VDB
GCVE-110-OSM-2026-1262
GCVE-110-OSM-2026-1262
Advisory PublishedCVSS 9.6/10
Exfiltrates internal network configuration during npm postinstall to attacker C2 at 144.31.107.231:9999 — specifically targeting Cloudflare origin IP discovery by dumping active TCP connections, /etc/resolv.conf, /etc/hosts, and internal DNS resolutions of Guardarian payment service subdomains. Attacker comment explicitly states 'Payment services go through Cloudflare. But we're inside the network.'
postinstall.js runs ss -tnp/netstat -tnp to dump all connections, reads /etc/resolv.conf and /etc/hosts, then resolves a list of Guardarian internal subdomains from inside the victim's network. All results POSTed to 144.31.107.231:9999/exfil/nr-* in 50KB chunks. Same C2 and sandbox evasion as nordica-sync, nordica-vhost, and nordica-stage.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | strapi-plugin-nordica-recon | 3.6.8 (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.