May 25, 2026 by sig9
Hacker Wars - May 25, 2026
Your daily dose of infosec chaos
Sunday’s supposed to be quiet, but the supply chain attackers didn’t get the memo. Today we’ve got breaches, GitHub repo infections, and a Ghost CMS vuln being actively exploited. If your dependencies looked clean yesterday, you might want to double-check.
DocketWise Breach Exposes 143,000 Users’ Most Sensitive Data
Legal tech platform DocketWise got hit, and it’s bad. Attackers accessed names, addresses, Social Security numbers, financial info, and medical records through compromised third-party partner repositories. This is a textbook example of why your vendor risk management program matters - your data is only as secure as the weakest contractor holding it.
What to do: If you use DocketWise, monitor your credit and financial accounts immediately. For everyone else, review what sensitive data your third-party partners actually store on your behalf.
Megalodon Infects Over 5,500 GitHub Repositories
A supply chain campaign dubbed “Megalodon” has been quietly poisoning GitHub repos by injecting malicious Actions workflows through fake automated commits. The payloads steal credentials, CI secrets, API keys, and tokens straight from your build pipeline. Over 5,500 repos compromised - that’s not a typo.
What to do: Audit your GitHub Actions workflows for unexpected changes. Enable branch protection rules and require review for workflow file modifications. Rotate any CI/CD secrets that may have been exposed.
TrapDoor Hits npm, PyPI, and Crates.io Simultaneously
Three package ecosystems, one coordinated attack. The TrapDoor campaign planted over 34 malicious packages, spanning 384+ versions, across npm, PyPI, and Crates.io, all designed to exfiltrate credentials. Cross-ecosystem attacks are becoming the norm, not the exception.
What to do: Review recently installed dependencies in your projects. Use lockfiles and verify package integrity hashes. Consider tools like Socket or Snyk to catch malicious packages before they reach your build.
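The lockfile integrity check above, sketched for npm as an added example (not part of the original bulletin or any vendor's tooling): it compares each package's fetched tarball against the SRI hash pinned in package-lock.json and flags entries with no hash at all. The registry.example URLs, package names, tarball bytes and the fetch callable are constructed for illustration.

```python
import base64, hashlib, json

STRENGTH = ["sha256", "sha384", "sha512"]  # weakest to strongest; sha1 is not accepted

def sri(data, algo="sha512"):
    """Return an SRI string (algo-base64digest), the format of npm's 'integrity' field."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"

def matches(data, integrity):
    """SRI rule: only hashes of the strongest listed algorithm count; any one may match."""
    tokens = [t.split("?")[0] for t in integrity.split() if "-" in t]
    pairs = [t.split("-", 1) for t in tokens]
    algos = [a for a, _ in pairs if a in STRENGTH]
    if not algos:
        return False
    best = max(algos, key=STRENGTH.index)
    return any(sri(data, a) == f"{a}-{d}" for a, d in pairs if a == best)

def audit(lock_text, fetch):
    """Check every locked package; fetch(url) -> bytes is a caller-supplied downloader."""
    findings = []
    for path, meta in json.loads(lock_text)["packages"].items():
        if not path or "resolved" not in meta:  # root project or local link entry
            continue
        name = path.split("node_modules/")[-1]
        integrity = meta.get("integrity")
        if not integrity:
            findings.append((name, "missing integrity"))
        elif not matches(fetch(meta["resolved"]), integrity):
            findings.append((name, "hash mismatch"))
    return findings

# Constructed sample data: fake registry contents and a lockfileVersion 3 style lockfile.
GOOD, EXPECTED = b"constructed tarball A", b"constructed tarball B"
SERVED = b"constructed tarball B, altered"  # what the registry returns instead of EXPECTED
BASE = "https://registry.example/"
REGISTRY = {BASE + "left-util-1.0.0.tgz": GOOD, BASE + "right-util-2.1.0.tgz": SERVED}
LOCKFILE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/left-util": {"resolved": BASE + "left-util-1.0.0.tgz", "integrity": sri(GOOD)},
    "node_modules/right-util": {"resolved": BASE + "right-util-2.1.0.tgz", "integrity": sri(EXPECTED)},
    "node_modules/no-hash": {"resolved": BASE + "no-hash-0.0.1.tgz"},
}})

if __name__ == "__main__":
    for name, problem in audit(LOCKFILE, REGISTRY.__getitem__):
        print(f"{name}: {problem}")
```

A matching hash only proves the artifact is the one that was locked; it says nothing about whether the locked version was benign, which is why the dependency review step still matters.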
Ghost CMS SQL Injection Powers Large-Scale ClickFix Campaign
CVE-2026-26980, a critical SQL injection in Ghost CMS, is being actively exploited to inject malicious JavaScript that triggers ClickFix social engineering flows. If you run Ghost and haven’t patched, assume compromise. The attackers are automating this at scale.
What to do: Patch Ghost CMS immediately if you haven’t already. Check your Ghost instances for injected JavaScript. If you find suspicious scripts, treat it as a full incident and audit everything.
That’s the chaos for today. Stay sharp out there.
Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown