https://freenet.org/ #decentralization #BigTech #network革命 #HackerNews #ngated
Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks
Attackers exploited CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to obtain Admin API Keys without authorization and conduct mass website poisoning campaigns. Over 700 domains across multiple industries including universities, blockchain, AI, security research, and media were compromised. The attack chain involves CMS takeover, page poisoning with malicious JavaScript loaders, two-stage cloaking scripts, and FakeCaptcha social engineering to trick users into executing malicious commands. Two distinct threat groups are actively exploiting unpatched Ghost CMS installations, delivering information stealers and remote access tools. Compromised sites include Harvard University, Oxford University, and Auburn University. The attacks leverage users' trust in legitimate websites to increase success rates of ClickFix-type attacks, with payloads being dynamically distributed through Cloudflare-proxied domains.
Pulse ID: 6a0f06676dfe8431915ed38a
Pulse Link: https://otx.alienvault.com/pulse/6a0f06676dfe8431915ed38a
Pulse Author: AlienVault
Created: 2026-05-21 13:19:35
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BlockChain #CAPTCHA #Cloud #CyberSecurity #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #RAT #Rust #SQL #SocialEngineering #Vulnerability #bot #AlienVault
PureLogs: Delivery via PawsRunner Steganography
Attackers are concealing .NET infostealers within seemingly innocuous images to evade detection. A phishing campaign uses TXZ archive attachments with invoice-themed lures to initiate infection. The embedded JavaScript leverages environment variables to hide malicious commands, launching PowerShell to decode and decrypt payloads. PawsRunner, a steganography loader, extracts encrypted data from PNG images containing cat photos. This loader evolved from simple PE downloads to sophisticated steganographic extraction with fallback mechanisms. The final payload, PureLogs version 5.0.0, is a comprehensive infostealer from the Pure family that harvests credentials from browsers, cryptocurrency wallets, password managers, communication apps, and other applications. It employs extensive async/await patterns and communicates with command and control infrastructure via HTTPS using multiple endpoints to exfiltrate encrypted and compressed stolen data.
Pulse ID: 6a0f272cd9c82db936e6a249
Pulse Link: https://otx.alienvault.com/pulse/6a0f272cd9c82db936e6a249
Pulse Author: AlienVault
Created: 2026-05-21 15:39:24
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AWS #Browser #CyberSecurity #Endpoint #HTTP #HTTPS #InfoSec #InfoStealer #Java #JavaScript #NET #OTX #OpenThreatExchange #Password #Phishing #PowerShell #RAT #SMS #Steganography #Word #bot #cryptocurrency #AlienVault
Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft
Microsoft identified an active supply chain attack targeting the @antv npm package ecosystem. A threat actor compromised an @antv maintainer account and published malicious versions of widely used data-visualization packages, affecting libraries like echarts-for-react with over 1 million weekly downloads. The attack propagates through dependency chains into CI/CD pipelines and cloud workloads. A 499 KB obfuscated JavaScript payload executes silently during npm install, specifically designed to steal credentials from GitHub Actions environments. Key capabilities include multi-platform credential theft (GitHub, AWS, HashiCorp Vault, npm, Kubernetes, 1Password), GitHub Action Runner process memory scraping, privilege escalation, dual-channel data exfiltration, and SLSA provenance forgery. The payload targets CI/CD environments deliberately, with over 2,200 compromised repositories observed. GitHub responded by removing 640 malicious packages and invalidating 61,274 npm tokens.
Pulse ID: 6a0e3751a23f1487cbb26ac5
Pulse Link: https://otx.alienvault.com/pulse/6a0e3751a23f1487cbb26ac5
Pulse Author: AlienVault
Created: 2026-05-20 22:36:01
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AWS #Cloud #CyberSecurity #GitHub #InfoSec #Java #JavaScript #Microsoft #NPM #OTX #OpenThreatExchange #Password #RAT #SupplyChain #Word #bot #AlienVault
Uncovering a Global Android Carrier Billing Fraud Campaign
A sophisticated Android malware campaign has been identified conducting carrier billing fraud through premium SMS abuse across Malaysia, Thailand, Romania, and Croatia. The operation comprises nearly 250 malicious applications that selectively target users based on their mobile operators, silently subscribing victims to premium services without consent. The malware demonstrates advanced capabilities including precise regional targeting with hardcoded SIM operator validation, automated subscription workflows using WebView manipulation and JavaScript injection, OTP interception via abuse of Google's SMS Retriever API, and Telegram-based exfiltration of device metadata. The campaign impersonates popular applications including Facebook, Instagram, TikTok, Minecraft, and Grand Theft Auto to lure victims. Active from March 2025 through January 2026, the operation employs three distinct variants with increasing levels of sophistication, utilizing distributed command and control infrastructure and systematic refer...
Pulse ID: 6a0e37bba2c6b50f5bf38278
Pulse Link: https://otx.alienvault.com/pulse/6a0e37bba2c6b50f5bf38278
Pulse Author: AlienVault
Created: 2026-05-20 22:37:47
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Android #CyberSecurity #Facebook #Google #InfoSec #Instagram #Java #JavaScript #Malware #Minecraft #OTX #OpenThreatExchange #RAT #RCE #SMS #Telegram #Thailand #bot #AlienVault
Think I'm just about ready to start using this now. Will also throw it up on Codeberg at some point. Properly documented of course.
Minified, this whole engine is a single 17KB JavaScript file, and approx 2KB of that is the MIT license text.
The font adds an extra 8.8KB but isn't technically needed, and again that includes the MIT text.
I do plan on adding more to it yet mind. Eventually.
Fresh mischief and digital shenanigans
FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.
Pulse ID: 6a0e803c81c123ee6cf7066a
Pulse Link: https://otx.alienvault.com/pulse/6a0e803c81c123ee6cf7066a
Pulse Author: AlienVault
Created: 2026-05-21 03:47:08
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault
WebMCP: I Made My Website AI Agent Ready
Google is developing a new web standard called WebMCP, which lets AI agents call website functionality directly, replacing the existing screenshot-based inference approach. WebMCP exists in two forms, a browser built-in API and a separate open-source library, and the latter can be used immediately in all browsers today. Through WebMCP, AI agents can recognize and invoke the tools a website provides in a structured way, greatly improving the reliability and efficiency of the interaction. Developers register tools through a simple JavaScript API and can connect securely via user authentication tokens.

