Unpatched Ghost CMS Flaw CVE-2026-26980 Hijacks 700 Sites in ClickFix Campaign

Attackers are exploiting CVE-2026-26980, a CVSS 9.4 SQL-injection flaw in Ghost CMS, to hijack more than 700 websites — Harvard, Oxford, and DuckDuckGo among them — and serve visitors a fake-CAPTCHA ClickFix lure. The flaw was patched three months ago.

What Is Malware? Types, How It Spreads, and How to Remove It

A complete guide to malware — the major types, how it spreads and infects devices, the warning signs of an infection, and how to remove and prevent it.

Anthropic Says Project Glasswing's Mythos Surfaced More Than 10,000 Vulnerabilities in a Month

Anthropic says Project Glasswing's Claude Mythos Preview has surfaced more than 10,000 high- or critical-severity vulnerabilities in roughly a month. The numbers move the defender bottleneck: finding flaws is no longer the hard part — verifying, disclosing, and patching them is.

Packagist Supply-Chain Attack Hid Its Malware in package.json, Not composer.json

A coordinated attack on Packagist, the PHP package registry, poisoned eight Composer packages by hiding malicious code in package.json — the JavaScript manifest — instead of composer.json, exploiting the blind spot where PHP and JavaScript toolchains coexist but are reviewed separately.

npm Makes Staged Publishing Generally Available — a 2FA-Gated Step Now Guards the Registry

GitHub has made npm staged publishing generally available. A direct publish no longer ships a package; the tarball waits in a stage queue until a maintainer passes a 2FA challenge to approve it. It is the first ecosystem-level structural answer to the 2026 supply-chain wave.

Incident Response: The Complete Guide

A complete guide to incident response — the six-phase lifecycle, the response team, plans and playbooks, frameworks, and the practices that limit breach damage.

Europol's Project A.S.S.E.T. Runs Its Largest-Ever Asset-Tracing Week With 31 Countries

Between May 19 and 22, Europol hosted the third and most successful operational week of Project A.S.S.E.T., bringing 31 countries and more than 40 agencies into one room to trace criminal money. The result: hundreds of bank accounts and crypto wallets identified.

FBI Warns of Kali365: Telegram-Sold Phishing Kit Steals Microsoft 365 Tokens Past MFA

The FBI's IC3 has warned organizations about Kali365, a Telegram-sold phishing-as-a-service kit that runs device-code phishing against Microsoft 365 — stealing the OAuth tokens issued after the victim genuinely passes MFA on Microsoft's real sign-in page.

Laravel-Lang Supply-Chain Attack: 700+ Malicious Git Tags, Official Repo Untouched

Researchers found more than 700 malicious version tags published across the Laravel-Lang PHP project on May 22-23, 2026 — yet the official repositories were never modified. The attacker pointed Git tags at a fork they controlled to drop a credential stealer.

Underminr Flaw Revives Domain Fronting, Affecting 88 Million Domains, ADAMnetworks Says

Researchers at ADAMnetworks disclosed Underminr, a domain-fronting-style flaw they say affects roughly 88 million domains. Its defining property is invisibility: because the TLS SNI and HTTP Host header match, the CDN-side checks built to kill domain fronting never trigger.

LiteSpeed cPanel Plugin Flaw CVE-2026-48172 Lets Any Account Run Code as Root, Exploited Now

CVE-2026-48172, a CVSS 10.0 flaw in the LiteSpeed User-End cPanel plugin, lets anyone with a valid cPanel account run code as root. LiteSpeed confirms it is being actively exploited. On shared hosting, one cheap account is now a path to every account on the server.

Vulnerability Management: The Complete Guide

A complete guide to vulnerability management: what vulnerabilities are, how they are scored and disclosed, the management lifecycle, and how to build a program.