VDB
GCVE-110-OSM-2026-1248
GCVE-110-OSM-2026-1248
Advisory PublishedCVSS 9.6/10
Second package published by the same attacker (tikeqemif262@gmail.com) 51 minutes after strapi-plugin-sitemap-gen. postinstall.js is byte-for-byte functionally identical to strapi-plugin-sitemap-gen: same hardcoded C2 VPS (144.31.107.231), same PostgreSQL credentials (user_strapi / 1QKtYPp18UsyU2ZwInVM), same Docker container env var sweep, same SSH key theft, same Python3 reverse shell to port 4444, same SSH persistence tunnel. The two-package campaign broadens the attack surface by targeting developers who install Strapi 'nordica-tools' plugins alongside or instead of 'sitemap-gen' plugins.
Identical postinstall.js payload to strapi-plugin-sitemap-gen. All constants, logic, and exfil paths are the same: VPS='144.31.107.231', PORT=9999, reverse shell port 4444, PG creds user_strapi/1QKtYPp18UsyU2ZwInVM, /proc/1/root container escape pattern, Docker config path enumeration, SSH key paths, .env file sweep, Hetzner metadata probe, 172.17.0.x Docker network scan. The only differences are the package name string used in the initial send('sm-start', ...) beacon and the npm package name itself.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | strapi-plugin-nordica-tools | 3.6.8 (affected) | — |
Browse GCVE Records
73,044 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.