StratosAlly – Cybersecurity for digital safety

36 Malicious npm Packages Exploit Strapi Ecosystem

StratosAlly

A recent supply-chain incident underlines the risks in the open-source ecosystem: 36 malicious packages were uploaded to the npm registry, aimed at developers who use Strapi, a popular open-source headless CMS built on Node.js. The attackers named the packages to resemble legitimate Strapi plugins, adopting the conventional "strapi-plugin-*" prefix so that they would look trustworthy in search results and dependency lists.

A developer who installed one of these packages got the malicious code along with it, and that code ran automatically: npm executes a package's preinstall and postinstall lifecycle scripts during installation, without prompting. A compromised install looks no different from a normal one, so hosts could be put at risk without anyone noticing anything unusual.

Once running on a host, the payload did several things. It looked for Redis and PostgreSQL and used them to move deeper into the environment: in some cases it executed commands through weakly secured Redis instances, in others it tried to log into databases with stolen or exposed credentials. That gave the attackers access to database contents, environment variables and secret keys. The code could also open a reverse shell, often on port 4444, giving the attackers remote control of the system and a connection they could keep coming back to. Port 4444 is the default listener port of Metasploit-style payloads, so outbound connections to it from build or production hosts are a cheap thing to alert on.

The malware could also escape from Docker containers onto the host, which widened the blast radius considerably. It searched for sensitive files, credentials and system details, then installed hidden components for persistence, so the attackers could return even after a reboot. Some of the code was aimed specifically at production systems, for example hosts labelled "prod-strapi", which shows the attack was planned rather than opportunistic.

All 36 packages were published within a short window from freshly created or fake accounts, which points to a coordinated campaign rather than a lone actor. The attackers also adapted their methods over time: early packages relied on noisier techniques such as attacking Redis, while later ones shifted to quieter credential theft and database access, which are harder to detect.

A further package, "express-session-js", was linked to the same campaign. It was a typosquat: a package named to resemble a real, trusted library so that developers would install it by mistake. It dropped a remote access tool that let the attackers control infected systems and connect them back to attacker-controlled servers in real time.

The malicious packages have since been removed from npm, but the full impact is still unknown and the number of affected systems has not been established; given how widely npm packages are used, that uncertainty is itself worrying. Teams running Strapi should check their lockfiles for "strapi-plugin-*" packages from unfamiliar publishers and for "express-session-js", and should treat database credentials, environment variables and secret keys on any host that installed one of them as compromised and rotate them.
