VDB

GCVE-110-OSM-2026-1262

GCVE-110-OSM-2026-1262
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 1, 2026
Exfiltrates internal network configuration during npm postinstall to attacker C2 at 144.31.107.231:9999 — specifically targeting Cloudflare origin IP discovery by dumping active TCP connections, /etc/resolv.conf, /etc/hosts, and internal DNS resolutions of Guardarian payment service subdomains. Attacker comment explicitly states 'Payment services go through Cloudflare. But we're inside the network.' postinstall.js runs ss -tnp/netstat -tnp to dump all connections, reads /etc/resolv.conf and /etc/hosts, then resolves a list of Guardarian internal subdomains from inside the victim's network. All results POSTed to 144.31.107.231:9999/exfil/nr-* in 50KB chunks. Same C2 and sandbox evasion as nordica-sync, nordica-vhost, and nordica-stage.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownstrapi-plugin-nordica-recon3.6.8 (affected)

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›