{“lastseen”:”2026-05-26T12:05:07″,”description”:”Attackers are abusing a critical Ghost Content Management System (CMS) vulnerability to hijack more than 700 legitimate websites and inject a fake Cloudflare verification step that tricks visitors into running a Windows command that installs malware.\\n\\nThese social engineering campaigns\u2014where website visitors are tricked into running malicious commands on their systems\u2014are commonly known as \u201cClickFix\u201d attacks. In this case, cybercriminals turned websites belonging to trusted organizations, including universities and tech companies, into delivery platforms for the malware campaign.\\n\\nMore than 700 Ghost\u2011powered websites were compromised through a known SQL injection vulnerability tracked as CVE\u20112026\u201126980. The attackers used this bug to steal administrative API keys and silently inject malicious JavaScript into posts and pages across affected sites.\\n\\nResearchers found that the injected script loads a second\u2011stage ClickFix flow, presenting visitors with a fake Cloudflare or CAPTCHA verification dialog.\\n\\nExample of fake Cloudflare verification\\n\\nInstead of a normal checkbox, the page instructs users to copy\u2011paste a command into the Windows Run dialog or PowerShell, effectively tricking them into installing malware on their own systems.\\n\\n## Details for website managers\\n\\nAt the heart of this campaign is a critical SQL injection bug in Ghost\u2019s Content API. The researchers noted:\\n\\n\\u003e \u201cWithout any authentication, an attacker can directly read the database contents through this vulnerability, including the Admin API Key used to call the Ghost Admin API.\u201d\\n\\nThe vulnerability affects Ghost versions 3.24.0 through 6.19.0 and can be exploited without logging in.\\n\\nA patched version is now available and should be installed as soon as possible. Not just because of the ClickFix campaign; once attackers steal an Admin API key, they can edit, delete, or create posts, inject scripts, hijack themes, and tamper with user\u2011facing content in other ways.\\n\\n## How to stay safe\\n\\nThis campaign is likely to be particularly effective because the instructions are framed as harmless technical steps such as \\”verify you\u2019re human,\\” \\”fix your connection,\\” or \\”continue to the site.\\” Worse still, the content appears on websites users already trust.\\n\\nWith ClickFix running rampant\u2014and it doesn\u2019t look like it\u2019s going away anytime soon\u2014it\u2019s important to be aware, careful, and protected.\\n\\n * **Slow down.** Don\u2019t follow instructions on a webpage without thinking them through, especially if the page asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass critical thinking, and many ClickFix pages use countdowns, fake user counters, or other pressure tactics to make you act quickly.\\n * **Avoid running commands or scripts from untrusted sources.** Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action\u2019s purpose. If a website tells you to execute a command or perform a technical action, check official documentation or contact support before proceeding.\\n * **Be cautious when copy-pasting commands.** Attackers often disguise malicious payloads inside clipboard text. Typing commands manually instead of copy-pasting them can reduce the risk of unknowingly running hidden malicious payloads.\\n * **Secure your devices.** Use an up-to-date, real-time anti-malware solution with a web protection component.\\n * **Stay informed about evolving attack techniques.** Cybercriminals constantly adapt their methods, and awareness remains one of your best defenses, so keep reading our blog!\\n\\n\\n\\n**Pro tip:** Did you know the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?\\n\\n* * *\\n\\n**Stop threats before they can do any harm.**\\n\\nMalwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser \u2192”,”published”:”2026-05-26T10:46:28″,”modified”:”2026-05-26T10:46:28″,”type”:”malwarebytes”,”title”:”700+ education and tech websites hijacked in huge ClickFix malware campaign”,”source”:””,”references”:””,”id”:”MALWAREBYTES:A03B15631D59E8E55D70B41B0D9085B8″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2026-26980″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:9.4,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:L”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/bugs\/2026\/05\/700-education-and-tech-websites-hijacked-in-huge-clickfix-malware-campaign”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-26T12:05:07″,”description”:”Attackers are abusing a critical Ghost Content Management System (CMS) vulnerability to hijack more than 700 legitimate websites and inject a fake Cloudflare verification step…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,131,12,115,13,7,11,5],"class_list":["post-56901","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-94","tag-exploit","tag-malwarebytes","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n