TL;DR
Ghost CMS critical SQL injection is actively exploited across 700+ websites; Microsoft 365 phishing service Kali365 bypasses MFA; supply-chain attacks across npm, PyPI, and Crates.io inject credential stealers. Patch Ghost immediately, enforce MFA, and audit developer dependencies.
Executive Summary
- Ghost CMS vulnerability CVE-2026-26980 (CVSS 9.4) is being actively exploited to hijack 700+ websites, including major universities, for ClickFix malware injection [2, 8, 21].
- FBI warns of Kali365, a phishing-as-a-service platform abusing OAuth device code authentication to steal Microsoft 365 session tokens and bypass multi-factor authentication [7, 17].
- Cross-ecosystem supply-chain attacks (TrapDoor, Laravel Lang poisoning) distribute credential-stealing malware across npm, PyPI, Crates.io, and Composer package managers [5, 9, 25].
- Lazarus Group operationalizes RemotePE, a cross-platform memory-only RAT, against financial and cryptocurrency organizations [4].
- CISA contractor leaked AWS GovCloud credentials and internal agency secrets on public GitHub; Canadian authorities arrested alleged Kimwolf botmaster [11, 12, 13, 14].
Top Threats Today
1. Ghost CMS SQL Injection – Active ClickFix Campaign
Severity: HIGH. Affected: Technology, Education.
A critical SQL injection vulnerability (CVE-2026-26980, CVSS 9.4) in Ghost CMS is being actively exploited to inject malicious JavaScript code that triggers ClickFix attack flows [1][2]. Over 700 websites have been compromised [1][2][3], including major universities such as Harvard and Oxford, as well as DuckDuckGo [3]. The campaign leverages SQL injection to deliver JavaScript payloads designed to initiate ClickFix social engineering chains, a technique commonly used to redirect users to phishing pages or malware downloads [1][2].
Sources: [1] The Hacker News; [2] BleepingComputer; [3] SecurityWeek
Recommended Action
- Immediately patch Ghost CMS to the latest available version addressing CVE-2026-26980.
- Scan all Ghost CMS instances for injected malicious JavaScript in templates and database records.
- Review access logs for SQL injection attempts and unauthorized database modifications.
- Notify website visitors of potential ClickFix exposure and recommend password resets.
2. Kali365 Phishing-as-a-Service – Microsoft 365 MFA Bypass
Severity: HIGH. Affected: Government, Finance, Technology.
The FBI has issued a warning about Kali365, a Telegram-based phishing-as-a-service (PhaaS) platform that targets Microsoft 365 accounts [1][2]. Kali365 abuses OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA) [1][2], enabling widespread unauthorized access to enterprise environments. The service has been used in attacks documented in April 2026 [2] and represents an accessible threat to organizations of any size.
Sources: [1] BleepingComputer; [2] The Record
Recommended Action
- Enforce Conditional Access policies in Microsoft 365 to restrict OAuth device code flows or require additional verification.
- Deploy phishing-resistant authentication (FIDO2 hardware keys) for high-risk accounts.
- Monitor Azure AD sign-in logs for anomalous OAuth token grants and device code flows.
- Conduct user awareness training on OAuth phishing and social engineering tactics.
- Revoke any suspicious sessions and reset credentials for affected accounts.
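One way to act on the log-monitoring item above: hunt an Entra ID (Azure AD) sign-in export for OAuth device code authentications completed from outside corporate egress ranges, and for single IPs that redeem device codes for several users. This is an added example, not code from the brief or from any vendor; the record shape follows the Microsoft Graph signIn resource (`authenticationProtocol` equal to `deviceCode`), while the sample records and the corporate IP range are constructed.

```python
import ipaddress
import json
from collections import defaultdict

# Assumption (constructed): the organisation's known egress ranges.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample export, one Graph-style signIn object per line.
SAMPLE_LOG = """\
{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"userPrincipalName":"carol@example.com","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"userPrincipalName":"dave@example.com","ipAddress":"203.0.113.22","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","status":{"errorCode":0}}
{"userPrincipalName":"erin@example.com","ipAddress":"198.51.100.9","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":50126}}
"""


def is_corporate(ip):
    """True when the address falls inside a known corporate egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def find_suspicious_device_code_signins(log_text, min_users_per_ip=2):
    """Return (external_signins, shared_ips).

    external_signins: successful device code sign-ins whose source IP is not
    corporate, i.e. the code was redeemed from a host the user does not sit on.
    shared_ips: IPs that completed device code sign-ins for several distinct
    users, the footprint of a shared phishing-service redemption server.
    """
    external = []
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 1) != 0:
            continue  # failed attempt; only completed sign-ins issue tokens
        ip, upn = rec["ipAddress"], rec["userPrincipalName"]
        users_by_ip[ip].add(upn)
        if not is_corporate(ip):
            external.append((upn, ip, rec.get("appDisplayName")))
    shared = {ip: sorted(users) for ip, users in users_by_ip.items()
              if len(users) >= min_users_per_ip}
    return external, shared
```

Device code sign-ins from corporate ranges (such as an administrator using Azure CLI) still appear in `shared` only if the same IP serves several users, so the two lists are meant to be reviewed together rather than alerted on blindly.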
3. Cross-Ecosystem Supply-Chain Malware – TrapDoor & Laravel Lang
Severity: HIGH. Affected: Technology.
Multiple coordinated supply-chain attacks are distributing credential-stealing malware through developer package managers. The TrapDoor campaign spans more than 34 malicious packages and over 384 versions across npm, PyPI, and Crates.io [1], with the earliest activity recorded on May 22, 2026 [1]. Simultaneously, attackers have hijacked Laravel Lang localization packages on GitHub, abusing version tags to distribute malicious Composer packages; the malicious releases were published within a 15-minute window and introduced backdoors that exfiltrate CI secrets [2][3]. Both attacks target the developer supply chain and compromise build and deployment environments.
Sources: [1] The Hacker News; [2] BleepingComputer; [3] SecurityWeek
Recommended Action
- Audit all npm, PyPI, and Crates.io dependencies for presence of malicious versions (particularly packages updated near May 22, 2026).
- Review all Laravel Lang package versions in use and confirm against official GitHub releases.
- Regenerate CI/CD credentials and secrets that may have been exfiltrated; rotate all API keys and tokens.
- Implement package integrity verification and signed commits in dependency management workflows.
- Monitor package repository activity for unauthorized tag creation or version bumps.
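To support the first audit item above, the following added example (not code from the brief or from any of the affected projects) walks an npm `package-lock.json` and flags every installed version whose registry publish date falls within a few days of the May 22, 2026 TrapDoor start. The lockfile and the per-version publish dates are constructed inline; in practice the dates come from the registry's `time` metadata for each package (as returned by `npm view <package> time --json`).

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed package-lock.json (lockfileVersion 3: "packages" keyed by path).
LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {"version": "2.4.1"},
        "node_modules/@scope/colorize": {"version": "0.9.3"},
        "node_modules/fastjson-lite": {"version": "3.1.0"},
    },
})

# Constructed registry "time" metadata: package -> {version: ISO publish date}.
REGISTRY_TIMES = {
    "left-pad-ish": {"2.4.0": "2025-11-02T10:00:00Z", "2.4.1": "2026-05-22T03:14:09Z"},
    "@scope/colorize": {"0.9.3": "2024-07-19T12:30:00Z"},
    "fastjson-lite": {"3.0.9": "2026-03-01T09:00:00Z", "3.1.0": "2026-05-23T18:45:00Z"},
}

# Earliest TrapDoor activity reported in the brief.
TRAPDOOR_START = datetime(2026, 5, 22, tzinfo=timezone.utc)


def lockfile_deps(lock_text):
    """Yield (name, version) for every installed package in a v2/v3 lockfile."""
    for path, meta in json.loads(lock_text)["packages"].items():
        if not path:
            continue  # the root project entry
        # Keep only the last path segment after node_modules/ so nested and
        # @scoped packages resolve to their registry name.
        name = path.split("node_modules/")[-1]
        yield name, meta["version"]


def flag_recent_publishes(lock_text, times, center, days=3):
    """Return [(name, version, published)] for installed versions published
    within +/- `days` of `center`; versions missing from the registry
    metadata are returned with published=None so they get a manual look."""
    lo, hi = center - timedelta(days=days), center + timedelta(days=days)
    flagged = []
    for name, ver in lockfile_deps(lock_text):
        stamp = times.get(name, {}).get(ver)
        if stamp is None:
            flagged.append((name, ver, None))
            continue
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if lo <= published <= hi:
            flagged.append((name, ver, stamp))
    return flagged
```

A flagged version is a prompt to compare the published tarball against the project's source tag, not proof of compromise; the same window check applies to PyPI and Crates.io release metadata once the lockfile parser is swapped.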
4. Lazarus RemotePE RAT – Financial & Crypto Targeting
Severity: HIGH. Affected: Finance.
The North Korea-linked Lazarus Group is actively deploying RemotePE, a cross-platform memory-only remote access trojan (RAT), in attacks against financial and cryptocurrency organizations [1]. RemotePE is part of a multi-stage attack chain, per NCC Group subsidiary Fox-IT [1], and its in-memory execution technique makes detection more difficult for endpoint security tools that rely on disk-based signatures.
Sources: [1] The Hacker News
Recommended Action
- Deploy behavioral endpoint detection and response (EDR) tools capable of detecting in-memory malware execution.
- Implement network segmentation to isolate financial and crypto infrastructure from general corporate systems.
- Monitor for suspicious process injection, remote thread creation, and memory-only persistence techniques.
- Conduct incident response tabletop exercises targeting APT-attributed threats.
5. CISA Contractor Leak & Kimwolf Botnet Disruption
Severity: HIGH. Affected: Government, Technology.
Until this past weekend, a CISA contractor maintained a public GitHub repository that exposed credentials to highly privileged AWS GovCloud accounts and internal CISA systems [2][4]. The leak was discovered and remediated recently, and lawmakers in both houses of Congress are demanding answers [2]. Separately, Canadian and U.S. authorities arrested a 23-year-old Ottawa man suspected of building and operating Kimwolf, a fast-spreading Internet-of-Things botnet that enslaved millions of devices for use in massive distributed denial-of-service (DDoS) attacks over the past six months [1][3]. The arrest of the alleged botmaster, referred to as “Dort” [3], represents a significant disruption to DDoS-for-hire infrastructure.
Sources: [1] Krebs on Security; [2] Krebs on Security; [3] Krebs on Security; [4] Krebs on Security
Recommended Action
- If you operate systems in AWS GovCloud or interact with CISA services, immediately rotate all AWS access keys and audit IAM permissions.
- Review GitHub repositories for unintended exposure of credentials, API keys, or secrets.
- Monitor DDoS attack logs for indicators of Kimwolf activity and verify botnet mitigation.
- Implement network monitoring to detect and block outbound connections to known DDoS command-and-control infrastructure.
Today’s Action Checklist
- ☐ URGENT: Patch Ghost CMS instances to address CVE-2026-26980; scan for injected malicious JavaScript.
- ☐ URGENT: Review Microsoft 365 OAuth device code flows and enforce Conditional Access restrictions against Kali365-style attacks.
- ☐ HIGH: Audit npm, PyPI, Crates.io, and Composer package dependencies for malicious versions associated with TrapDoor and Laravel Lang attacks.
- ☐ HIGH: Regenerate CI/CD credentials and API keys that may have been exposed through supply-chain compromises.
- ☐ HIGH: If you use AWS GovCloud or interact with CISA systems, rotate all credentials immediately.
- ☐ MEDIUM: Deploy or update EDR tooling to detect in-memory malware and APT tradecraft.