Canadian Cyber Security Journal
Filed under: News

Cybersecurity Daily Brief — Monday, May 25, 2026

Here are today’s top cybersecurity stories for Monday, May 25, 2026.

Ghost CMS CVE-2026-26980 SQL Injection Exploited Across 700+ Sites to Deliver ClickFix Malware
A large-scale campaign is exploiting a critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980, CVSS 9.4) to compromise websites and inject malicious JavaScript that triggers fake Cloudflare verification pages. Researchers at Qianxin XLab confirmed more than 700 domains have been poisoned, including portals at Harvard University, Oxford University, Auburn University, and DuckDuckGo. Attackers exploit the unauthenticated flaw to extract the Admin API key, then use the Ghost Admin API to bulk-modify articles and insert ClickFix payload loaders. A patch exists in Ghost CMS version 6.19.1 released in February 2026, but many sites had not applied it. BleepingComputer

Laravel-Lang PHP Supply Chain Attack Backdoors 233 Package Versions Across 700 GitHub Repos
Attackers compromised the Laravel-Lang localization ecosystem by abusing git tags on GitHub: release tags in the project's repositories were pointed at commits that lived in attacker-controlled forks. Composer resolves package versions from those tags, so installs of the affected versions pulled the fork's code. The tags were published in rapid succession on May 22–23, 2026, affecting 233 versions across packages including laravel-lang/lang, laravel-lang/http-statuses, and laravel-lang/attributes. The injected payload is a 5,900-line PHP credential stealer that collects AWS, GCP, Azure, DigitalOcean, Heroku, and Vercel secrets along with passwords saved in 17 Chromium-based browsers, encrypts the results with AES-256, exfiltrates them to a remote server, and then deletes itself from disk. Packagist removed the malicious versions after disclosure. BleepingComputer
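The tag trick works because nothing ties a tag to a branch: a tag can name any commit the repository can reach, including one fetched from a fork. The check below, an added example rather than Laravel-Lang, Packagist or Composer tooling, resolves each tag to its commit and asks git whether that commit is an ancestor of the upstream default branch; a release tag that no branch reaches is the shape this attack leaves behind. It needs git on PATH and builds a throwaway demo repository (constructed data) in which v1.0.0 is a normal release and v1.0.1 is tagged on a commit that main never contains.

```python
"""Flag git tags whose commit is not reachable from the upstream default branch.
Added example, not project or Packagist code.  Requires git on PATH."""
import os
import subprocess
import tempfile


def _git(repo, *args):
    """Run a git command inside `repo` and return stripped stdout."""
    res = subprocess.run(
        ["git", "-c", "user.name=demo", "-c", "user.email=demo@example.invalid",
         "-C", repo, *args],
        capture_output=True, text=True, check=True)
    return res.stdout.strip()


def tag_is_on_branch(repo, tag, branch="main"):
    """True if the commit `tag` points at is an ancestor of `branch`."""
    commit = _git(repo, "rev-list", "-n", "1", tag)   # peel annotated tags too
    res = subprocess.run(
        ["git", "-C", repo, "merge-base", "--is-ancestor", commit, branch],
        capture_output=True)
    if res.returncode not in (0, 1):                  # 0 = ancestor, 1 = not
        raise RuntimeError(res.stderr.decode(errors="replace"))
    return res.returncode == 0


def audit_tags(repo, branch="main"):
    """Map every tag to True (on branch) or False (suspicious, investigate)."""
    tags = [t for t in _git(repo, "tag", "--list").splitlines() if t]
    return {t: tag_is_on_branch(repo, t, branch) for t in tags}


def make_demo_repo():
    """Constructed demo: v1.0.0 on main, v1.0.1 on a commit no branch reaches
    (the same situation as a tag pointed at a fork's commit)."""
    repo = tempfile.mkdtemp(prefix="tagaudit-")
    _git(repo, "init", "-q")
    _git(repo, "symbolic-ref", "HEAD", "refs/heads/main")
    path = os.path.join(repo, "src.php")
    with open(path, "w") as f:
        f.write("<?php\n// legitimate package code\n")
    _git(repo, "add", "src.php")
    _git(repo, "commit", "-q", "-m", "release 1.0.0")
    _git(repo, "tag", "v1.0.0")
    # Detach HEAD, commit off-branch, tag it, go back: main never sees it.
    _git(repo, "checkout", "-q", "--detach")
    with open(path, "a") as f:
        f.write("// injected code would live here\n")
    _git(repo, "commit", "-q", "-am", "release 1.0.1")
    _git(repo, "tag", "v1.0.1")
    _git(repo, "checkout", "-q", "main")
    return repo


if __name__ == "__main__":
    for tag, ok in audit_tags(make_demo_repo()).items():
        print(f"{tag}: {'on main' if ok else 'NOT reachable from main'}")
```

Against a real package, run it on a fresh clone after `git fetch --tags` and pass the project's actual default branch name; a tag that fails the check is not automatically malicious (some projects tag release branches), so compare the flagged commit's author and content against the upstream history before deciding.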

Juniper Networks PTX Routers: Critical CVSS 9.8 Pre-Auth RCE CVE-2026-21902 in Junos OS Evolved
Juniper Networks patched a critical unauthenticated remote code execution vulnerability (CVE-2026-21902, CVSS 9.8) affecting Junos OS Evolved on PTX series high-performance routers. The flaw resides in the On-Box Anomaly Detection framework, which is enabled by default, and allows a network attacker without credentials to run arbitrary code with root privileges. Affected versions are Junos OS Evolved 25.4 releases prior to 25.4R1-S1-EVO and 25.4R2-EVO. Juniper states the vulnerability was discovered internally and that there is no evidence of exploitation in the wild. Operators should upgrade to a fixed release (25.4R1-S1-EVO, 25.4R2-EVO, or 26.2R1-EVO); where an immediate upgrade is not possible, restricting access to the affected endpoint with firewall filters or ACLs is an interim mitigation, not a fix. BleepingComputer | SecurityWeek

Underminr CDN Vulnerability Exposes 88 Million Domains to C2 Hiding — Canada Identified as High-Risk Region
Security firm ADAMnetworks disclosed a CDN infrastructure vulnerability named Underminr that allows attackers to route malicious traffic through shared CDN tenants, bypassing DNS filtering and network monitoring. Unlike traditional domain fronting, in which the TLS SNI and the HTTP Host header name different domains, Underminr exploits the CDN's native multiplexing behaviour: attackers register domains on shared CDN infrastructure and present the SNI and HTTP Host of a legitimate co-tenant while directing the traffic to their own resources, so detections keyed on an SNI/Host mismatch do not apply. Approximately 88 million domains are exposed globally, with the US, Canada, and the UK identified as the regions carrying the most risk. Active exploitation has been confirmed. No CVE has been assigned; the weakness is architectural rather than a bug in a specific product. SecurityWeek

Lazarus Group Deploys RemotePE Memory-Only RAT Against Financial and Cryptocurrency Firms
North Korea-linked Lazarus Group is using a new memory-resident remote access trojan called RemotePE in attacks against financial and cryptocurrency organizations. RemotePE arrives via a multi-stage chain: DPAPILoader decrypts and loads RemotePELoader, which beacons to a command-and-control server and receives RemotePE as a fully in-memory payload with no filesystem artifacts. Initial compromise happens through social engineering on Telegram, where attackers impersonate employees of legitimate trading companies and direct victims to fake Calendly scheduling domains. The toolset uses environmental keying and EDR evasion designed for long-term covert access. Lazarus used earlier variants of RemotePE alongside PondRAT and ThemeForestRAT in a September 2025 DeFi sector attack. The Hacker News

Megalodon: TeamPCP Poisons 5,561 GitHub Repositories via Fake CI/CD Workflow Commits
On May 18, 2026, the threat group TeamPCP executed an automated supply chain attack that injected malicious GitHub Actions workflows into 5,561 repositories over a six-hour window. Attackers forged author identities imitating routine CI automation (build-bot, auto-ci, ci-bot, pipeline-bot) and inserted payloads that harvest AWS credentials, GCP tokens, SSH private keys, Kubernetes configurations, GitHub Actions OIDC tokens, and database connection strings from pipeline environments. Hudson Rock attributed initial access to infostealer infections: more than a third of affected repository owners matched records of infostealer-infected computers. GitHub has removed the malicious commits and is notifying affected repository owners. The Hacker News | SecurityWeek
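Because the commits were authored under CI-looking names rather than by the repositories' real maintainers, a first triage pass is to pull every commit that touched `.github/workflows/` and compare its author against the people who are actually expected to edit CI. The script below is an added example (not GitHub's, Hudson Rock's or any affected project's tooling). It parses the output of `git log --format='%H|%an|%ae|%aI' --name-only`, constructed inline here as sample data, and flags workflow-file commits whose author email is outside an assumed allowlist, noting bot-shaped author names as a secondary indicator.

```python
"""Triage workflow-file commits by author.  Added example, not GitHub tooling.
Input: output of  git log --format='%H|%an|%ae|%aI' --name-only"""
import re

# Assumed allowlist: the humans expected to change CI in this repository.
TRUSTED_AUTHOR_EMAILS = {"alice@example.org", "bob@example.org"}
WORKFLOW_DIR = ".github/workflows/"
# Names shaped like CI automation (the campaign used build-bot, auto-ci,
# ci-bot, pipeline-bot).  An indicator only: real bots match this too.
BOT_LIKE_NAME = re.compile(r"^[a-z0-9_-]*(?:bot|ci)$", re.IGNORECASE)
COMMIT_LINE = re.compile(r"^[0-9a-f]{40}\|")

# Constructed sample log (three commits, one from a forged "ci-bot" identity).
SAMPLE_LOG = """\
1111111111111111111111111111111111111111|alice|alice@example.org|2026-05-18T09:12:01+00:00

src/app.py

2222222222222222222222222222222222222222|ci-bot|ci-bot@users.noreply.github.com|2026-05-18T14:03:44+00:00

.github/workflows/build.yml

3333333333333333333333333333333333333333|bob|bob@example.org|2026-05-17T16:40:10+00:00

.github/workflows/release.yml
README.md
"""


def parse_log(text):
    """Turn the custom git log format into commit dicts with file lists."""
    commits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if COMMIT_LINE.match(line):
            sha, name, email, date = line.split("|", 3)
            commits.append({"sha": sha, "author": name, "email": email,
                            "date": date, "files": []})
        elif commits:                      # a path belonging to the last commit
            commits[-1]["files"].append(line)
    return commits


def audit_commits(commits, trusted_emails):
    """Return workflow-touching commits whose author looks untrusted, with reasons."""
    flagged = []
    for c in commits:
        if not any(f.startswith(WORKFLOW_DIR) for f in c["files"]):
            continue
        reasons = []
        if c["email"].lower() not in trusted_emails:
            reasons.append("author email not in allowlist")
        if BOT_LIKE_NAME.match(c["author"]):
            reasons.append("bot-like author name")
        if reasons:
            flagged.append({**c, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for c in audit_commits(parse_log(SAMPLE_LOG), TRUSTED_AUTHOR_EMAILS):
        print(c["sha"][:12], c["author"], c["date"], "; ".join(c["reasons"]))
        for f in c["files"]:
            print("   ", f)
```

Author name and email in a git commit are free text set by whoever made the commit, so treat a match as a lead, not a verdict: confirm against GitHub's record of which account pushed the commit and whether the commit is signed, and read the workflow diff itself for steps that dump the environment or post secrets to an external host.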

Drupal CVE-2026-9082 Hits CISA KEV as Attack Volume Surpasses 15,000 Attempts on 6,000 Sites
CISA added the Drupal core SQL injection vulnerability CVE-2026-9082 to its Known Exploited Vulnerabilities catalog on May 22, 2026, following confirmed mass active exploitation. The flaw affects PostgreSQL-backed Drupal sites across versions 8.0 through 11.3.9 and allows unauthenticated attackers to read arbitrary database contents, with potential for privilege escalation and remote code execution. Imperva recorded more than 15,000 attack attempts against nearly 6,000 individual sites across 65 countries, with gaming and financial services sites as the primary targets. Federal agencies face a June 5, 2026 remediation deadline. Patched versions: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10. The Hacker News

Ghost CMS Mass Compromise: XLab Analysis Reveals Scale of ClickFix Infrastructure
Extended analysis from Qianxin's XLab team shows that XLab first observed victims of the Ghost CMS campaign in May 2026, with an attack chain designed to turn compromised sites into ClickFix malware delivery platforms. Beyond injecting fake Cloudflare CAPTCHA pages, attackers are using the compromised sites as part of a broader infrastructure to distribute malware to site visitors. The campaign exploits a widely deployed open-source CMS with a long tail of unpatched installations. Organizations running self-hosted Ghost should verify they are on version 6.19.1 or later, audit recently modified posts for injected JavaScript, and rotate the Admin API key, since the exploit chain extracts it and upgrading alone does not invalidate a key already stolen. XLab / Qianxin
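Auditing posts for injected JavaScript, as recommended above for this campaign and for the bulk article modification described in the first item, is mechanical once the post content is in hand. The script below is an added example, not Ghost's or XLab's code. Its post records are constructed here to mimic the shape of records returned by the Ghost Admin API posts endpoint (id, title, html, updated_at); in real use they would come from that endpoint. It parses each post's HTML with the standard-library parser, reports `<script src>` tags loading from hosts outside an assumed allowlist, and flags inline scripts matching a small set of ClickFix-style heuristics (clipboard writes, decoding or eval of payloads, "verify you are human" prompts), optionally restricted to posts updated after a cutoff date.

```python
"""Scan Ghost-style post records for injected <script> tags.
Added example, not Ghost or XLab code; sample posts are constructed."""
import re
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of third-party script hosts this site legitimately loads.
ALLOWED_SCRIPT_HOSTS = {"cdn.example.com"}
# ClickFix-style inline loader heuristics; tune per site, expect some noise.
SUSPICIOUS_INLINE = re.compile(
    r"navigator\.clipboard|atob\(|eval\(|document\.write\(|verify you are human",
    re.IGNORECASE)

SAMPLE_POSTS = [  # constructed records in the Admin API's general shape
    {"id": "a", "title": "Welcome", "updated_at": "2026-03-10T08:00:00.000Z",
     "html": '<p>Hello</p><script src="https://cdn.example.com/widget.js"></script>'},
    {"id": "b", "title": "Release notes", "updated_at": "2026-05-20T10:15:00.000Z",
     "html": '<p>Notes</p><script src="/assets/theme.js"></script>'
             '<script>window.dataLayer = window.dataLayer || [];</script>'},
    {"id": "c", "title": "Pricing", "updated_at": "2026-05-21T02:41:00.000Z",
     "html": '<p>Plans</p><script src="https://203.0.113.7/loader.js"></script>'
             '<script>document.body.innerHTML="<h1>Verify you are human</h1>";'
             'navigator.clipboard.writeText("<command the victim is told to paste>");'
             '</script>'},
]


class _ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> element in a document."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None          # non-None while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._buf = None


def _parse_ts(ts):
    """Parse an ISO 8601 timestamp; a trailing Z or no zone both mean UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_posts(posts, allowed_hosts, since=None):
    """Return findings for posts updated at or after `since` (None = all posts)."""
    cutoff = _parse_ts(since) if since else None
    findings = []
    for post in posts:
        if cutoff and _parse_ts(post["updated_at"]) < cutoff:
            continue
        collector = _ScriptCollector()
        collector.feed(post.get("html") or "")
        collector.close()
        for src, body in collector.scripts:
            if src:
                host = urlparse(src).hostname
                if host is None:      # relative URL: served by the site itself
                    continue
                if host not in allowed_hosts:
                    findings.append({"post": post["id"], "title": post["title"],
                                     "reason": f"external script from {host}"})
            elif SUSPICIOUS_INLINE.search(body):
                findings.append({"post": post["id"], "title": post["title"],
                                 "reason": "inline script matches ClickFix heuristic"})
    return findings


if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS, ALLOWED_SCRIPT_HOSTS, since="2026-05-01T00:00:00Z"):
        print(f"post {f['post']} ({f['title']}): {f['reason']}")
```

Run it first without a cutoff: the campaign rewrote posts through the Admin API, so the `updated_at` value is itself attacker-influenced and a recency filter only orders the work, it does not bound it. Injected code can also live in site-wide code injection settings and theme files rather than in post HTML, so check those separately.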

Stay tuned for today’s in-depth analysis posts.
