www-data user making curl or wget requests to external IPs.
Finally, the attacker issues a command:
In Pico 3.0.0-alpha.2, the ContentHandler::loadPage() method attempted to resolve a requested page to a .md file. The simplified vulnerable logic looked like this: Pico 3.0.0-alpha.2 Exploit