VDB

GCVE-110-OSM-2026-1259

GCVE-110-OSM-2026-1259
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 1, 2026
Probes five Guardarian cryptocurrency exchange servers (65.21.203.244:3000, 65.21.203.246, 128.140.36.229, 128.140.36.230, 128.140.36.224) across 25+ endpoints including /wallets, /transactions, /deposits, /addresses, and /balances during npm postinstall, then exfiltrates all API responses in 50KB chunks via HTTP POST to attacker C2 at 144.31.107.231:9999. Also uses a stolen Guardarian payment API key (a78e8684-1c99-4eb4-b899-16e55d552335) to attempt authenticated Cloudflare bypass against api-payments.guardarian.com. postinstall.js hardcodes C2 at 144.31.107.231:9999 (lines 3-4). send() function (lines 5-21) uses http.request() to POST all collected data to /exfil/<tag> in 50KB chunks. Script probes 5 Guardarian servers with curl across 25+ financial and admin endpoints, then port-scans all 5 IPs across 17 ports (including 5432/PostgreSQL, 9200/Elasticsearch, 27017/MongoDB). Reuses stolen API key a78e8684-... for authenticated endpoint bypass. Sandbox evasion exits on TRANSFER cwd or MINGW uname.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownstrapi-plugin-nordica-api3.6.8 (affected)

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›