Guardarian Users Targeted With Malicious Strapi NPM Packages
Briefly

"The eight payloads show a clear narrative: the attacker started aggressive (Redis RCE, Docker escape), found those approaches weren't working, pivoted to reconnaissance and data collection, used hardcoded credentials for direct database access, and finally settled on persistent access with targeted credential theft."
"One of the payloads exploits Redis instances to inject crontab entries, deploy PHP webshells and Node.js reverse shells, inject SSH keys, and exfiltrate a Guardarian API module."
A supply chain attack on the Strapi ecosystem has surfaced 36 malicious NPM packages, published from four accounts. Their payloads attempt remote code execution through exposed Redis instances, Docker container escapes, credential harvesting, and reverse-shell deployment. The campaign specifically targets the cryptocurrency payment gateway Guardarian, probing databases associated with it and looking for specific wallet files. The payloads progress from aggressive tactics to reconnaissance and credential theft, and their naming schemes and configuration paths show they were tailored to Strapi users.
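The Redis abuse summarized above (crontab entries and SSH keys written via an exposed instance) generally depends on an unauthenticated, network-reachable Redis whose CONFIG command is still available, since CONFIG SET dir / dbfilename followed by SAVE lets a client choose where the RDB dump lands. The audit below is an added example, not code from the article, SecurityWeek, or the researchers who analysed the packages; it checks a redis.conf for exactly those preconditions. The two sample configurations are constructed for illustration, and the mechanism described is general Redis behaviour, not a claim about what this campaign's payload did step by step.

```python
"""Audit a redis.conf for the settings that make the classic
'point the RDB dump at a cron spool or ~/.ssh' abuse possible.

Added example; the sample configs below are constructed, not taken
from any real host or from the article.
"""

# Constructed sample: the kind of config an exposed instance often has.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed sample: same instance with the usual hardening applied.
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
"""

# bind tokens that expose Redis on every interface (Redis 6+ also accepts
# the optional '-' prefix, which is stripped before comparison below).
ALL_INTERFACES = {"0.0.0.0", "::", "*", "::*"}


def parse_conf(text):
    """Return (directive, args) pairs for each non-comment, non-empty line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        entries.append((directive, args))
    return entries


def audit_redis_conf(text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    values = {}        # last value seen for each plain directive
    disabled = set()   # commands renamed to the empty string, i.e. removed
    has_acl = False    # 'user' or 'aclfile' present: ACL auth is configured
    for directive, args in parse_conf(text):
        if directive == "rename-command":
            parts = args.split()
            if len(parts) == 2 and parts[1].strip("\"'") == "":
                disabled.add(parts[0].upper())
        elif directive in ("user", "aclfile"):
            has_acl = True
        else:
            values[directive] = args

    findings = []

    bind = values.get("bind")
    if bind is None:
        findings.append("no 'bind' directive: Redis listens on every interface")
    else:
        tokens = {t.lstrip("-") for t in bind.split()}
        if tokens & ALL_INTERFACES:
            findings.append(f"bind {bind}: Redis is reachable from every interface")

    if values.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode no: the guard against unauthenticated "
                        "remote access is switched off")

    if "requirepass" not in values and not has_acl:
        findings.append("no 'requirepass' and no ACL configuration: any client "
                        "that can connect is fully trusted")

    if "CONFIG" not in disabled:
        findings.append("CONFIG not disabled: a client can CONFIG SET dir and "
                        "dbfilename, then SAVE the RDB dump to a path such as a "
                        "cron spool or an authorized_keys file")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for finding in audit_redis_conf(conf) or ["no findings"]:
            print(" -", finding)
```

Run it against a real redis.conf with `audit_redis_conf(open("/etc/redis/redis.conf").read())`. Note that `protected-mode` only kicks in when neither `bind` nor `requirepass` is set, so it is a backstop rather than a substitute for the other three settings, which is why each one is checked independently.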
Read at SecurityWeek