VDB
GCVE-110-OSM-2026-1258
GCVE-110-OSM-2026-1258
Advisory PublishedCVSS 9.6/10
Scans 17 ports on Guardarian cryptocurrency exchange's staging server (65.21.78.244) during npm postinstall — targeting database ports MySQL, PostgreSQL, Elasticsearch, MongoDB, Redis, and Kibana — then probes all open services with HTTP/HTTPS requests and exfiltrates port states and response bodies to attacker C2 at 144.31.107.231:9999.
postinstall.js iterates 17 ports against 65.21.78.244 using bash /dev/tcp probe. Open ports trigger curl HTTP/HTTPS probes for /, headers, and body. All results POSTed to 144.31.107.231:9999/exfil/stg-* in 50KB chunks. Same C2 infrastructure as strapi-plugin-nordica-sync and nordica-vhost. Published by tikeqemif262@gmail.com 84 minutes after nordica-sync.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | strapi-plugin-nordica-stage | 3.6.8 (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.