Ghost CMS Mass Compromise via CVE‑2026‑26980 Fuels ClickFix Supply‑Chain Attacks on crates.io, npm & PyPI
What It Is — A newly disclosed CVE‑2026‑26980 in Ghost CMS allowed attackers to gain administrative access to thousands of Ghost installations, which were then leveraged to inject malicious payloads into popular open‑source package registries. The compromised packages now distribute the TrapDoor crypto‑stealer RAT across the Rust (crates.io), JavaScript (npm) and Python (PyPI) ecosystems.
Exploitability — Public exploit code for CVE‑2026‑26980 is available on GitHub; the supply‑chain payloads have been observed in the wild since early May 2026. CVSS v3.1 (estimated) = 8.5 (High).
Affected Products — Ghost CMS (all versions prior to the emergency patch released 2026‑06‑01); 34 third‑party packages across npm, PyPI and crates.io (including several widely‑used Rust crates).
TPRM Impact — Organizations that rely on these open‑source components inherit the risk of credential theft, ransomware deployment, and data exfiltration without direct control over the upstream code. The attack demonstrates how a single CMS vulnerability can cascade into a multi‑language supply‑chain crisis.
Recommended Actions —
- Immediately verify that all Ghost CMS instances are patched to the latest release (2026‑06‑01).
- Conduct an urgent SBOM audit to identify any of the 34 compromised packages in your codebase.
- Block or replace affected packages; enforce strict version pinning and provenance verification.
- Engage with registry maintainers (crates.io, npm, PyPI) to confirm removal of malicious releases.
- Update internal dependency‑scanning tools to flag the known malicious package hashes.