VDB

GCVE-110-OSM-2026-1258

GCVE-110-OSM-2026-1258
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 1, 2026
Scans 17 ports on Guardarian cryptocurrency exchange's staging server (65.21.78.244) during npm postinstall — targeting database ports MySQL, PostgreSQL, Elasticsearch, MongoDB, Redis, and Kibana — then probes all open services with HTTP/HTTPS requests and exfiltrates port states and response bodies to attacker C2 at 144.31.107.231:9999. postinstall.js iterates 17 ports against 65.21.78.244 using bash /dev/tcp probe. Open ports trigger curl HTTP/HTTPS probes for /, headers, and body. All results POSTed to 144.31.107.231:9999/exfil/stg-* in 50KB chunks. Same C2 infrastructure as strapi-plugin-nordica-sync and nordica-vhost. Published by tikeqemif262@gmail.com 84 minutes after nordica-sync.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownstrapi-plugin-nordica-stage3.6.8 (affected)

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›