A new supply chain attack has been uncovered targeting users of Guardarian through malicious packages published on the NPM registry. According to SafeDep, threat actors uploaded 36 fake packages disguised as plugins for Strapi, an open-source content management system widely used by developers.
The malicious packages were distributed across multiple accounts and engineered to deliver a wide range of harmful payloads. These included capabilities such as executing remote shell commands, escaping Docker containers, and harvesting sensitive credentials from compromised systems, making the attack both versatile and highly dangerous.
Researchers identified several advanced attack techniques embedded within these packages. One payload targeted Redis instances, enabling attackers to inject malicious tasks, deploy web shells, and extract sensitive data, including API-related information connected to Guardarian. Another payload focused on container escape mechanisms, allowing attackers to break out of isolated environments, write malicious scripts to host systems, and access credentials stored in services like Elasticsearch and digital wallets.
Further analysis revealed additional payloads targeting PostgreSQL databases, scanning systems for cryptocurrency wallet files and private keys, and exfiltrating critical Strapi configuration data. Attackers also established persistence using reverse shells and long-term implants, ensuring continued access to compromised environments.
SafeDep noted that the attack evolved significantly over time initially taking aggressive approaches, then shifting toward reconnaissance and data collection, and ultimately focusing on persistent access combined with targeted credential theft.
The campaign appears to be highly tailored to the Strapi ecosystem, as evidenced by the naming conventions of the malicious plugins, targeted file paths, and focus on Linux-based deployment environments commonly used by developers.
Security experts are urging developers who may have installed any of these packages to immediately rotate all credentials, including database passwords, API keys, and authentication tokens, to minimize potential damage.
Ultimately, this incident highlights the growing risk of software supply chain attacks within open-source ecosystems. As attackers increasingly weaponize seemingly legitimate third-party packages, organizations must adopt stricter dependency management, continuous monitoring, and verification practices to safeguard development environments and enterprise systems.
Recommended Cyber Technology News:
- Cycore Helps Cocoon Achieve SOC 2 Compliance Fast
- QuiX Quantum Achieves Breakthrough in Photonic Error Mitigation
- Microsoft Teams Fake Domains Used to Spread Malware
To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com
