https://hackingpassion.com/tags/clickfix/Recent content in Clickfix on HackingPassion.com : root@HackingPassion.com-[~]HugoenTue, 26 May 2026 12:51:20 +0200https://hackingpassion.com/ghost-cms-cve-2026-26980/Tue, 26 May 2026 12:51:20 +0200https://hackingpassion.com/ghost-cms-cve-2026-26980/<p>A <strong>SQL injection vulnerability</strong> in <strong>Ghost CMS</strong> has turned Harvard University, Oxford University, and DuckDuckGo into malware distribution platforms. Visitors arrive at a page they trust completely, a fake Cloudflare verification prompt appears, and their machine gets infected if they follow the instructions. More than <strong>700 sites</strong>. Software that had never had an unauthenticated critical vulnerability in its entire history.</p> <p><strong>Ghost CMS</strong> is publishing software built on Node.js, used for newsletters, membership sites, and independent blogs. It is open source and free to self-host, with a paid hosted version called Ghost Pro. More than <strong>100,000 active installations</strong> and more than <strong>50,000 GitHub stars</strong>.</p>https://hackingpassion.com/reaper-shub-macos-stealer/Tue, 19 May 2026 10:52:16 +0200https://hackingpassion.com/reaper-shub-macos-stealer/<p>Reaper swipes macOS passwords and crypto wallets, backdoors the machine, and pretends to be Apple, Microsoft, and Google in the same attack. Apple shipped an update in March to stop exactly this. Reaper already bypasses it.</p> <p>Reaper belongs to a malware family called <strong>SHub Stealer</strong>, active since April 2025. SHub grew out of an earlier macOS stealer called <strong>MacSync</strong>, which itself was built on a foundation called <strong>Mac.c</strong>, first spotted in April 2025. Within months it turned into a commercial crime service, meaning the people who built the infrastructure rent access to different operators who run their own campaigns with their own targets and lures. Researchers at <strong>Malwarebytes</strong>, <strong>Jamf</strong>, <strong>Moonlock</strong>, and <strong>Microsoft&rsquo;s Defender Security Research team</strong> had already documented earlier variants, but this version of Reaper does things none of the earlier builds could: a bypass of Apple&rsquo;s latest security update, a persistent backdoor that survives reboots, and a method for permanently hijacking installed crypto wallet applications without triggering a single security warning.</p>https://hackingpassion.com/macsync-clickfix-claude/Tue, 12 May 2026 11:37:35 +0200https://hackingpassion.com/macsync-clickfix-claude/<p><strong>MacSync</strong> is spreading through <strong>Google ads</strong> that lead directly to <strong>claude.ai</strong>. The installation guide there was written by Claude itself. One Terminal command and the malware is running, your credentials are gone, and your crypto wallet applications have been replaced.</p> <p>Security researcher <strong>Berk Albayrak</strong> spotted an active version of this campaign on <strong>May 9, 2026</strong> and posted his findings on X. Researcher <strong>g0njxa</strong> also published findings on X tracing the campaign infrastructure. <strong>BleepingComputer</strong> independently confirmed a second variant running on completely separate infrastructure.</p>