Particle.news

Attackers Poison More Than 700 Ghost CMS Sites to Push ClickFix Malware

Admin API keys exposed through a now-patched SQL injection let operators turn trusted sites into selective malware distributors using commercial cloaking services.

Overview

  • Researchers say the campaign began surfacing in early May and has compromised over 700 unpatched Ghost-powered domains by exploiting CVE-2026-26980, an SQL injection in Ghost’s Content API.
  • Attackers used the flaw to read databases and steal Admin API keys, then used those keys to inject malicious JavaScript into published articles that load a two-stage attack chain.
  • The injected loader fetches a cloaking and traffic-distribution script that fingerprints visitors and shows a fake CAPTCHA or ClickFix prompt that instructs Windows users to paste a command that downloads malware.
  • Observed payloads include DLL loaders, JavaScript droppers, and an Electron installer named UtilifySetup.exe, and investigators have seen at least two competing attacker clusters that re-infect or swap payloads.
  • QiAnXin XLab and others advise immediate upgrades to Ghost 6.19.1 or later, rotation of exposed Admin API keys, removal of injected scripts from site databases, a 30-day audit of Admin API logs, and notification of visitors who may have been exposed.
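The clean-up step above (finding injected scripts in a site's content) can be checked offline against a Ghost JSON export. The scanner below is an added example, not code from the researchers or the Ghost project; it assumes the export's post records carry Ghost's `slug`, `html`, `codeinjection_head` and `codeinjection_foot` fields, and the allowlist of script hosts is a constructed assumption to be adjusted per site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption: site-specific).
ALLOWED_HOSTS = {"cdn.jsdelivr.net"}


class ScriptCollector(HTMLParser):
    """Collects (src, inline body) pairs for every <script> tag seen."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")

    def handle_data(self, data):
        if self._in_script:  # HTMLParser delivers <script> bodies as data
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in_script = False
            self._buf = []


def suspicious_scripts(post):
    """Return (slug, field, reason) for scripts that are not from allowed hosts."""
    findings = []
    for field in ("html", "codeinjection_head", "codeinjection_foot"):
        parser = ScriptCollector()
        parser.feed(post.get(field) or "")
        for src, body in parser.scripts:
            host = urlparse(src).hostname if src else None
            if src and host and host not in ALLOWED_HOSTS:
                findings.append((post["slug"], field, f"external src {src}"))
            elif not src and body:
                findings.append((post["slug"], field, "inline script"))
    return findings


def scan(posts):
    return [f for post in posts for f in suspicious_scripts(post)]


SAMPLE_POSTS = [  # constructed sample records, not data from the campaign
    {"slug": "welcome", "html": '<p>Hi</p><script src="https://cdn.jsdelivr.net/a.js"></script>'},
    {"slug": "news", "html": '<p>Post</p><script src="https://example.invalid/loader.js"></script>',
     "codeinjection_foot": "<script>fetch('https://example.invalid/tds')</script>"},
]
```

Run `scan` over every post in the export and treat each finding as a candidate for removal and for correlation with the Admin API log audit.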