
#ethicalhacking #cybersecurity #infosec #ghostcms #sqlinjection #clickfix #cve #malware #websecurity #threatintelligence | Jolanda de Koff
A SQL injection vulnerability in Ghost CMS has turned Harvard University, Oxford University, and DuckDuckGo into malware distribution platforms. Visitors arrive at a page they trust completely, a fake Cloudflare verification prompt appears, and their machine gets infected if they follow the instructions. More than 700 sites. Software that had never had an unauthenticated critical vulnerability in its entire history.

When Anthropic released Opus 4.6, they had Nicholas Carlini point Claude at a set of open-source projects to see what it would turn up. He picked Ghost because it had never had an unauthenticated critical vulnerability in its history. Ninety minutes later, Claude had found a blind SQL injection in Ghost's Content API and pulled the admin API key straight out of the database. Anthropic told Ghost on February 16. Three days later, on February 19, the patch was out.

In March, he stood on stage at the [un]prompted conference in San Francisco and showed the room what Claude had just done. He described what he had witnessed as terrifying.

The vulnerability is CVE-2026-26980, rated CVSS 9.4 Critical.

The compilation timestamp on the DLL file found inside the attack campaign is February 16, 2026. That is the day Ghost published their security advisory to GitHub, three days before the public CVE disclosure on February 19.

This was not a targeted attack. It was a fully automated pipeline scanning every unpatched Ghost site on the internet, pulling the admin key automatically, rewriting every article on every compromised site, and delivering whatever payload the attacker wanted.
At least two separate attack groups were running this campaign simultaneously. By May 17, XLab had confirmed more than 700 compromised domains:
→ Personal blogs and independent sites: 368 (48.1%)
→ Software development, SaaS, and tech blogs: 113 (14.8%)
→ AI and machine learning sites: 35 (4.6%)
→ Education and academia: 21 (2.7%)
→ Security and cybersecurity research sites: 11 (1.4%)

Indicators of compromise:
→ C2 domain, first wave: clo4shara[.]xyz
→ C2 domain, second wave: com-apps[.]cc
→ Final payload C2: web-telegram[.]ug
→ installer.dll hash, first wave: MD5 5659292833ec421da11ebde005d9c9a8

If you run a self-hosted Ghost site:
→ Update to Ghost 6.19.1 or later right now.
→ Rotate all Admin API keys after updating, even if the site looks completely clean.
→ Check article content at the database level, not through the Ghost editor interface.
→ Ghost Pro users are not affected. Ghost manages updates on that platform.

Every one of those techniques is covered in my ethical hacking course:
→ https://lnkd.in/ebs6AY7K

Research & writing: Jolanda de Koff
Sharing is fine. Copying without credit is not.

Full breakdown → https://lnkd.in/e3nVqpQA

#EthicalHacking #CyberSecurity #InfoSec #GhostCMS #SQLInjection #ClickFix #CVE #Malware #WebSecurity #ThreatIntelligence
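One way to carry out the database-level content check from the list above, as an added example that is not from the original post or from the Ghost project: it scans the rendered HTML of each article for scripts pulled from the C2 hosts listed above, for inline scripts, and for fake-verification wording. The `posts.html` column name is assumed from Ghost's schema, and the two sample articles are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# C2 indicators quoted in the post above, kept defanged and refanged at match time.
DEFANGED_C2 = ["clo4shara[.]xyz", "com-apps[.]cc", "web-telegram[.]ug"]
C2_HOSTS = {d.replace("[.]", ".") for d in DEFANGED_C2}
# Wording typical of a fake "verify you are human" prompt (constructed heuristic;
# a legitimate post about browser checks can match too, so treat it as a triage hint).
LURE_RE = re.compile(r"verify you are human|checking your browser", re.I)


class _ScriptCollector(HTMLParser):
    """Record external <script src> URLs and count inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline_scripts = [], 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.script_srcs.append(src)
        else:
            self.inline_scripts += 1


def scan_post(slug, html):
    """Return findings for one post's rendered HTML (the `html` column of Ghost's
    `posts` table, an assumed column name, read by direct DB query); [] means clean."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.script_srcs:
        host = (urlparse(src).hostname or "").lower()
        if host in C2_HOSTS:
            findings.append(f"{slug}: script loaded from known C2 host {host}")
        elif host:  # any third-party script inside a blog post deserves a look
            findings.append(f"{slug}: external script from {host}")
    if collector.inline_scripts:
        findings.append(f"{slug}: {collector.inline_scripts} inline <script> block(s)")
    if LURE_RE.search(html):
        findings.append(f"{slug}: fake-verification lure text")
    return findings


# Constructed sample posts: one clean, one carrying an injected lure.
SAMPLE_CLEAN = "<p>Release notes</p><a href='https://example.com/docs'>docs</a>"
SAMPLE_INJECTED = ('<p>Release notes</p><script src="https://clo4shara[.]xyz/v.js">'
                   "</script><script>document.title='Verify you are human';"
                   "</script>").replace("[.]", ".")
```

Feed it the `id`/`slug`/`html` rows from a direct `posts` query and review every post that returns findings; inline scripts from legitimate embeds will show up too, so the C2-host matches are the ones to act on first.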