A recently disclosed vulnerability, CVE-2026-26980, is being exploited to compromise Ghost CMS installations, which are now being used to launch ClickFix attacks. This vulnerability has significant implications, particularly given its potential connection to Iranian threat actors. Meanwhile, a crypto stealer known as TrapDoor has been discovered in a supply chain attack affecting 34 packages across npm, PyPI, and Crates.io, with hundreds of versions impacted. The Lazarus RAT, a remote access trojan, has also been found to reside in memory, evading detection. These developments highlight the evolving threat landscape, with Iranian APT groups, such as Serpens, continuing to wage espionage campaigns in 2026 [1]. The exploitation status of CVE-2026-26980 will determine whether this vulnerability requires immediate patching or ongoing monitoring, making it a critical concern for security practitioners.
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 99
⚡ High Priority
Why This Matters
CVE-2026-26980 is in active discussion involving Iran — exploitation status determines whether this is patch-now or monitor.
References
- SecurityAffairs. (2026, May 31). SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 99. SecurityAffairs. https://securityaffairs.com/192928/security/security-affairs-malware-newsletter-round-99.html
Original Source
SecurityAffairs