VDB

GCVE-110-OSM-2026-1261

GCVE-110-OSM-2026-1261
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 1, 2026
Conducts targeted infrastructure reconnaissance against Guardarian cryptocurrency exchange during npm postinstall, probing 36 hardcoded staging subdomains at IP 65.21.78.244 using Host header vhost scanning and a hardcoded Guardarian API key (a78e8684-1c99-4eb4-b899-16e55d552335), then exfiltrates all non-404 API responses to attacker C2 at 144.31.107.231:9999. postinstall.js iterates 36 Guardarian staging subdomains (payments, cards, KYC, exchange, admin), issues curl requests with spoofed Host headers against 65.21.78.244 over HTTP and HTTPS, tests /, /health, /v1/status, /api-docs, and Strapi-specific paths. Authenticated probes use x-api-key: a78e8684-1c99-4eb4-b899-16e55d552335. All responses POSTed to 144.31.107.231:9999/exfil/<tag> in 50KB chunks. Sandbox evasion exits on 'TRANSFER' cwd or Windows uname.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownstrapi-plugin-nordica-vhost3.6.8 (affected)

Browse GCVE Records

73,738 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›