A significant security vulnerability has been identified in Ghost CMS, specifically a SQL injection flaw labeled CVE-2026-26980. Attackers are exploiting this weakness to inject harmful JavaScript code, which activates ClickFix attack flows across numerous websites utilizing this content management system. This exploitation poses a serious risk to users by potentially compromising their data and the functionality of affected sites. Ghost CMS users, particularly those running outdated versions, should take immediate action to secure their systems. This incident highlights the ongoing need for vigilance in web security and the importance of keeping software up to date.
Latest Cybersecurity Threats
Real-time threat intelligence from trusted sources
Security Affairs
Recent reports indicate that the popular npm package 'node-ipc' has been compromised with credential-stealing malware. This incident affects developers who rely on this package for their applications, potentially exposing sensitive user information. Additionally, a new group called TeamPCP has emerged, deploying clones of the Shai-Hulud malware, which may pose further risks to various systems. Moreover, active supply chain attacks have targeted '@antv' packages on npm, putting more developers at risk. The compromised GitHub Action 'actions-cool/issues-helper' has also been found to redirect all tags to malicious endpoints, heightening concerns over the security of widely used development tools. Developers and organizations should take immediate precautions to secure their environments and monitor for any unusual activity.
Anthropic's AI initiative, Project Glasswing, has identified over 10,000 serious vulnerabilities within just one month of operation. This alarming discovery exposes a significant gap in the ability of organizations to patch and manage these vulnerabilities effectively. The vulnerabilities range in severity from high to critical, raising concerns for companies and users who rely on the affected systems. As the number of vulnerabilities continues to grow, it becomes increasingly clear that many organizations struggle with timely patching and security management. This situation not only jeopardizes the security of sensitive data but also highlights the urgent need for improved cybersecurity practices across the industry.
Help Net Security
Last week, the hacking group TeamPCP claimed to have breached GitHub's internal codebase by using a poisoned Visual Studio Code (VS Code) extension. GitHub, owned by Microsoft, confirmed the breach and has since launched an investigation into how their private code repositories were compromised. This incident raises serious concerns about the security of development tools widely used by programmers. Moreover, researchers recently discovered a critical flaw in NGINX, a popular web server software, which is being actively exploited. These incidents highlight the ongoing vulnerabilities in essential software and the need for robust security measures to protect sensitive information.
A recent supply chain attack has compromised Laravel Lang localization packages, leading to the distribution of credential-stealing malware. Attackers exploited GitHub version tags to insert malicious code into Composer packages, which are widely used by developers for PHP applications. This incident puts numerous developers at risk, as the malicious packages can steal sensitive information such as login credentials. Those using affected Laravel Lang packages need to be vigilant and check their dependencies to ensure they are not using compromised versions. The attack raises concerns about the security of open-source software and the potential for similar incidents in the future.
Italian officials have taken action against the CINEMAGOAL app, a piracy tool that illegally provided access to popular streaming services like Netflix, Disney+, and Spotify. The app was reportedly using stolen authentication codes to bypass payment systems, allowing users to access content without subscriptions. This crackdown is significant as it not only protects the intellectual property rights of these streaming platforms but also highlights ongoing challenges in combating online piracy. By dismantling this network, authorities aim to deter similar activities in the future and safeguard legitimate services. The action is part of a broader effort to enforce copyright laws and ensure users are not misled into using illegal services.
Anthropic announced that its Project Glasswing has identified over 10,000 high- or critical-severity vulnerabilities in widely-used software since its launch last month. This initiative involves collaboration with around 50 partners and focuses on software deemed systemically important on a global scale. These vulnerabilities pose significant risks to organizations and users relying on this software, potentially exposing them to data breaches or cyberattacks. The findings emphasize the urgent need for software developers and companies to address these flaws promptly to safeguard their systems and users. This proactive approach highlights the role of AI in enhancing cybersecurity efforts.
SecurityWeek
A new vulnerability, dubbed 'Underminr', affects around 88 million domains, allowing attackers to hide malicious connections behind trusted domain names. This exploit can bypass DNS filtering mechanisms, making it easier for cybercriminals to manage command-and-control traffic without detection. As a result, organizations that rely on these domains for security may be at greater risk of compromise. The vulnerability raises concerns about the effectiveness of current DNS security measures, as attackers can leverage this flaw to blend in with legitimate traffic. Companies and system administrators are urged to review their DNS filtering strategies to mitigate potential risks associated with this vulnerability.
Cybersecurity researchers have identified a software supply chain attack that compromised several PHP packages associated with Laravel-Lang. The affected packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. These packages were manipulated to deliver a credential-stealing framework that could potentially affect developers and users utilizing these resources. This incident raises concerns about the security of software supply chains, particularly in open-source communities where such packages are widely used. Developers should remain vigilant and review their dependencies to ensure they are not using compromised versions of these packages.
The Hacker News
A severe security vulnerability has been discovered in the LiteSpeed User-End cPanel Plugin, identified as CVE-2026-48172, which has a maximum CVSS score of 10.0. This flaw allows attackers to exploit incorrect privilege assignments, enabling them to execute arbitrary scripts with root privileges. As a result, any cPanel user, including potential attackers or compromised accounts, can take advantage of this vulnerability. The ongoing exploitation of this flaw poses significant risks to server security and data integrity, making it crucial for affected users to take immediate action. The situation emphasizes the need for vigilance among web hosts and cPanel users to prevent unauthorized access and maintain secure environments.
SCM feed for Latest
Ubiquiti has patched three serious vulnerabilities in its UniFi OS, labeled CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910. These flaws could allow unauthorized users to make system changes, access sensitive system files through path traversal, and execute commands remotely via command injection. This is a significant concern for users of UniFi OS, as it could lead to unauthorized access and control over network devices. Ubiquiti is urging all users to apply the updates as soon as possible to protect their systems from potential exploitation. Given the nature of these vulnerabilities, companies using UniFi OS should prioritize updating their systems to ensure their networks remain secure.
SCM feed for Latest
Cisco's recent research has raised concerns about the reliability of AI-generated security incident reports. The study found that large language models (LLMs) can produce inconsistent results, even when querying the same data. This variability can lead to confusion and mistakes in understanding security incidents, which is critical for organizations relying on accurate reporting for their security posture. The findings suggest that companies using AI for cybersecurity reporting need to be cautious and verify the data produced by these systems, as discrepancies could hinder effective incident response. As AI becomes more integrated into security operations, ensuring its accuracy will be vital for maintaining trust and effectiveness in cybersecurity efforts.
SCM feed for Latest
Based Apparel, a merchandise site linked to Kash Patel, was recently hacked to distribute infostealer malware aimed at stealing user credentials. This security incident came to light when a user on X shared the alarming news. The malware poses a serious risk to anyone who visited the site, as it can compromise sensitive information like login details. Users who made purchases or even just browsed the site should take immediate steps to protect their accounts, such as changing passwords and monitoring for suspicious activity. The attack underscores the ongoing risks associated with online shopping and the need for users to remain vigilant about their cybersecurity practices.
SCM feed for Latest
The Belarus-linked hacking group Ghostwriter, also known as UAC-0057 and UNC1151, has launched a multi-stage cyberattack targeting Ukraine. Researchers have identified that the group is using the Prometheus learning platform as bait to lure victims into their traps. This tactic raises concerns as it not only threatens the security of individuals and organizations in Ukraine but also highlights the ongoing cyber warfare linked to the conflict in the region. The implications are significant, as such attacks can disrupt critical infrastructure and undermine trust in digital platforms, especially in a time of heightened tensions. As the situation evolves, vigilance is essential for those engaged in online education and other sectors potentially impacted by these tactics.
SCM feed for Latest
A recent report by Hunt.io has uncovered over 1,350 command and control (C2) servers operating across 14 countries in the Middle East. Notably, Saudi Telecom Company (STC) has been linked to more than 72% of these servers, often through systems that have been compromised by attackers. This concentration of malicious infrastructure raises concerns for cybersecurity in the region, as it suggests that many customer systems are being exploited for nefarious purposes. The presence of so many C2 servers indicates a significant risk for data breaches and other cyber incidents, affecting both businesses and individuals who rely on these services. Stakeholders in the region should be vigilant and take steps to secure their networks.