Edition: 26 May 2026 | BCG Analyst Desk
Ghost CMS SQLi (CVE-2026-26980) Is Powering a 700-Site ClickFix Factory — Three Months After the Patch Dropped
CVE-2026-26980 is an unauthenticated SQL injection in Ghost's Content API (CVSS 9.4) affecting versions 3.24.0 through 6.19.0, patched in Ghost 6.19.1 in February 2026. According to QiAnXin XLab's campaign analysis, attackers exploiting this flaw were able to read arbitrary database contents and, in the observed incidents, retrieve admin API keys — enabling full article manipulation. That capability is campaign-reported, not an inherent guarantee of the CVE's scope in every configuration. At least two distinct threat clusters are actively competing over the same victim pool, in some cases re-injecting sites within a single day after cleanup. The attack chain: stolen admin key via SQLi, poisoned published articles with a two-stage JavaScript loader, visitors redirected to a fake Cloudflare CAPTCHA that executes a Run-dialog payload; 700+ confirmed compromised domains span universities, AI/SaaS firms, fintech, and security research outlets. The operational competition between two clusters is the tell — this isn't opportunistic scanning, it's industrialized site-as-delivery-infrastructure, and the trust profiles of the victim properties are precisely what drives ClickFix conversion.
Watch for: Pivot from ClickFix payload delivery to credential harvesting or ransomware precursor activity against the compromised organizational domains, particularly university networks with federated identity.
Sources: QiAnXin XLab blog, May 21, 2026; BleepingComputer (Bill Toulas), May 24, 2026; The Hacker News, May 25, 2026; SentinelOne disclosure, February 27, 2026.
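For site owners checking whether their own Ghost instance was poisoned, the practical step is to pull post bodies through the Content API and look for script injections. The following is an added example written for this briefing; it is not code from Ghost, QiAnXin XLab or any of the cited sources. It assumes the Content API's response shape ({"posts": [{"slug", "updated_at", "html"}, ...]}), a site-specific allowlist of script hosts (the host name below is an assumed placeholder), and a review baseline date; the sample payload is constructed.

```python
"""Audit Ghost Content API post HTML for injected script loaders.

Added example for incident responders; not Ghost's or XLab's code.
Assumes the Content API response shape {"posts": [{"slug", "updated_at",
"html"}, ...]} and a site-specific allowlist of script hosts (assumed).
"""
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the only hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdn.example-site.test"}
# Tokens common in obfuscated inline loaders; any hit deserves a human look.
SUSPECT_TOKENS = ("atob(", "eval(", "String.fromCharCode", "document.write(", "unescape(")
# Assumed review baseline: anything edited after this date gets listed.
BASELINE = "2026-02-01T00:00:00.000Z"


class ScriptCollector(HTMLParser):
    """Collect every <script> in a post body as (src, inline_body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def audit_post(post):
    """Return (slug, finding_kind, detail) tuples for one post."""
    collector = ScriptCollector()
    collector.feed(post.get("html") or "")
    findings = []
    for src, body in collector.scripts:
        if src:
            host = (urlparse(src).hostname or "").lower()
            if host not in ALLOWED_SCRIPT_HOSTS:
                findings.append((post["slug"], "external-script", src))
        else:
            hits = [t for t in SUSPECT_TOKENS if t in body]
            if hits:
                findings.append((post["slug"], "inline-script", ",".join(hits)))
    # Ghost emits ISO-8601 UTC timestamps, so a string comparison is safe here.
    if post.get("updated_at", "") > BASELINE:
        findings.append((post["slug"], "modified-after-baseline", post["updated_at"]))
    return findings


def audit_content_api_payload(raw_json):
    """Audit every post in one Content API JSON payload."""
    data = json.loads(raw_json)
    findings = []
    for post in data.get("posts", []):
        findings.extend(audit_post(post))
    return findings


# Constructed sample payload: one clean post, one with an obfuscated inline
# loader, one pulling a script from a host outside the allowlist.
SAMPLE_PAYLOAD = json.dumps({"posts": [
    {"slug": "welcome", "updated_at": "2026-01-10T09:00:00.000Z",
     "html": '<p>Hello</p><script src="https://cdn.example-site.test/app.js"></script>'},
    {"slug": "q1-results", "updated_at": "2026-05-20T03:12:44.000Z",
     "html": "<p>Results</p><script>var s=document.createElement('script');"
             "s.src=atob('ZmFrZQ==');document.head.appendChild(s);</script>"},
    {"slug": "about", "updated_at": "2026-05-21T11:00:00.000Z",
     "html": '<p>About</p><script src="https://static.not-ours.invalid/l.js"></script>'},
]})

if __name__ == "__main__":
    for slug, kind, detail in audit_content_api_payload(SAMPLE_PAYLOAD):
        print(f"{slug:12} {kind:24} {detail}")
```

Run it against a saved Content API export (posts endpoint, `formats=html`) rather than the rendered site: the rendered page is what the loader wants you to see, the stored post body is what the stolen admin key actually changed. The modified-after-baseline finding is deliberately noisy; it is there to give the reviewer the full list of edits since the patch window, not to score them.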
Kali365: FBI Formally Flags a PhaaS Kit That Wins After MFA Completes
The FBI's IC3 issued a PSA on May 21 warning about Kali365, a phishing-as-a-service platform first observed in April 2026 and distributed via Telegram, which captures Microsoft 365 OAuth tokens and bypasses MFA without ever intercepting a user's credentials. Arctic Wolf and Proofpoint, per TechTimes reporting on May 24, documented hundreds of attacks in April alone across manufacturing, education, government, and healthcare in North America and Europe; Proofpoint specifically noted that the targeted organizations were MFA-enabled — though "every victim" as a universal claim is Proofpoint's characterization of the April sample set, not an independently verified universal finding. The mechanism is what matters: Kali365 runs device-code phishing — the victim successfully completes MFA on Microsoft's genuine sign-in page, and the fraud happens one step later when the issued OAuth token is harvested by the attacker. Proofpoint documented a sharp volumetric spike in device-code phishing beginning in September 2025, initially adopted by state-aligned actors before financially motivated criminals followed; Kali365 arrived in April 2026 as a more polished commodity product in that lineage, available for as little as $250 for 30 days. A password reset post-compromise does not invalidate stolen refresh tokens — that framing gap is killing incident response right now.
Watch for: Kali365 adoption by mid-tier ransomware affiliates seeking M365 initial access without credential stuffing noise; watch for ShinyHunters-linked M365 intrusions using device-code patterns given their recent Canvas/Instructure and 7-Eleven operations.
Sources: FBI IC3 PSA, May 21, 2026; BleepingComputer, May 25, 2026; TechTimes (citing Arctic Wolf and Proofpoint), May 24, 2026; Infosecurity Magazine, May 22, 2026.
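The detection and containment side of device-code phishing is mechanical once the right field is in view. The block below is an added example for this briefing, not code from the FBI, Proofpoint, Arctic Wolf or Microsoft. It reads sign-in records in the shape of the Microsoft Graph signIn resource, whose authenticationProtocol field carries the value "deviceCode" for this flow, flags successful device-code sign-ins, ranks them by whether the source IP has been seen for that user, and emits a containment order that puts session revocation before the password reset. The sample records and IP addresses are constructed; the Conditional Access fragment follows the Graph conditionalAccessPolicy authenticationFlows condition and should be checked against current Microsoft documentation before use.

```python
"""Triage Entra ID sign-in records for OAuth device-code flow abuse.

Added example; not FBI, Proofpoint or Microsoft code. Input is
newline-delimited JSON in the shape of the Graph signIn resource.
Sample records below are constructed.
"""
import json
from collections import defaultdict

# Constructed sample: a normal OAuth2 sign-in, a successful device-code
# sign-in from an IP the user has never used, and a failed device-code attempt.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2026-05-20T08:01:12Z","userPrincipalName":"a.lee@corp.example","authenticationProtocol":"oAuth2","appDisplayName":"Outlook","ipAddress":"198.51.100.10","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T08:40:03Z","userPrincipalName":"a.lee@corp.example","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.77","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:15:00Z","userPrincipalName":"b.ortiz@corp.example","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Teams","ipAddress":"198.51.100.22","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:20:41Z","userPrincipalName":"c.nair@corp.example","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","ipAddress":"198.51.100.30","status":{"errorCode":50126}}
"""

# Conditional Access condition that blocks the device-code transfer method.
# Shape follows the Graph conditionalAccessPolicy authenticationFlows
# condition; verify against current Microsoft documentation before use.
BLOCK_DEVICE_CODE_CONDITION = {"authenticationFlows": {"transferMethods": "deviceCodeFlow"}}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_device_code(records):
    """Flag successful device-code sign-ins; rank by source-IP familiarity."""
    known_ips = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            known_ips[r["userPrincipalName"]].add(r["ipAddress"])
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: no token issued, worth logging, not containing
        upn = r["userPrincipalName"]
        unfamiliar = r["ipAddress"] not in known_ips[upn]
        findings.append({
            "user": upn, "time": r["createdDateTime"], "app": r["appDisplayName"],
            "ip": r["ipAddress"], "ip_unfamiliar": unfamiliar,
            "severity": "high" if unfamiliar else "medium",
        })
    return findings


def containment_plan(findings):
    """Per-user actions in the order that actually closes the token window."""
    plan = {}
    for f in findings:
        plan[f["user"]] = [
            # Graph action that invalidates the user's refresh tokens.
            "POST /users/{id}/revokeSignInSessions",
            "review app consents and device registrations created since " + f["time"],
            "reset password after revocation (a reset alone does not revoke tokens)",
        ]
    return plan


if __name__ == "__main__":
    hits = triage_device_code(parse_signins(SAMPLE_SIGNINS))
    for h in hits:
        print(h)
    for user, steps in containment_plan(hits).items():
        print(user, steps)
```

In a real tenant the records come from the sign-in logs export or the Graph auditLogs/signIns endpoint; the familiar-IP set should be built over weeks of history rather than the same batch, as done here for self-containment. The failed attempt for c.nair is skipped on purpose: no token was issued, so revocation buys nothing, but the record is still the earliest indicator that the user received a lure.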
Laravel-Lang Supply Chain: Multiple Packages, Four Repositories, Every Historical Tag, 15 Minutes
On May 22, 2026, an attacker with push access to the Laravel-Lang GitHub organization rewrote every git tag across multiple popular Composer packages within a single 15-minute window. StepSecurity confirmed exploitation across at least three repositories (laravel-lang/http-statuses, laravel-lang/actions, laravel-lang/attributes); Snyk's advisory covers four repositories and puts the backdoored version count at 700+ when historical tags are counted — Aikido's initial count of 233 versions reflects a narrower slice of the same incident. An injected helpers.php file was wired into Composer's autoload.files directive, executing automatically on every PHP request the moment the package was installed — no user interaction required. The malware exfiltrated cloud provider keys, infrastructure tokens, browser-stored passwords, cryptocurrency wallets, and developer secrets; the attack window opened at 22:32 UTC on May 22. The tag-rewrite vector is the critical issue: projects whose composer.lock pinned what appeared to be a safe version hash were silently re-exposed when tags were repointed. This is the fourth distinct supply chain campaign in eleven days in May — following TanStack (84 malicious npm packages, May 11), node-ipc (May 14), and AntV (300+ versions, May 19) — each using a different initial access vector across npm, PyPI, and now Composer. That is pattern, not noise.
Watch for: Downstream compromise of CI/CD pipelines that ran composer update between 22:32 UTC May 22 and Packagist remediation; prioritize pipelines with AWS, GitHub OIDC, and Kubernetes secret access.
Sources: StepSecurity blog, May 22, 2026; Snyk advisory (updated May 25, 2026); Socket Research Team, May 23, 2026; Aikido Security, May 22, 2026; BleepingComputer, May 23, 2026; The Hacker News, May 25, 2026.
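Two things in composer.lock make a tag repoint visible: the commit reference recorded under source (or dist) for each package version, and the autoload.files list the package declares. The following is an added example for this briefing, not code from StepSecurity, Snyk, Aikido or the Laravel-Lang project. It assumes a baseline of package@version → commit reference captured from a lock file trusted before the incident, and an allowlist of autoload.files each package is expected to ship; the lock excerpt, version numbers, commit hashes and the src/helpers.php path are all constructed for the demonstration.

```python
"""Audit composer.lock for repointed tags and unexpected autoload files.

Added example; not StepSecurity's, Snyk's or the project's code. Assumes a
baseline of package@version -> commit reference captured from a trusted
earlier lock file (values below are constructed).
"""
import json

# Constructed baseline captured from an earlier, trusted composer.lock.
KNOWN_GOOD_REFS = {
    "laravel-lang/http-statuses@4.0.5": "1111111111111111111111111111111111111111",
    "laravel-lang/attributes@2.8.1": "2222222222222222222222222222222222222222",
}
# Constructed allowlist: autoload.files each package is expected to declare.
EXPECTED_AUTOLOAD_FILES = {
    "laravel-lang/http-statuses": set(),
    "laravel-lang/attributes": set(),
}

# Constructed lock excerpt: http-statuses unchanged; attributes keeps the same
# version string but now points at a different commit and autoloads a new file.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/http-statuses", "version": "4.0.5",
     "source": {"type": "git", "url": "https://github.com/Laravel-Lang/http-statuses.git",
                "reference": "1111111111111111111111111111111111111111"},
     "autoload": {"psr-4": {"LaravelLang\\HttpStatuses\\": "src/"}}},
    {"name": "laravel-lang/attributes", "version": "2.8.1",
     "source": {"type": "git", "url": "https://github.com/Laravel-Lang/attributes.git",
                "reference": "deadbeef00000000000000000000000000000000"},
     "autoload": {"psr-4": {"LaravelLang\\Attributes\\": "src/"},
                  "files": ["src/helpers.php"]}},
    {"name": "vendor/unrelated", "version": "1.0.0",
     "source": {"type": "git", "url": "https://example.invalid/unrelated.git",
                "reference": "3333333333333333333333333333333333333333"},
     "autoload": {"psr-4": {"Unrelated\\": "src/"}}},
]})


def audit_lock(lock_json, baseline=KNOWN_GOOD_REFS, expected_files=EXPECTED_AUTOLOAD_FILES):
    """Return (kind, package@version, detail) findings for one lock file."""
    lock = json.loads(lock_json)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        key = f'{pkg["name"]}@{pkg["version"]}'
        # Prefer the VCS reference; fall back to the dist reference if absent.
        ref = ((pkg.get("source") or {}).get("reference")
               or (pkg.get("dist") or {}).get("reference"))
        if key in baseline and baseline[key] != ref:
            findings.append(("tag-repointed", key, f"expected {baseline[key]} got {ref}"))
        if pkg["name"] in expected_files:
            for path in (pkg.get("autoload") or {}).get("files", []):
                if path not in expected_files[pkg["name"]]:
                    findings.append(("unexpected-autoload-file", key, path))
    return findings


if __name__ == "__main__":
    for kind, key, detail in audit_lock(SAMPLE_LOCK):
        print(f"{kind:26} {key:36} {detail}")
```

The check belongs in CI right after composer update, diffing the regenerated lock against the committed one: a version string that stays the same while its commit reference changes is exactly the signature of a repointed tag, and a package that suddenly declares autoload.files is the signature of code that will run on the next request without anything calling it.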
Operation Saffron: Law Enforcement Has First VPN's User Records — and 506 Identified Accounts Believed They Were Anonymous
Dubbed Operation Saffron, the joint action on May 19–20 was led by French and Dutch authorities with Europol and Eurojust support, resulting in the seizure of 33 servers across 27 countries, the shutdown of primary domains (1vpns.com, 1vpns.net, 1vpns.org and associated onion sites), and the interviewing of First VPN's administrator during a house search in Ukraine. Current reporting supports 506 identified users notified that they have been flagged — a figure grounded in confirmed law enforcement disclosure; the "5,000 criminal accounts" figure cited in some secondary coverage is not verified against primary Europol or DOJ sourcing and has been removed here. First VPN was promoted exclusively on Russian-speaking cybercrime forums including Exploit[.]in and XSS[.]is; at least 25 ransomware groups, including Avaddon, used its infrastructure for network reconnaissance, intrusions, and C2. The strategic value of the takedown isn't the server seizures — it's the user records. Those 506 notified accounts believed they were operating beyond law enforcement's reach. Operation Saffron is part of a deliberate shift toward targeting the shared services that make ransomware operations viable at scale — bulletproof hosting, mixers, initial access brokers, criminal anonymization infrastructure — rather than pursuing individual affiliates who can be replaced within days.
Watch for: Follow-on arrests tied to identified First VPN accounts; accelerated migration of ransomware C2 to new anonymization infrastructure over the next 30–60 days as operators assess their exposure.
Sources: Europol/Eurojust press release, May 21, 2026; The Hacker News, May 21, 2026; Help Net Security (Anamarija Pogorelec), May 21, 2026; CyberSecurityNews, May 21, 2026.
Ghostwriter Is Back, Using Ukraine's Own Learning Platform Against Its Government
The Belarus-aligned threat actor Ghostwriter (UAC-0057 / UNC1151) has been running a phishing campaign against Ukrainian government organizations since spring 2026, using compromised accounts to deliver lures impersonating Prometheus, Ukraine's largest online learning platform. The attack chain: PDF attachment with embedded link → ZIP download containing a JavaScript file (OYSTERFRESH) → decoy document displayed while OYSTERBLUES is written obfuscated to the Windows Registry → OYSTERSHUCK decodes and executes the payload, collecting system information and transmitting it to C2. The choice of Prometheus as a lure warrants note: the platform hosts courses ranging from programming and public administration to military service and drone engineering. The analytical inference — that targeting a platform used for defense-adjacent training is deliberate rather than opportunistic — is plausible given Ghostwriter's established focus on Ukrainian government personnel, but is not stated in the CERT-UA advisory and should be read as analysis, not confirmed intent. Ukraine's National Security and Defense Council separately disclosed that Russia is using AI tools including ChatGPT and Google Gemini for target scouting and to generate malicious code components.
Watch for: OYSTERSHUCK C2 infrastructure expansion and correlation with prior Ghostwriter campaigns; any Ukrainian defense-sector organizations that received Prometheus-themed emails should treat that as confirmed targeting signal.
Sources: CERT-UA advisory, May 22, 2026; The Hacker News, May 22, 2026; The Record / Recorded Future (Daryna Antoniuk), May 22, 2026; SC Media, May 22, 2026.
Showboat: PRC-Linked Linux Implant Sat Undetected Inside a Middle East Telecom Since at Least Mid-2022
Lumen Technologies' Black Lotus Labs disclosed Showboat, a modular Linux post-exploitation framework capable of spawning remote shells, transferring files, and operating as a SOCKS5 proxy — attributed to at least one and likely multiple PRC-aligned threat clusters, with C2 infrastructure geolocated to Chengdu, Sichuan. The malware sample submitted to VirusTotal in May 2025 maintained a zero-percent detection rate across all antivirus engines through April 2026. Kaspersky tracks the same artifact as EvaRAT and links it to the Calypso cluster (Bronze Medley / Red Lamassu); confirmed victims include a Middle East telecom provider and an Afghanistan-based ISP, with potential activity in Azerbaijan. The SOCKS5 proxy capability is operationally significant: the feature suggests use of compromised telecom infrastructure as routing and proxy infrastructure for subsequent attacker operations — whether that is its primary function is analytical inference, not a confirmed finding from Black Lotus Labs' report. This assessment sits within the established Salt Typhoon pattern: telecom access as persistent intelligence infrastructure, not smash-and-grab.
Watch for: The 20 additional C2 nodes identified by Black Lotus Labs sharing metadata properties with the primary node are the active hunting surface; correlation with other PRC telecom-targeting campaigns across Central Asia and Southeast Asia.
Sources: Lumen Technologies Black Lotus Labs blog, May 21, 2026; The Hacker News (citing Danny Adamitis, Black Lotus Labs), May 21, 2026; Kaspersky (EvaRAT); TechNadu, May 22, 2026; Cybernews, May 22, 2026.
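Whatever Showboat's own wire format looks like, a host that has been turned into a SOCKS5 relay still has to speak RFC 1928 to whoever uses it, and that handshake is recognisable in flow telemetry. The classifier below is an added example for this briefing, not Black Lotus Labs' or Kaspersky's code, and it knows nothing about Showboat specifically. It assumes you already hold the first client and server payload chunks of a TCP flow (from a sensor or a pcap) and parses the greeting, the server's method selection and the CONNECT/BIND/UDP_ASSOCIATE request; the sample flows and the destination name are constructed.

```python
"""Classify captured TCP payloads as SOCKS5 sessions (RFC 1928 handshake).

Added example for hunting proxy behaviour on hosts that should not proxy;
not Black Lotus Labs' code. Assumes the first client and server payload
chunks of a flow are available. Sample chunks are constructed.
"""
import ipaddress
import struct

SOCKS_VER = 0x05
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
NO_ACCEPTABLE_METHODS = 0xFF


def parse_greeting(chunk):
    """Client greeting: VER NMETHODS METHODS[NMETHODS]. Returns method list or None."""
    if len(chunk) < 2 or chunk[0] != SOCKS_VER:
        return None
    n = chunk[1]
    if len(chunk) != 2 + n:
        return None
    return list(chunk[2:])


def parse_request(chunk):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT. Returns dict or None."""
    if len(chunk) < 4 or chunk[0] != SOCKS_VER or chunk[2] != 0x00:
        return None
    cmd, atyp = chunk[1], chunk[3]
    if atyp == 0x01 and len(chunk) == 10:                                # IPv4
        host, off = str(ipaddress.IPv4Address(chunk[4:8])), 8
    elif atyp == 0x03 and len(chunk) >= 5 and len(chunk) == 7 + chunk[4]:  # domain
        n = chunk[4]
        host, off = chunk[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == 0x04 and len(chunk) == 22:                              # IPv6
        host, off = str(ipaddress.IPv6Address(chunk[4:20])), 20
    else:
        return None
    port = struct.unpack("!H", chunk[off:off + 2])[0]
    return {"cmd": COMMANDS.get(cmd, f"UNKNOWN({cmd})"), "host": host, "port": port}


def classify_flow(client_chunks, server_chunks):
    """Return a finding dict if the exchange is a SOCKS5 negotiation, else None.

    A negotiation needs a valid greeting and a server method-select reply
    that is not 0xFF. With the no-auth method the request follows directly
    and is parsed; with any other method an auth sub-negotiation follows,
    which is not modelled, so the request fields are left as None.
    """
    if len(client_chunks) < 2 or not server_chunks:
        return None
    methods = parse_greeting(client_chunks[0])
    if methods is None:
        return None
    reply = server_chunks[0]
    if len(reply) != 2 or reply[0] != SOCKS_VER or reply[1] == NO_ACCEPTABLE_METHODS:
        return None
    if reply[1] not in methods:
        return None  # server picked a method the client never offered: not SOCKS5
    finding = {"offered_methods": methods, "selected_method": reply[1],
               "cmd": None, "host": None, "port": None}
    if reply[1] == 0x00:
        request = parse_request(client_chunks[1])
        if request is None:
            return None
        finding.update(request)
    return finding


# Constructed sample flows: a SOCKS5 CONNECT to a domain on port 443, and
# an ordinary HTTP exchange that must not match.
_DEST = b"internal-billing.example"
SOCKS_FLOW = (
    [b"\x05\x01\x00",                                              # greeting: no-auth
     b"\x05\x01\x00\x03" + bytes([len(_DEST)]) + _DEST + b"\x01\xbb"],  # CONNECT :443
    [b"\x05\x00"],                                                 # server selects no-auth
)
HTTP_FLOW = ([b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"], [b"HTTP/1.1 200 OK\r\n\r\n"])

if __name__ == "__main__":
    print(classify_flow(*SOCKS_FLOW))
    print(classify_flow(*HTTP_FLOW))
```

The hunting value is in the inversion: on a telecom core host, any flow where the host answers a SOCKS5 greeting is the anomaly, regardless of port, and the parsed destination tells you where the relay is being pointed.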
Kimwolf Botnet Admin Arrested: 23-Year-Old Ottawa Resident Ran a Million-Device DDoS-for-Hire
The US DOJ unsealed charges against Jacob Butler, 23, of Ottawa (aka "Dort"), for allegedly developing and operating the Kimwolf botnet — a DDoS-for-hire service that infected over one million devices worldwide, including devices in Alaska; the complaint was filed April 10, 2026 and remained sealed pending Butler's arrest in Canada, with Butler facing up to 10 years if convicted. The action follows a March 2026 DOJ operation that disrupted C2 infrastructure across four IoT botnets simultaneously — AISURU, Kimwolf, JackSkid, and Mossad — involving Canadian and German authorities alongside major tech companies. The sequence — infrastructure disruption in March, arrest in May — reflects the closing of an investigative loop that began with server seizures and ended with identity attribution. Kimwolf is not a sophisticated operation, and Butler is not a major figure in the criminal ecosystem. The significance is narrower: whether commodity criminal infrastructure operators face actual accountability, or simply displacement, is a test the 2026 law enforcement tempo is beginning to answer.
Watch for: Remaining Kimwolf infrastructure still operational post-arrest; reconstitution attempts under new operator handles on XSS[.]is or Exploit[.]in.
Sources: US DOJ press release, May 22, 2026; Security Affairs (Pierluigi Paganini), May 22, 2026; Digital Forensics Magazine roundup, May 22, 2026.
Verizon DBIR 2026: Patching Is Failing — and the Numbers Underneath the Headline Are Worse
Verizon's 2026 DBIR finds vulnerability exploitation has overtaken credential abuse as the leading breach vector for the first time in 19 years of the report's publication — analyzed across more than 22,000 confirmed data breaches drawn from a dataset of 31,000+ security incidents. Verizon's own report language puts exploitation at 31% of initial access versus credential abuse at 13%; those figures are sourced directly from the DBIR and supported by SecurityWeek, Industrial Cyber, and Help Net Security reporting. The number that should be getting more attention: only 26% of critical vulnerabilities in CISA's KEV catalog were fully remediated in 2025, down from 38% the prior year; median resolution time increased to 43 days from 32, while organizations faced 50% more critical vulnerabilities requiring patching compared with the prior period. Defenders are losing ground on every remediation metric simultaneously. Verizon also found that AI is compressing the vulnerability-to-exploitation window from months to hours, and that 67% of users are accessing AI services from corporate devices using non-corporate accounts. The shadow AI stat is the one going unaddressed: unmanaged AI sessions are a data exfiltration surface most security teams have no telemetry on.
Watch for: The KEV remediation rate as a leading structural indicator — if it continues declining through Q3, the exploitation percentage in DBIR 2027 is higher regardless of tactical defender activity.
Sources: Verizon 2026 Data Breach Investigations Report (official release); SecurityWeek, May 20, 2026; Industrial Cyber, May 20, 2026; Help Net Security, May 20, 2026.
Trellix Source Code Breach: RansomHouse Claims It; the Long-Tail Risk Is Detection Logic, Not Data
Cybersecurity firm Trellix — formed from the 2021 merger of McAfee Enterprise and FireEye — disclosed in early May 2026 that attackers gained access to "a portion" of its source code repository; the company engaged forensic experts and notified law enforcement. On or around May 8, the RansomHouse group claimed responsibility, listing Trellix on its data leak site; when contacted, Trellix said it was "aware of claims of responsibility and looking into it," without confirming a connection. Trellix maintains no evidence of exploitation or distribution pipeline compromise, and the customer endpoint count cited in earlier reporting should be treated as unverified until sourced to an official Trellix disclosure. The material risk here is analytical, not confirmed: source code access for an endpoint security and XDR vendor reveals detection architecture and control placement — giving adversaries a structural map for evasion before any CVE is published. That is an inferred risk profile based on the nature of the asset compromised, not a confirmed finding from Trellix's investigation, which remains ongoing.
Watch for: RansomHouse publishing code samples or naming specific product lines; novel evasion patterns appearing in commodity malware that correlate with Trellix detection logic.
Sources: Trellix official statement, May 2, 2026; BleepingComputer, May 4, 2026; SecurityWeek / Dark Reading (Rob Wright), May 5, 2026; The Hacker News, May 8, 2026; UpGuard, May 5, 2026.
The Broader Pattern: May 2026 Looks Like a Sustained Campaign Against Developer Trust Infrastructure
Pull back from individual items and read the month as a dataset. Four distinct package ecosystem attacks across eleven days — TanStack (84 malicious npm packages via stolen OIDC token, May 11), node-ipc (May 14), AntV (300+ versions in 22 minutes, May 19), Laravel-Lang (four repositories, every historical tag rewritten, May 22) — each using a different initial access vector across npm, PyPI, and Composer. The Ghost CMS campaign weaponizing a three-month-old unpatched SQLi to poison 700 high-trust publishing properties. Megalodon targeting 5,561 GitHub repositories via malicious CI/CD workflows. The framing of "coordinated assault" here is rhetorical, not a confirmed attribution finding: there is no public evidence linking these campaigns to a single actor or directing entity. What the public record does support — and what warrants treatment as an analytical conclusion rather than coincidence — is adversarial convergence on the same target layer: software integrity infrastructure, including signing, tagging, advisory systems, and CI/CD automation. Each campaign in this window attacked a different node in the same trust chain. Whether that reflects coordination, shared tooling, or independent actors recognizing the same high-value surface is an open question. The defensive implication is the same regardless.
Watch for: Further package registry incidents in the next 72 hours, particularly PyPI and Packagist; escalation from credential theft to persistent backdoor deployment in affected developer pipelines.
Sources: StepSecurity blog, May 22, 2026; Socket Research Team, May 23, 2026; Aikido Security, May 22, 2026; The Hacker News (Megalodon), May 22, 2026; gblock.app analysis, May 24, 2026.
Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.
If you would like to support our work, providing useful, well researched and detailed evaluations of current cybersecurity topics at no cost, buy us a coffee! https://bordercybergroup.com/#/portal/support