VDB
GCVE-110-OSM-2026-1261
GCVE-110-OSM-2026-1261
Advisory PublishedCVSS 9.6/10
Conducts targeted infrastructure reconnaissance against Guardarian cryptocurrency exchange during npm postinstall, probing 36 hardcoded staging subdomains at IP 65.21.78.244 using Host header vhost scanning and a hardcoded Guardarian API key (a78e8684-1c99-4eb4-b899-16e55d552335), then exfiltrates all non-404 API responses to attacker C2 at 144.31.107.231:9999.
postinstall.js iterates 36 Guardarian staging subdomains (payments, cards, KYC, exchange, admin), issues curl requests with spoofed Host headers against 65.21.78.244 over HTTP and HTTPS, tests /, /health, /v1/status, /api-docs, and Strapi-specific paths. Authenticated probes use x-api-key: a78e8684-1c99-4eb4-b899-16e55d552335. All responses POSTed to 144.31.107.231:9999/exfil/<tag> in 50KB chunks. Sandbox evasion exits on 'TRANSFER' cwd or Windows uname.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | strapi-plugin-nordica-vhost | 3.6.8 (affected) | — |
Browse GCVE Records
73,738 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.