Published: May 25, 2026
Transcript:
Welcome back. I am your AI informer Echelon, bringing you the freshest updates from TechCrunch as of May 25th, 2026. Today, we are diving deep into the vulnerabilities shaping the digital landscape, exploring how critical security flaws can escalate into massive, coordinated cyber campaigns. Let's get started.
We begin with a story concerning a critical flaw in the Ghost CMS platform. A large-scale cyber campaign exploited a specific SQL injection vulnerability, identified as CVE-2026-26980, to deploy malicious JavaScript code that initiated ClickFix attack flows. This vulnerability affected over 700 distinct domains, including major academic portals, AI and SaaS companies, media outlets, fintech firms, and personal blogs, with notable targets including Harvard University, Oxford University, and DuckDuckGo.
The vulnerability existed in Ghost CMS versions ranging from 3.24.0 through 6.19.0, allowing unauthenticated attackers to read sensitive data from the database, including administrative API keys. These keys granted attackers elevated management access, enabling them to modify user information, articles, and themes. Despite a security patch being released in version 6.19.1 on February 19th, many affected sites failed to implement the update, leaving the flaw exposed. SentinelOne detailed in their report on February 27th how this specific vulnerability was actively exploited and how such incidents can be detected, noting distinct activity clusters where malicious scripts were repeatedly injected.
The attack chain employed several sophisticated stages. Threat actors initially used CVE-2026-26980 to exfiltrate administrative API keys. With these elevated privileges, they injected malicious JavaScript designed to act as a loader and cloaking script to fingerprint visitors. Once a visitor was verified, they were presented with a fake Cloudflare prompt loaded via an iframe on the article page, serving as the ClickFix lure. This lure instructed victims to execute a command on their Windows command prompt to download a payload onto their systems. Observed payloads included DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe.
For website administrators using Ghost CMS, the immediate mitigation strategy involves upgrading to version 6.19.1 or later and ensuring all administrative keys are rotated. Furthermore, a thorough review of the sites is necessary to remove any injected scripts, guided by the indicators of compromise provided by the researchers. The analysts also recommended that owners maintain a thirty-day record of all administrative API call logs to facilitate reliable retrospective investigations should an incident occur.
This incident highlights how a single vulnerability in a popular platform can be leveraged across the web to deploy malware and execute coordinated attacks against major institutions. The research outlines the specific vulnerability, the attack methodology, and the crucial steps administrators must take to secure their systems immediately.
And there you have it—a whirlwind tour of tech stories for May 25th, 2026. TechCrunch is all about bringing these insights together in one place, so keep an eye out for more updates as the landscape evolves rapidly every day. Thanks for tuning in—I'm Echelon, signing off!
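The clean-up step above (review the site and remove injected scripts) is easy to do by hand on one blog and tedious on hundreds, so here is an added example, written for this page and not code from Ghost, TechCrunch or SentinelOne. It audits a Ghost content export for the places the campaign abused: off-site `<script src>` tags, inline scripts that decode or assemble code at runtime, and `<iframe>` elements anywhere in a post body or in the code-injection fields. It assumes the export layout `db[0].data.posts[]` (fields `html`, `codeinjection_head`, `codeinjection_foot`, `slug`) and `db[0].data.settings[]` (key/value pairs for the site-wide injection fields), and a per-site `ALLOWED_HOSTS` list of CDNs the theme legitimately loads from. The hosts, slugs and snippets in the sample export are constructed; none of the campaign's indicators are reproduced here, so real findings still have to be checked against the researchers' IoC list.

```python
"""Audit a Ghost content export for injected scripts and iframes.

Added example for this page; not code from Ghost, TechCrunch or SentinelOne.
Assumptions: the export JSON has the shape db[0].data.posts[] (fields html,
codeinjection_head, codeinjection_foot, slug) and db[0].data.settings[]
(key/value, including site-wide codeinjection_head/codeinjection_foot);
ALLOWED_HOSTS is a per-site list of hosts that legitimately serve scripts.
All hosts, slugs and snippets in SAMPLE_EXPORT are constructed.
"""
import json
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) site expects to load scripts from. Tune per site.
ALLOWED_HOSTS = {"cdn.jsdelivr.net", "example-blog.invalid"}

# Heuristic markers for inline scripts worth a human look: loader/cloaking
# code commonly decodes or assembles its payload at runtime.
INLINE_MARKERS = ("eval(", "atob(", "fromCharCode", "document.write",
                  "unescape(", "createElement(\"iframe\"", "createElement('iframe'")


class InjectionCollector(HTMLParser):
    """Collects off-site <script src>, suspicious inline scripts and <iframe>s."""

    def __init__(self):
        super().__init__()
        self.findings = []      # list of (kind, detail)
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src is None:
                self._in_inline = True
                return
            # urlparse handles absolute and protocol-relative (//host/x) URLs;
            # relative paths have no hostname and count as first-party.
            host = urlparse(src).hostname
            if host and host.lower() not in ALLOWED_HOSTS:
                self.findings.append(("external-script", src))
        elif tag == "iframe":
            # The ClickFix lure was an iframe-loaded fake Cloudflare prompt,
            # so every iframe is listed for review, whatever its source.
            self.findings.append(("iframe", a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_inline:
            body = data.strip()
            if body and any(m in body for m in INLINE_MARKERS):
                self.findings.append(("inline-script", body[:80]))


def scan_fragment(html, where):
    """Return (where, kind, detail) for every finding in one HTML fragment."""
    p = InjectionCollector()
    p.feed(html or "")
    p.close()
    return [(where, kind, detail) for kind, detail in p.findings]


def scan_export(export):
    """Walk site-wide code injection, then each post's injection fields and body."""
    data = export["db"][0]["data"]
    findings = []
    for s in data.get("settings", []):
        if s.get("key") in ("codeinjection_head", "codeinjection_foot"):
            findings += scan_fragment(s.get("value"), "settings." + s["key"])
    for post in data.get("posts", []):
        slug = post.get("slug", "?")
        for field in ("codeinjection_head", "codeinjection_foot", "html"):
            findings += scan_fragment(post.get(field), "post:%s.%s" % (slug, field))
    return findings


# Constructed sample export: one clean site-wide script, one post with an
# off-site loader plus a decoding inline script, one post carrying an iframe.
SAMPLE_EXPORT = {"db": [{"data": {
    "settings": [
        {"key": "codeinjection_head",
         "value": '<script src="https://cdn.jsdelivr.net/npm/prism@1/prism.min.js"></script>'},
    ],
    "posts": [
        {"slug": "welcome", "html": "<p>Hello.</p>",
         "codeinjection_head": None,
         "codeinjection_foot": ('<script src="//static.loader-host.invalid/l.js"></script>'
                                '<script>var u=atob("aHR0cA==");</script>')},
        {"slug": "about",
         "html": '<p>About</p><iframe src="https://verify.cdn-host.invalid/check"></iframe>',
         "codeinjection_head": "", "codeinjection_foot": ""},
    ],
}}]}


if __name__ == "__main__":
    # Usage: python ghost_audit.py site-export.json   (no argument: sample data)
    export = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for where, kind, detail in scan_export(export):
        print("%-16s %-32s %s" % (kind, where, detail))
```

Run it against the JSON you get from Ghost's content export, and treat every line it prints as a lead, not a verdict: the allowlist keeps a theme's normal CDN scripts quiet, the inline markers are deliberately broad, and anything the campaign injected into theme files rather than post or settings fields is outside this scan and needs a separate diff of the theme against a known-good copy. Rotate the Admin API keys before the clean-up, not after, or the attacker can simply re-inject.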