Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel ClickFix attacks.
According to QiAnXin XLab, the activity involves the exploitation of CVE-2026-26980 (CVSS score: 9.4), an SQL injection vulnerability in Ghost’s Content API that could allow an unauthenticated attacker to read arbitrary data from the database. The security flaw was addressed in February 2026 in version 6.19.1. The vulnerability was discovered by Anthropic using Claude.
What makes the vulnerability severe is that it allows an attacker to gain access to a site’s admin API key without permission, granting them the ability to poison the site by injecting malicious code. The admin API key can be used to invoke the admin API and can directly modify articles published on the content management system.
The threat actor leveraged the security flaw to “obtain the target site’s Admin API Key without authorization, and then used the Ghost Admin API to tamper with articles in bulk, injecting malicious JavaScript loaders at the bottom of the pages to assist fake CAPTCHA attacks,” XLab said.
The activity has been described by the Chinese security vendor as a “large-scale poisoning” campaign weaponizing the Ghost CMS flaw. At least two different threat clusters are assessed to be behind the campaign, in some cases implanting certain sites with malicious code within a single day. It was first detected on May 7, 2026.
In all, the campaign has compromised more than 700 websites, spanning universities, blockchain, artificial intelligence, software-as-a-service (SaaS), security research, media, and financial technology sectors. The fact legitimate websites have been breached could further increase the success rate of the ClickFix attacks, XLab said.
The injected JavaScript code at the bottom of an article functions as a two-stage loader that’s responsible for retrieving the main payload at runtime from an external domain (“clo4shara[.]xyz/11z77u3.php”). This architecture offers added flexibility as it enables the threat actor to swap out the payloads based on different criteria, while keeping the loader functionality intact across several compromised sites.
“Directly accessing clo4shara[.]xyz/11z77u3.php reveals a piece of code, which is actually a typical traffic distribution script,” XLab explained. “Its core function is to collect various fingerprint information from the user’s browser and upload it to the server, then perform actions such as redirection, popups, and downloads based on the returned instructions.” The PHP script is powered by Adspect, a commercial cloaking service.
The idea behind using the cloaking script is to ensure that only real victims are served the actual payload, while security scanners and crawlers will only see a benign web page. The script also supports 19 different commands to run arbitrary JavaScript code and facilitate remote control of the victim’s browser.
Site visitors deemed as the intended targets are ultimately served a fake CAPTCHA verification page within an iframe HTML element to prove they are human. This, in turn, triggers a ClickFix attack, as part of which they are instructed to copy and paste a Base64-encoded command into the Windows Run dialog.
The command serves as a dropper for delivering a ZIP archive and extracts from it a Windows batch script and runs it. The script, for its part, executes a PowerShell command to download a DLL file from a remote domain, launch it using “rundll32.exe,” and open a bogus web page to the user as a distraction.
Subsequent iterations of the malware have been found to replace the DLL with a JavaScript payload. Regardless of the type of the payload, the end goal of the attack is to drop a Windows executable. In the case of the DLL, the executable is a PuTTY client with a valid code-signing certificate. The binary distributed via JavaScript is an Inno Setup installer for an Electron application.
The application is a modified version of the open-source Grape desktop client that’s designed to achieve persistence and poll a remote server (“web-telegram[.]ug”) every 30 seconds to process instructions issued by the attacker, including running JavaScript code or executable files.
Ghost CMS users are advised to upgrade their instances to the latest version, rotate all credentials, clean up the sites, audit access logs for signs of suspicious activity, and notify users who may have visited the sites during the contamination period for potential compromise.
