as cryptocurrency wallet information and API keys.

Subsequent iterations expanded capabilities to include Docker container escape techniques, allowing attackers to write payloads outside container boundaries. Additional payloads introduced credential harvesting and reconnaissance functions, collecting environment variables, database connection strings, and infrastructure details including Kubernetes secrets and network topology.

In later stages, attackers leveraged hard-coded credentials to directly access PostgreSQL databases, extracting sensitive data from application tables and searching for financial information. The campaign ultimately deployed persistent implants designed to maintain long-term access to compromised systems and enable ongoing credential theft.

SafeDep noted that the progression of payloads reveals a clear attacker strategy, shifting from aggressive exploitation attempts to reconnaissance and targeted persistence when initial methods proved less effective. The use of specific hostnames and financial data indicators suggests the possibility of a targeted attack against cryptocurrency platforms.

The npm malware Redis PostgreSQL attack is part of a broader surge in supply chain threats affecting open source ecosystems. Recent incidents have involved compromised GitHub repositories, malicious Python packages, and infected development tools, all aimed at exploiting trust relationships within software development workflows.

Security experts warn that such attacks can quickly scale across organizations, as compromised packages are integrated into automated pipelines and widely used applications. Developers and organizations are advised to audit dependencies, verify package sources, and rotate credentials if any suspicious packages have been installed.

The rise of supply chain attacks underscores a fundamental shift in the threat landscape, where attackers are targeting the software development process itself. As the npm malware Redis PostgreSQL attack illustrates, securing code dependencies and build environments is becoming essential to protecting modern applications and infrastructure.
