Global Ghost CMS Poisoning Campaign Exploits Enterprise Blogs
ID: 87e96f2d-dd94-5dfe-b545-397f83d9bb6c
STIX ID: report--87e96f2d-dd94-5dfe-b545-397f83d9bb6c
Feed Name: securityonline.info
Security researchers uncovered a widespread Ghost CMS poisoning campaign exploiting CVE-2026-26980 (SQL injection) to obtain Admin API keys, append malicious JavaScript to posts, and redirect visitors to a convincing FakeCaptcha flow. The attack chain uses browser fingerprinting and traffic distribution to cloak real victims, delivers a background compressed installer that executes a multi-stage Rust binary (installer.dll) and ultimately installs a trojan (UtilifySetup.exe). Over 700 domains — including high-profile institutions — were reported affected. Recommended immediate mitigations include patching Ghost instances, rotating Admin API keys, and scanning for injected scripts and unauthorized backend changes.
