Ghost CMS & Drupal Exploitation, Apex One Zero-Day, and Calypso Espionage
Active exploitation of Ghost CMS, Drupal, and Microsoft Defender joins a critical TanStack supply chain breach and Calypso telco espionage, demanding emergency patching and CI/CD secret rotation today.
CVSS Score: 9.9
IOC Count: 6
Source Count: 18
Confidence Score: 85
CVEs referenced: CVE-2026-26980, CVE-2026-9082, CVE-2026-34926, CVE-2025-34291, CVE-2026-41091, CVE-2026-45498, CVE-2026-45584, CVE-2026-41940
Threat actors: Calypso, Red Lamassu, TeamPCP, Under Attribution
Sectors: Telecommunications, Government, Technology, Web Hosting, DevOps/Software Development, Gaming, Financial Services, Higher Education
Geography: Global
Chapter 01 - Executive Overview
Over the past 24 to 72 hours, exploitation of perimeter platforms (Ghost CMS, Drupal) and internal endpoints (Microsoft Defender, Trend Micro Apex One) has escalated into broadly confirmed, in-the-wild activity. These vulnerability exploitation waves are compounded by a confirmed software supply chain attack affecting DevOps pipelines and a state-sponsored cyber-espionage campaign against global telecommunications infrastructure.
Ghost CMS SQLi — Critical — Higher Education & Content
Threat overview: CVE-2026-26980 is a critical unauthenticated SQL injection in Ghost CMS’s Content API allowing attackers to read database contents, including API keys.
Strategic risk context: Exploitation via public Content APIs facilitates multi-tenant visitor compromise and downstream data theft. Injected JavaScript is triggering ClickFix-style social engineering flows.
Severity and business impact: Affected organizations (including universities) face content integrity loss, user data theft, and brand damage if their domains serve malware.
Confidence in available intelligence: High; corroborated by multiple technical vendor analyses and confirmed broad exploitation.
Urgent Decision: Escalate immediately and verify Ghost exposure, version, and patch status across all web properties.
Drupal Core SQLi — Critical — Gaming & Financial Services
Threat overview: CVE-2026-9082 is an actively exploited SQL injection flaw in Drupal core’s PostgreSQL EntityQuery handler. Over 15,000 attempts have been logged globally.
Strategic risk context: Now listed in CISA's KEV catalog, this vulnerability allows unauthenticated access to PostgreSQL-backed Drupal configurations, exposing credentials and enabling RCE pathways.
Severity and business impact: Exploitation directly threatens database confidentiality for customer-facing web apps.
Confidence in available intelligence: High; backed by Drupal advisories, vendor telemetry, and CISA confirmation.
Urgent Decision: Enforce emergency patching for all PostgreSQL-backed Drupal instances utilizing JSON:API or Views.
Apex One Zero-Day — High — Enterprise
Threat overview: CVE-2026-34926 is an actively exploited directory traversal flaw in Trend Micro Apex One (on-premise) that lets an attacker holding compromised admin credentials push injected code to every managed agent.
Strategic risk context: This is a second-stage lateral movement tool: attackers use existing footholds to poison EDR infrastructure directly.
Severity and business impact: Enterprise-wide compromise is achievable if the management server is breached, triggering mandatory KEV remediation.
Confidence in available intelligence: High; confirmed by vendor bulletin and CISA KEV.
Urgent Decision: Apply the Trend Micro security bulletin patch immediately across on-premise deployments.
Defender LPE/DoS — High — Enterprise Endpoints
Threat overview: Two Defender flaws, CVE-2026-41091 (LPE to SYSTEM) and CVE-2026-45498 (DoS), are being exploited to disable endpoint protection post-compromise.
Strategic risk context: These flaws widen the blast radius: attackers disable standard telemetry so that ransomware deployment or data exfiltration proceeds quietly.
Severity and business impact: Unpatched systems suffer degraded EDR coverage and silent privilege escalation.
Confidence in available intelligence: High; Microsoft and independent analyses align on in-the-wild exploitation.
Urgent Decision: Verify Defender platform versions globally and push updates to non-compliant hosts.
TanStack Supply Chain — High — DevOps & Technology
Threat overview: The "Mini Shai-Hulud" campaign poisoned TanStack/Nx Console npm packages, resulting in confirmed breaches at GitHub (3,800 internal repos) and Grafana.
Strategic risk context: Threat actors leveraged unrotated GitHub Actions tokens to escalate from compromised packages to source code repositories.
Severity and business impact: Source code exposure and compromised CI/CD pipelines introduce high operational and intellectual property risks.
Confidence in available intelligence: Medium; exploitation paths are verified, though threat actor attribution remains single-sourced.
Urgent Decision: Audit all CI/CD secrets and rotate tokens tied to npm dependency workflows immediately.
Calypso Espionage — High — Telecommunications
Threat overview: China-aligned actors (Calypso/Red Lamassu) are deploying modular Linux ("Showboat") and Windows ("JMFBackdoor") implants against APAC and Middle East telcos.
Strategic risk context: Persistent espionage leveraging DLL-sideloading and kworker masquerading highlights a deeply embedded threat actor ecosystem.
Severity and business impact: Critical infrastructure faces prolonged intelligence gathering and potential operational disruption.
Confidence in available intelligence: Medium; based on dual Tier-1 intelligence reports, but initial access vectors remain unknown.
Urgent Decision: Initiate threat hunts across telecommunications networks for known dead-drop C2 patterns and sideloading artifacts.
Today's Intelligence Quality
Intelligence is robust regarding vulnerability mechanics and patching timelines, bolstered by CISA KEV confirmations. However, raw infrastructure IOCs and initial access details for the espionage and supply chain campaigns remain partially abstracted or pending enrichment.
Chapter 02 - Threat & Exposure Analysis
The threat landscape is defined by aggressive, unauthenticated perimeter breaches combined with sophisticated lateral movement leveraging compromised security tooling (Defender, Apex One) and developer pipelines.
CVE-2026-26980: Ghost CMS Content API Exploitation
Attack progression: Attackers target the Ghost Content API with crafted slug:[...] payloads in GET requests, manipulating the ORDER BY clause to read database contents via blind SQL injection. Exfiltrated API keys are then used to inject malicious JS.
Exploitability: CVSS 9.4. Unauthenticated network access. Affects versions 3.24.0–6.19.0.
Campaign indicators: Injected scripts execute ClickFix social engineering attacks against site visitors.
Threat actor identity and aliases: Under Attribution.
Infrastructure fingerprinting: Highly distributed; no shared C2 clusters publicly identified.
Sector exposure: Higher education (Harvard, Oxford explicitly named) and web content platforms.
Geographic exposure: Global domain targets.
MITRE ATT&CK tactics: [NOT CONFIRMED IN SOURCES]
CVE-2026-9082: Drupal PostgreSQL SQL Injection
Attack progression: Crafted requests via JSON:API or Views endpoints pass unsanitized array keys into PostgreSQL placeholder names inside the EntityQuery abstraction, leaking data or enabling RCE.
Exploitability: CVSS 6.5 (Drupal risk 23/25). Unauthenticated. Actively exploited.
Campaign indicators: Over 15,000 attempts recorded across 6,000 domains.
Threat actor identity and aliases: Under Attribution (Mass opportunistic scanning).
Infrastructure fingerprinting: Sourced from highly variable global IPs.
Sector exposure: Gaming and Financial Services (representing ~50% of targeted activity).
Geographic exposure: 65 countries.
MITRE ATT&CK tactics: Initial Access, Persistence.
CVE-2026-34926: Trend Micro Apex One Exploitation
Attack progression: An attacker who has already authenticated with admin credentials leverages directory traversal on the Apex One server to modify tables, injecting malicious code that automatically propagates to all managed EDR agents.
Exploitability: High. CISA KEV listed. Requires pre-existing admin access.
Campaign indicators: Post-compromise lateral movement via security infrastructure.
Threat actor identity and aliases: Under Attribution.
Sector exposure: Enterprise environments utilizing on-premise Apex One.
Geographic exposure: Global.
MITRE ATT&CK tactics: [NOT CONFIRMED IN SOURCES]
CVE-2026-41091 / CVE-2026-45498: Defender LPE and DoS
Attack progression: Attackers exploit improper link resolution in the Malware Protection Engine to elevate to SYSTEM (41091), or trigger logic flaws to crash the AV service (45498), protecting follow-on malware.
Exploitability: Local access required. Both actively exploited.
Threat actor identity and aliases: Under Attribution.
Sector exposure: Broad enterprise Windows deployments.
Geographic exposure: Global.
TeamPCP: TanStack npm Cascade to GitHub and Grafana
Attack progression: Attackers published malicious npm packages (TanStack, Nx Console). CI/CD pipelines pulled these dependencies, extracting environment variables. Attackers used stolen GitHub Actions tokens to breach 3,800 GitHub internal repos and Grafana source code.
Exploitability: High. Exploits implicit trust in dependency resolution.
Campaign indicators: Harvesting of .env files and workflow secrets.
Threat actor identity and aliases: TeamPCP.
Sector exposure: DevOps, Technology, Software Development.
Geographic exposure: Global.
Calypso / Red Lamassu: Asian Telecom Espionage Tooling
Attack progression: Attackers deploy "Showboat" on Linux (masquerading as a kworker process for SOCKS5 proxying/C2) and "JMFBackdoor" on Windows (loaded via fltMC.exe DLL-sideloading).
Campaign indicators: Dead-drop resolution via Pastebin; encrypted exfiltration.
Threat actor identity and aliases: Calypso, Red Lamassu.
Sector exposure: Telecommunications.
Geographic exposure: Asia-Pacific, Middle East.
MITRE ATT&CK tactics: Execution, Defense Evasion, Command and Control, Collection.
Cross-Incident Pattern Analysis
Threat actors are aggressively targeting the software supply chain and native security tooling simultaneously. Apex One and Defender exploits demonstrate a clear tactical shift toward weaponizing the defender's own control plane, while the TanStack campaign illustrates how easily developer environments can be pivoted into global infrastructure breaches.
Chapter 03 - Operational Response
Immediate perimeter patching must be paired with deep audits of internal endpoints and CI/CD pipelines to disrupt lateral movement.
Ghost CMS SQLi: Immediate Response & Containment
Containment Priorities:
Enumerate all Ghost CMS instances and identify versions 3.24.0–6.19.0.
Upgrade all vulnerable installations to version 6.19.1 immediately.
Rotate all admin passwords, session secrets, Admin API keys, and Content API keys post-patch.
Security Hardening Actions:
Tune WAF rules to detect Ghost Content API requests containing slug:[ or slug%3A%5B combined with SQL keywords (CASE, WHEN).
Implement rate limiting on /ghost/api/content/.
Internal Security Coordination:
Notify content and marketing teams that sites may be distributing ClickFix malware.
Escalate immediately if unauthorized JS is found in Ghost templates.
Drupal Core SQLi: Immediate Response & Containment
Containment Priorities:
Identify all PostgreSQL-backed Drupal deployments running JSON:API or Views.
Upgrade to patched branches (e.g., 10.6.9, 11.3.10) immediately.
Security Hardening Actions:
Restrict direct internet exposure of JSON:API endpoints to necessary networks.
Rotate privileged PostgreSQL roles used by Drupal where compromise is suspected.
Internal Security Coordination:
Engage application owners for gaming/finance properties first.
Coordinate with DBAs to review PostgreSQL logs for malformed array queries.
Apex One Zero-Day: Immediate Response & Containment
Containment Priorities:
Apply the Trend Micro security bulletin patch (May 2026 SEP) to all on-premise Apex One servers.
Audit all accounts with administrative access to the Apex One console.
Security Hardening Actions:
Validate lateral movement alerts around the Apex One management server.
Internal Security Coordination:
Treat any unpatched Apex One server with compromised admin credentials as a P0 internal breach.
Defender LPE/DoS: Immediate Response & Containment
Containment Priorities:
Confirm all Windows endpoints run Defender versions 1.1.26040.8 and 4.18.26040.7 or higher.
Ensure Windows Update/WSUS is successfully distributing platform updates.
Security Hardening Actions:
Enable tamper protection to prevent unprivileged service manipulation.
Internal Security Coordination:
Alert SOC teams to investigate any endpoint where Defender crashes or goes offline.
TanStack Supply Chain: Immediate Response & Containment
Containment Priorities:
Audit all npm packages pinned to TanStack, Mistral AI, or Nx Console for malicious versions.
Rotate all GitHub Actions secrets, workflow tokens, and CI/CD credentials.
Security Hardening Actions:
Verify Composer package integrity for Laravel Lang packages (impacted by parallel campaign).
Internal Security Coordination:
Escalate any CI/CD token misuse to the incident response team.
Calypso Espionage: Immediate Response & Containment
Containment Priorities:
[RESPONSE STEPS REQUIRE VENDOR ADVISORY CONFIRMATION BEFORE EXECUTION] (Network isolation upon positive detection).
Security Hardening Actions:
Audit fltMC.exe execution paths for DLL-sideloading.
Hunt for kworker processes with anomalous outbound SOCKS5 connections.
Internal Security Coordination:
Telco defenders must share telemetry with regional ISACs.
Defender Priority Order (Today)
Ghost CMS CVE-2026-26980: Critical, unauthenticated SQLi with active exploitation and data exfiltration against high-profile sites.
Drupal CVE-2026-9082: Actively exploited SQLi against PostgreSQL instances, heavily targeting gaming/finance.
TanStack Supply Chain: Active propagation through CI/CD pipelines requires immediate secret rotation.
Apex One & Defender Exploits: High-priority internal updates to prevent lateral movement and AV evasion.
Ghost CMS SQLi — Timeline
2026-02-17 — Positive Technologies (dbugs) publishes a detailed analysis of CVE-2026-26980.
2026-04-22 — SonicWall documents CVE-2026-26980 as a critical CVSS 9.4 flaw.
2026-05-07 — XLab Qianxin detects a Ghost CMS poisoning incident in the wild.
2026-05-23 — BleepingComputer reports a large-scale campaign injecting ClickFix JS payloads.
Drupal Core SQLi — Timeline
2026-05-19 — CVE-2026-9082 disclosed (Status: Theoretical).
2026-05-21 — Exploitation attempts confirmed; CISA adds CVE-2026-9082 to KEV.
2026-05-22 — BleepingComputer confirms 15,000 attempts across 65 countries.
Apex One Zero-Day — Timeline
2026-05-20 — Trend Micro CVE-2026-34926 confirmed exploited.
2026-05-21 — CISA adds Apex One flaw to KEV (Deadline June 4).
Defender LPE/DoS — Timeline
2026-05-20 — Microsoft discloses active exploitation of CVE-2026-41091 and CVE-2026-45498.
2026-05-20 — CISA adds both flaws to KEV (Deadline June 3).
TanStack Supply Chain — Timeline
2026-05-19 — Attack detected; Grafana breach identified.
2026-05-21 — GitHub confirms 3,800 repository breach via Nx Console vector.
2026-05-23 — Laravel Lang Composer supply chain attack disclosed.
Calypso Espionage — Timeline
2026-05-21 — Lumen and PwC publish joint Calypso/Red Lamassu malware report documenting active exploitation since mid-2022.
Chapter 04 - Detection Intelligence
CVE-2026-26980: Ghost Content API SQLi
Attack vector: Network.
Exploitation mechanism: Unsanitized slug values concatenate into SQL CASE statements inside the ORDER BY clause.
Observed behavior: Blind SQL injection leads to Admin API key extraction and JavaScript injection.
Vulnerability details: Affects Ghost 3.24.0–6.19.0.
CVE technical context: CVSS 9.4 (GHSA-w52v-v783-gw97).
Patch status: Patched in 6.19.1.
CVE-2026-9082: Drupal Core PostgreSQL SQLi
Attack vector: Network.
Exploitation mechanism: PHP array keys bypass JSON:API/Views sanitization, reaching the PostgreSQL driver (EntityQuery/Condition.php) to become attacker-controlled SQL placeholders.
Observed behavior: Unauthenticated RCE, information disclosure, and data modification.
Vulnerability details: Affects Drupal 8.x through 11.3.x on PostgreSQL backends.
CVE technical context: CVSS 6.5.
Patch status: Patched in 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, 11.3.10.
CVE-2026-34926: Apex One Directory Traversal
Attack vector: Network (Post-Authentication).
Exploitation mechanism: An already-authenticated admin utilizes directory traversal to modify server tables.
Observed behavior: Code injected into the server propagates to all endpoint agents.
Vulnerability details: On-premise Apex One deployments.
Patch status: Patched in May 2026 SEP bulletin.
Defender CVE-2026-41091 & CVE-2026-45498
Attack vector: Local.
Exploitation mechanism: Improper link resolution (41091) elevating privileges; logic flaws (45498) triggering AV denial-of-service.
Patch status: Addressed in platform versions 1.1.26040.8 and 4.18.26040.7.
Calypso: Showboat & JMFBackdoor Mechanics
Attack vector: Unknown Initial Access.
Exploitation mechanism: "Showboat" (Linux) masquerades as a kernel worker for SOCKS5 proxying and dead-drop C2 via Pastebin. "JMFBackdoor" (Windows) is loaded via a batch script side-loading FLTLIB.dll into fltMC.exe.
Observed behavior: Espionage, registry manipulation, screen capture.
Consolidated Threats — Indicators & Infrastructure
Indicators of Compromise:
Type | Value | Context | Verdict
CVE ID | CVE-2026-9082 | Drupal Core SQLi | Pending
CVE ID | CVE-2026-34926 | Trend Micro Apex One | Pending
CVE ID | CVE-2025-34291 | Langflow | Pending
Malware Family | Showboat | Linux kworker implant | Pending
Malware Family | JMFBackdoor | Windows DLL sideloading | Pending
Process Masquerade | kworker | Anomalous context | Pending
Infrastructure Patterns:
Ghost CMS attacks rely on HTTP GET requests to /ghost/api/content/ with slug:[ parameters.
Drupal scanning originates from diverse global IPs with no identified C2 clusters.
Calypso utilizes Pastebin and online forums for dead-drop C2 resolution.
SQL Injection Vectors: Detection Opportunity — Ghost & Drupal
Detection Engineering Opportunities:
Alert on HTTP requests to Ghost APIs containing slug:[ combined with SQL commands (CASE, WHEN).
Monitor PostgreSQL logs for malformed parameter errors originating from Drupal JSON:API endpoints.
Detection Context Quality:
Data source requirements: Web server access logs, reverse proxy logs, PostgreSQL logs.
Known detection gaps: Encrypted traffic bypassing off-box WAFs limits query string visibility.
Threat Hunting Hypotheses:
Hypothesis: Ghost logs indicate repetitive probing on /ghost/api/content/ followed by administrative content modifications.
Evidence target: Access logs correlated with application logs.
SIEM / EDR / Network Monitoring Signals:
SIEM: Repeated HTTP 500 errors from Drupal instances handling large request volumes.
Immediate detection action: Implement WAF rules blocking slug:[ on Ghost deployments today.
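As an added illustration (not part of the original report) of the Ghost detection opportunities above and the WAF tuning step in Chapter 03: a scan over constructed access-log lines that flags Content API requests whose percent-decoded query carries slug:[ together with a CASE/WHEN keyword, and counts per-source Content API volume as a rate-limit candidate. The Combined Log Format, the sample IPs and the threshold are assumptions; the indicators themselves are the ones the report names.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined Log Format: ip - - [timestamp] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
GHOST_CONTENT_API = "/ghost/api/content/"
SLUG_MARKER = "slug:["                      # reported indicator, also seen as slug%3A%5B
SQL_KEYWORDS = re.compile(r"\b(CASE|WHEN)\b", re.IGNORECASE)


def decode_target(target: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so slug%3A%5B and double-encoded
    variants normalise to the literal slug:[ before matching."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify_request(target: str):
    """None for non-Ghost-API targets, 'content_api' for ordinary Content API
    traffic, 'sqli_pattern' when slug:[ and a SQL keyword appear together."""
    decoded = decode_target(target)
    if not decoded.startswith(GHOST_CONTENT_API):
        return None
    if SLUG_MARKER in decoded and SQL_KEYWORDS.search(decoded):
        return "sqli_pattern"
    return "content_api"


def scan_access_log(lines, probe_threshold: int = 20):
    """Return alert dicts: one per SQLi-pattern request, plus one per source IP
    whose Content API request count reaches probe_threshold (rate-limit candidate)."""
    alerts, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # unparsable line: skip, do not crash
        verdict = classify_request(m["target"])
        if verdict is None:
            continue
        per_ip[m["ip"]] += 1
        if verdict == "sqli_pattern":
            alerts.append({"ip": m["ip"], "ts": m["ts"],
                           "reason": "slug:[ with SQL keyword", "target": m["target"]})
    for ip, n in per_ip.items():
        if n >= probe_threshold:
            alerts.append({"ip": ip, "reason": f"{n} Content API requests (rate-limit candidate)"})
    return alerts


# Constructed sample lines (not real traffic); the fourth is double-encoded.
SAMPLE_LINES = [
    '198.51.100.4 - - [23/May/2026:10:14:58 +0000] "GET /ghost/api/content/posts/?key=K&limit=5 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/May/2026:10:15:01 +0000] "GET /ghost/api/content/posts/?key=K&filter=slug%3A%5Bhello%5D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/May/2026:10:15:02 +0000] "GET /ghost/api/content/posts/?key=K&filter=slug%3A%5Bx%5D%20CASE%20WHEN HTTP/1.1" 500 88 "-" "python-requests/2.31"',
    '203.0.113.7 - - [23/May/2026:10:15:03 +0000] "GET /ghost/api/content/posts/?key=K&filter=slug%253A%255B%2520CASE%2520WHEN HTTP/1.1" 500 88 "-" "python-requests/2.31"',
    '198.51.100.4 - - [23/May/2026:10:15:05 +0000] "GET /about/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LINES, probe_threshold=3):
        print(alert)
```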
Defender & Apex One: Detection Opportunity — EDR Manipulation
Detection Engineering Opportunities:
Detect endpoints where Defender services crash repeatedly.
Monitor Trend Micro Apex One logs for directory traversal paths (..) coupled with policy pushes from non-system accounts.
SIEM / EDR / Network Monitoring Signals:
SIEM: Correlate Defender service failures with subsequent SYSTEM privilege escalations.
Immediate detection action: Create alerts for AV service stops occurring outside maintenance windows.
Calypso Tooling: Detection Opportunity — Espionage Implants
SIEM / EDR / Network Monitoring Signals:
EDR: Monitor for fltMC.exe execution outside of C:\Windows\System32, loading FLTLIB.dll.
Network: Flag Linux kworker processes opening outbound network sockets.
Hunt this week: Deploy queries searching for DLL-sideloading artifacts mapped in Calypso campaigns.
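An added hunting example (not from the report or its sources) for the kworker signals here and the "hunt for kworker processes" step in Chapter 03: a genuine kworker is a kernel thread, so it is parented by kthreadd (PID 2), has an empty cmdline, no resolvable /proc/<pid>/exe and no socket file descriptors; a user-space impostor with that name fails one or more of these checks. The classification runs over constructed records; collect_live builds the same records from a live Linux /proc and is assumed to run as root for full fd visibility.

```python
import os
from dataclasses import dataclass

KTHREADD_PID = 2  # every genuine kworker thread is a child of kthreadd


@dataclass
class ProcRecord:
    """Snapshot of one process; fields mirror what /proc exposes."""
    pid: int
    comm: str                    # /proc/<pid>/comm
    ppid: int                    # field 4 of /proc/<pid>/stat
    cmdline: str                 # /proc/<pid>/cmdline; empty for kernel threads
    exe: str                     # readlink(/proc/<pid>/exe); "" when unresolvable
    socket_inodes: frozenset = frozenset()  # socket:[N] inodes under /proc/<pid>/fd


def masquerade_reasons(rec: ProcRecord) -> list:
    """Why a kworker-named process looks like a user-space impostor; [] if genuine or not a kworker."""
    if not rec.comm.startswith("kworker"):
        return []
    reasons = []
    if rec.ppid != KTHREADD_PID:
        reasons.append(f"parent pid {rec.ppid} is not kthreadd ({KTHREADD_PID})")
    if rec.cmdline:
        reasons.append("has a user-space cmdline")
    if rec.exe:
        reasons.append(f"backed by on-disk image {rec.exe}")
    if rec.socket_inodes:
        reasons.append(f"holds {len(rec.socket_inodes)} network socket(s)")
    return reasons


def hunt(records) -> dict:
    """Map pid -> reasons for every suspicious kworker in the snapshot."""
    findings = {}
    for rec in records:
        reasons = masquerade_reasons(rec)
        if reasons:
            findings[rec.pid] = reasons
    return findings


def collect_live(proc: str = "/proc"):
    """Build ProcRecords from a live Linux /proc tree (Linux only; root sees all fd tables)."""
    records = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        base = f"{proc}/{name}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/stat") as f:
                stat = f.read()
            ppid = int(stat.rsplit(")", 1)[1].split()[1])   # comm may contain spaces/parens
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue                                         # process exited mid-scan
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:
            exe = ""                                         # kernel threads land here
        inodes = set()
        try:
            for fd in os.listdir(f"{base}/fd"):
                try:
                    target = os.readlink(f"{base}/fd/{fd}")
                except OSError:
                    continue
                if target.startswith("socket:["):
                    inodes.add(int(target[8:-1]))
        except OSError:
            pass                                             # no permission or no fd table
        records.append(ProcRecord(int(name), comm, ppid, cmdline, exe, frozenset(inodes)))
    return records


# Constructed sample records (not from a real host).
SAMPLE = [
    ProcRecord(1234, "kworker/u8:2", 2, "", ""),
    ProcRecord(4321, "kworker/u8:3", 1, "./kworker", "/dev/shm/.cache/kworker", frozenset({48211})),
    ProcRecord(777, "sshd", 1, "/usr/sbin/sshd -D", "/usr/sbin/sshd", frozenset({9})),
]

if __name__ == "__main__":
    for pid, why in hunt(SAMPLE).items():
        print(pid, why)
```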
T1190 — Exploit Public-Facing Application — Initial Access
Incident: Drupal Core SQLi
How it applies: Unauthenticated SQLi via JSON:API endpoints allows direct database exploitation.
Detection opportunity: WAF logging of abnormal array key structures.
T1574.002 — DLL Side-Loading — Defense Evasion / Persistence
Incident: Calypso JMFBackdoor
How it applies: The threat actor uses fltMC.exe to sideload malicious FLTLIB.dll libraries.
Detection opportunity: EDR flagging abnormal parent-child process relationships.
T1195.002 — Compromise Software Supply Chain — Initial Access
Incident: TanStack Supply Chain
How it applies: Poisoned npm dependencies automatically execute malicious code in CI/CD pipelines.
Detection opportunity: Software Bill of Materials (SBOM) validation and integrity checks.
(Note: Ghost CMS and Microsoft Defender KEV flaws lack explicit MITRE ATT&CK mapping in available source reporting.)
Chapter 05 - Governance, Risk & Compliance
Ghost CMS & Drupal: Regulatory & Business Risk Exposure
Regulatory Exposure:
Organizations regulated under NIS2, GDPR, or HIPAA must evaluate breach notification triggers if Ghost session secrets or Drupal PostgreSQL databases have been compromised. KEV inclusion demands federal patching by May 27 (Drupal).
Business Risk Impact:
Operational risk: Public-facing sites may serve ClickFix malware, resulting in domain blacklisting and visitor compromise.
Reputational risk: Exploited domains carry heavy brand damage, especially in higher education and finance sectors.
Financial risk: Elevated incident response costs for forensic database reconstruction.
Threat Actor Attribution:
No confirmed attribution available at this time.
TanStack Supply Chain: Regulatory & Business Risk Exposure
Regulatory Exposure:
CISA SBOM guidelines require federal contractors to maintain software integrity. SSDF (NIST SP 800-218) practices apply heavily here.
Business Risk Impact:
Operational risk: Hardcoded secrets and infrastructure tokens extracted from CI/CD environments grant deep enterprise access.
Defender & Apex One KEVs: Regulatory & Business Risk Exposure
Regulatory Exposure:
Federal agencies must patch Defender flaws by June 3, 2026, and Apex One by June 4, 2026.
Business Risk Impact:
Operational risk: Threat actors are systematically blinding security tooling to facilitate ransomware payloads without triggering telemetry.
Board-Level Risk Summary (Today)
The simultaneous active exploitation of edge web systems (Ghost, Drupal), software supply chains (npm), and endpoint security platforms (Defender, Apex One) presents a compounded risk environment. Rapid deployment of out-of-band patches and emergency token rotations are necessary this week to prevent widespread operational compromise and data exfiltration.
Chapter 06 - Adversary Emulation
Consolidated Threats: Validation & Purple Team Scenarios
Detection Validation Scenarios:
Scenario A (T1190): Stand up a vulnerable Drupal instance (PostgreSQL) and send HTTP GET requests to /jsonapi/node/article with array-key injection payloads. Validate WAF block functionality.
Scenario B (T1574.002): Simulate a batch script dropping fltMC.exe alongside a benign FLTLIB.dll in a user-writable path. Verify SIEM surfaces image load events outside System32.
Scenario C (T1036.005 / T1090.001): Deploy a process named kworker on a Linux test host and initiate an outbound SOCKS5 connection. Validate EDR and network flow correlation.
ATT&CK-Aligned Security Testing:
Focus entirely on defensive logging verification. Ensure endpoint telemetry correctly maps parent-child process anomalies without risking production stability.
The confidence score reflects broad, multi-source corroboration across multiple Tier-1 vendors and CISA KEV validation for the actively exploited flaws, offset by missing granular IOC data and unclear attribution for the Ghost, Drupal, and Microsoft campaigns.
