
Harvard, DuckDuckGo Among 700 Blogs Pushing ClickFix Attacks

Hundreds of Ghost-CMS-powered blogs — including those of Harvard, Oxford, Auburn, and DuckDuckGo — are pushing ClickFix attacks at their visitors via a fake Cloudflare CAPTCHA injected into article pages. The chain ends with the visitor pasting a malicious command into Windows Run.

The bug is a SQL injection in Ghost CMS, tracked as CVE-2026-26980, affecting versions 3.24.0 through 6.19.0. Ghost shipped a patch on February 19, 2026 in 6.19.1. Three months later, attackers are still finding unpatched sites. XLab (Qianxin) discovered the campaign with supporting analysis from SentinelOne, disclosed via BleepingComputer on May 24, 2026. Over 700 domains have been compromised so far.

The attack chain: SQL injection → steal admin API key → inject malicious JavaScript into article pages → fingerprint each visitor → serve fake Cloudflare CAPTCHA to qualifying Windows users → ClickFix paste-into-Run flow → multiple payloads including an Electron-based malware sample called UtilifySetup.

For site owners: install 6.19.1 or later and rotate API keys. For site visitors: nothing legitimate ever asks you to paste a command into Windows Run.
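For site owners running more than one blog, the affected range and the key-rotation advice can be turned into a fleet triage. This is an added example, not code from the video or from the Ghost project; the inventory records and their field names (`upgradedAt`, `adminKeyCreatedAt`) are hypothetical, and the rule that a key created before the upgrade must be rotated is an assumption drawn from the attack chain above.

```javascript
// Facts from the page: CVE-2026-26980 affects Ghost 3.24.0 through 6.19.0; fixed in 6.19.1.
const FIRST_AFFECTED = [3, 24, 0];
const FIRST_FIXED = [6, 19, 1];

// Parse "6.19.0", "v6.19.0" or "6.19.1-rc.1"; returns null when unparseable.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(text).trim());
  return m ? { core: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns true or false, or null when the version string cannot be parsed.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  if (compareCore(v.core, FIRST_AFFECTED) < 0) return false;
  const c = compareCore(v.core, FIRST_FIXED);
  return c < 0 || (c === 0 && v.pre); // a 6.19.1 pre-release is treated as unfixed
}

// Assumption: an admin API key that existed before the upgrade may have been
// read while the site was still injectable, so patching alone is not enough.
function triage(site) { // site fields are hypothetical inventory columns
  const affected = isAffected(site.version);
  if (affected === null) return "verify-version";
  if (affected) return "patch-and-rotate-keys";
  if (compareCore(parseVersion(site.version).core, FIRST_FIXED) < 0) return "ok"; // older than 3.24.0
  const upgraded = Date.parse(site.upgradedAt);
  const keyMade = Date.parse(site.adminKeyCreatedAt);
  // Missing dates are treated as "rotate": the safe default when history is unknown.
  if (Number.isNaN(upgraded) || Number.isNaN(keyMade) || keyMade < upgraded) return "rotate-keys";
  return "ok";
}

// Constructed inventory for illustration; hosts, versions and dates are sample values.
const SITES = [
  { host: "blog-a.example", version: "6.19.0" },
  { host: "blog-b.example", version: "6.19.1", upgradedAt: "2026-03-02", adminKeyCreatedAt: "2025-11-10" },
  { host: "blog-c.example", version: "6.19.1", upgradedAt: "2026-03-02", adminKeyCreatedAt: "2026-03-03" },
  { host: "blog-d.example", version: "3.23.0" },
  { host: "blog-e.example", version: "latest" },
];
console.log(SITES.map((s) => `${s.host}: ${triage(s)}`).join("\n"));
```

A site that reports a fixed version but still carries a pre-upgrade admin key lands in `rotate-keys`, which is the case a version scan alone misses.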

Sources:
https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/

More on cybersecurity, privacy, scams, and homelab on Hake Hardware. New shorts every weekday.

#cybersecurity #clickfix #ghostcms #sqlinjection #infosec

Video "Harvard, DuckDuckGo Among 700 Blogs Pushing ClickFix Attacks" from the Hake Hardware channel