HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High ThreatIntel

Ghost CMS Mass Compromise via CVE‑2026‑26980 Fuels ClickFix Supply‑Chain Attacks on crates.io, npm & PyPI

A critical flaw in Ghost CMS (CVE‑2026‑26980) was exploited to plant the TrapDoor crypto‑stealer across 34 npm, PyPI and crates.io packages, exposing downstream developers to credential theft and ransomware. TPRM teams must patch Ghost, audit dependencies, and coordinate with registry operators.

LiveThreat™ Intelligence · 📅 June 01, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
securityaffairs.com

Ghost CMS Mass Compromise via CVE‑2026‑26980 Fuels ClickFix Supply‑Chain Attacks on crates.io, npm & PyPI

What It Is — A newly disclosed CVE‑2026‑26980 in Ghost CMS allowed attackers to gain administrative access to thousands of Ghost installations, which were then leveraged to inject malicious payloads into popular open‑source package registries. The compromised packages now distribute the TrapDoor crypto‑stealer RAT across the Rust (crates.io), JavaScript (npm) and Python (PyPI) ecosystems.

Exploitability — Public exploit code for CVE‑2026‑26980 is available on GitHub; the supply‑chain payloads have been observed in the wild since early May 2026. CVSS v3.1 (estimated) = 8.5 (High).

Affected Products — Ghost CMS (all versions prior to the emergency patch released 2026‑06‑01); 34 third‑party packages across npm, PyPI and crates.io (including several widely‑used Rust crates).

TPRM Impact — Organizations that rely on these open‑source components inherit the risk of credential theft, ransomware deployment, and data exfiltration without direct control over the upstream code. The attack demonstrates how a single CMS vulnerability can cascade into a multi‑language supply‑chain crisis.

Recommended Actions

  • Immediately verify that all Ghost CMS instances are patched to the latest release (2026‑06‑01).
  • Conduct an urgent SBOM audit to identify any of the 34 compromised packages in your codebase.
  • Block or replace affected packages; enforce strict version pinning and provenance verification.
  • Engage with registry maintainers (crates.io, npm, PyPI) to confirm removal of malicious releases.
  • Update internal dependency‑scanning tools to flag the known malicious package hashes.

Source: Security Affairs Malware Newsletter Round 99

📰 Original Source
https://securityaffairs.com/192928/security/security-affairs-malware-newsletter-round-99.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →