Ai Mainstream

Trusted Websites Turned Into Malware Traps

More than 700 legitimate websites were hijacked to trick visitors into infecting their own computers.

WHAT’S HAPPENING

Cybercriminals are exploiting a critical vulnerability in the Ghost Content Management System (CMS) to compromise hundreds of legitimate websites and transform them into malware delivery platforms.

The attacks abuse CVE-2026-26980, a flaw that lets attackers steal administrative API keys without needing login credentials. With those keys, they inject malicious code that displays fake Cloudflare or CAPTCHA verification prompts to unsuspecting visitors.

Instead of simply checking a box, users are instructed to open Windows Run or PowerShell and paste commands on their own computers, unknowingly installing malware themselves.

Security researchers estimate that more than 700 trusted websites, including sites connected to universities and technology organizations, were affected.

WHY IT MATTERS

This attack represents a dangerous evolution in cybercrime.

People are taught to trust familiar websites. But when legitimate sites become compromised, traditional warning signs disappear.

Rather than exploiting software vulnerabilities directly on victims’ computers, attackers increasingly rely on social engineering—convincing users to perform the final step themselves.

The biggest vulnerability may no longer be technology. It may be human trust.

WHO BENEFITS

  • Cybercriminals benefit by leveraging the credibility of trusted websites to increase infection rates.
  • Malware operators gain access to victims’ devices without needing sophisticated exploits.
  • Security vendors and threat intelligence firms benefit as organizations seek stronger protection and monitoring tools.
  • Organizations that prioritize rapid patching strengthen customer trust by reducing exposure to similar attacks.

WHO LOSES

  • Visitors to compromised websites risk installing malware by following deceptive instructions.
  • Website owners running outdated Ghost installations face reputational damage and potential legal consequences.
  • Universities, businesses, and nonprofits using affected sites may unknowingly become distribution channels for cybercrime.
  • Public trust in the internet erodes when legitimate websites can no longer be assumed safe.

WHAT HAPPENS NEXT

Expect ClickFix attacks, the name given to this fake-verification technique, to spread beyond Ghost-powered websites.

As users become better at recognizing suspicious links and phishing emails, attackers are shifting tactics toward exploiting trusted environments and manipulating human behavior.

Organizations running Ghost should immediately update to patched versions and review their websites for unauthorized changes.
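One way a site owner could approach that review, shown as an added example that is not part of the original article or of Ghost itself: compare each script or HTML fragment the site serves against a known-good hash baseline, and flag fragments that both write to the clipboard and tell the visitor to paste into Run or PowerShell. The fragment names, regex patterns, and sample data are assumptions constructed for illustration.

```python
import hashlib
import re
from html import unescape

# Heuristic ClickFix lure signals (assumed patterns for this example; tune per site).
SIGNALS = {
    "clipboard_write": re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I),
    "paste_to_run": re.compile(
        r"win(dows)?(\s*key)?\s*\+\s*r\b|windows\s+run|powershell", re.I),
    "verify_theme": re.compile(
        r"verify\s+(that\s+)?you\s+are\s+human|not\s+a\s+robot|captcha|cloudflare", re.I),
}

def digest(fragment):
    return hashlib.sha256(fragment.encode("utf-8")).hexdigest()

def signals(fragment):
    # Unescape entities and collapse whitespace so split-up wording still matches.
    text = re.sub(r"\s+", " ", unescape(fragment))
    return sorted(name for name, rx in SIGNALS.items() if rx.search(text))

def audit(baseline, current):
    """Compare current script/HTML fragments with a known-good baseline of hashes."""
    findings = []
    for name, fragment in current.items():
        changed = baseline.get(name) != digest(fragment)
        hits = signals(fragment)
        if {"clipboard_write", "paste_to_run"} <= set(hits):
            severity = "high"      # page copies text and tells the visitor to run it
        elif changed:
            severity = "review"    # unexplained change, no lure wording found
        else:
            severity = "ok"
        findings.append((name, changed, hits, severity))
    return findings

# Constructed sample data: fragment names and contents are hypothetical.
KNOWN_GOOD = {"site_footer": "<script src='/assets/analytics.js'></script>"}
BASELINE = {k: digest(v) for k, v in KNOWN_GOOD.items()}
CURRENT = {
    "site_footer": KNOWN_GOOD["site_footer"],
    "site_header": (
        "<div>Verify you are human: press Windows&nbsp;+ R, then Ctrl + V</div>"
        "<script>navigator.clipboard.writeText('PLACEHOLDER_COMMAND')</script>"
    ),
}

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(finding)
```

A technical blog that legitimately shows PowerShell snippets with a copy button will also score "high", so treat the result as a prompt for manual review against the baseline rather than a verdict.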

For consumers, one rule may become increasingly important:

No legitimate website should ever ask you to open PowerShell, paste commands into Windows Run, or execute code to prove you’re human.

If a website asks you to do that, close the page immediately. It isn’t verification—it’s an attack.