VDB
GCVE-110-OSM-2026-1259
GCVE-110-OSM-2026-1259
Advisory PublishedCVSS 9.6/10
Probes five Guardarian cryptocurrency exchange servers (65.21.203.244:3000, 65.21.203.246, 128.140.36.229, 128.140.36.230, 128.140.36.224) across 25+ endpoints including /wallets, /transactions, /deposits, /addresses, and /balances during npm postinstall, then exfiltrates all API responses in 50KB chunks via HTTP POST to attacker C2 at 144.31.107.231:9999. Also uses a stolen Guardarian payment API key (a78e8684-1c99-4eb4-b899-16e55d552335) to attempt authenticated Cloudflare bypass against api-payments.guardarian.com.
postinstall.js hardcodes C2 at 144.31.107.231:9999 (lines 3-4). send() function (lines 5-21) uses http.request() to POST all collected data to /exfil/<tag> in 50KB chunks. Script probes 5 Guardarian servers with curl across 25+ financial and admin endpoints, then port-scans all 5 IPs across 17 ports (including 5432/PostgreSQL, 9200/Elasticsearch, 27017/MongoDB). Reuses stolen API key a78e8684-... for authenticated endpoint bypass. Sandbox evasion exits on TRANSFER cwd or MINGW uname.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | strapi-plugin-nordica-api | 3.6.8 (affected) | — |
Browse GCVE Records
72,096 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.