VDB

GCVE-110-OSM-2026-1248

GCVE-110-OSM-2026-1248
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 1, 2026
Second package published by the same attacker (tikeqemif262@gmail.com) 51 minutes after strapi-plugin-sitemap-gen. postinstall.js is byte-for-byte functionally identical to strapi-plugin-sitemap-gen: same hardcoded C2 VPS (144.31.107.231), same PostgreSQL credentials (user_strapi / 1QKtYPp18UsyU2ZwInVM), same Docker container env var sweep, same SSH key theft, same Python3 reverse shell to port 4444, same SSH persistence tunnel. The two-package campaign broadens the attack surface by targeting developers who install Strapi 'nordica-tools' plugins alongside or instead of 'sitemap-gen' plugins. Identical postinstall.js payload to strapi-plugin-sitemap-gen. All constants, logic, and exfil paths are the same: VPS='144.31.107.231', PORT=9999, reverse shell port 4444, PG creds user_strapi/1QKtYPp18UsyU2ZwInVM, /proc/1/root container escape pattern, Docker config path enumeration, SSH key paths, .env file sweep, Hetzner metadata probe, 172.17.0.x Docker network scan. The only differences are the package name string used in the initial send('sm-start', ...) beacon and the npm package name itself.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownstrapi-plugin-nordica-tools3.6.8 (affected)

Browse GCVE Records

73,044 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›