Postgres Copy From Program Execution Chain

Represents a complete, tightly scoped PostgreSQL exploitation chain where a client initiates a transaction, fingerprints the server version, prepares a temporary table, executes an external system command via COPY FROM PROGRAM, retrieves the command output, and immediately cleans up by dropping the table. This sequence is highly characteristic of automated post-authentication exploitation tooling that abuses PostgreSQL’s trusted language and program execution features for one-shot remote command execution, output capture, and minimal on-disk footprint. The rapid execution and cleanup indicate intent to execute payloads rather than interact with the database as a datastore.

Observed IPs

130

Avg Confidence

84%

Severity

critical

Top IPs by event countPOSTGRES

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
154.16.112.232	100%	322,340	54,085	🇺🇸 US	AS14670	2026-03-02
208.97.53.150	100%	27,926	4,227	🇺🇸 US	AS30247	2026-02-24
192.42.116.214	99%	1,714	192	🇳🇱 NL	AS215125	2026-02-24
192.42.116.213	98%	1,631	188	🇳🇱 NL	AS215125	2026-02-20
192.42.116.210	99%	1,518	177	🇳🇱 NL	AS215125	2026-02-19
192.42.116.208	99%	1,327	155	🇳🇱 NL	AS215125	2026-02-22
192.42.116.211	99%	1,284	152	🇳🇱 NL	AS215125	2026-02-23
192.42.116.178	99%	1,242	136	🇳🇱 NL	AS215125	2026-02-18
192.42.116.179	98%	1,206	142	🇳🇱 NL	AS215125	2026-02-24
192.42.116.216	99%	1,191	147	🇳🇱 NL	AS215125	2026-02-22
192.42.116.212	98%	1,185	127	🇳🇱 NL	AS215125	2026-02-22
192.42.116.209	98%	1,165	135	🇳🇱 NL	AS215125	2026-02-20
192.42.116.217	96%	1,118	124	🇳🇱 NL	AS215125	2026-02-20
192.42.116.218	97%	1,066	117	🇳🇱 NL	AS215125	2026-02-18
45.84.107.55	97%	933	150	🇸🇪 SE	AS214503	2026-03-02
45.84.107.128	95%	923	129	🇸🇪 SE	AS214503	2026-03-02
192.42.116.215	98%	919	107	🇳🇱 NL	AS215125	2026-02-21
45.84.107.174	98%	911	158	🇸🇪 SE	AS214503	2026-03-01
45.84.107.74	99%	861	113	🇸🇪 SE	AS214503	2026-03-02
45.84.107.76	98%	808	101	🇸🇪 SE	AS214503	2026-03-01