VDB
GCVE-110-OSM-2026-1289
GCVE-110-OSM-2026-1289
Advisory PublishedCVSS 9.6/10
Exfiltrates git commit history for credentials (passwords, private keys, mnemonics) and SSH private keys to attacker-controlled C2 at 144.31.107.231:9999 via HTTP POST in the postinstall script. Also brute-forces SSH access against Guardarian cryptocurrency exchange servers (65.21.78.244, 138.201.100.98) using hardcoded credentials. Part of the ongoing strapi-nordica campaign by tikeqemif262@gmail.com targeting Guardarian's infrastructure.
postinstall.js defines VPS='144.31.107.231' and PORT=9999, using Node.js http.request to POST chunked data to /exfil/<tag> endpoints. Runs 'git log --all' and 'git grep' across all commits to search for env files and credential keywords, then 'find /' to locate SSH private keys. Active SSH brute-force is attempted using sshpass with passwords '1QKtYPp18UsyU2ZwInVM' and 'postgres' against ports 22 and 2020 on Guardarian-controlled servers. Reads GUARDARIAN_API_KEY env var. Also dumps all controller/service/middleware source from /app/api/.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | strapi-plugin-nordica-deep | 3.6.8 (affected) | — |
Browse GCVE Records
73,040 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.