The Lyceum: Cyber Intelligence Daily — May 25, 2026

Three stories anchor today, and they all rhyme: developer trust is being weaponized. A coordinated supply-chain campaign called TrapDoor is poisoning npm, PyPI, and Crates.io to drain crypto wallets and SSH keys — and, in a first, planting hidden instructions inside AI coding-assistant config files. A Ghost CMS SQL injection flaw is being mass-exploited to rewrite articles on more than 700 sites, including Harvard and Oxford, into fake Cloudflare verification traps. And a CVSS 10.0 in LiteSpeed's cPanel plugin is handing any logged-in shared-hosting user a root shell, with opportunistic exploitation already in the wild.

• CVE-2026-48172 — LiteSpeed User-End cPanel Plugin before 2.4.5: patch available (v2.4.7 / WHM plugin 5.3.1.0), actively exploited in the wild since May 2026, no NVD score yet — privilege escalation to root from any authenticated cPanel user.
• CVE-2026-26980 — Ghost CMS v3.24.0–v6.19.0: patched in v6.19.1, actively exploited at scale, CVSS 9.4 per SonicWall — unauthenticated blind SQL injection in the Content API leaking Admin API keys.
• CVE-2026-32202 — Microsoft Windows: added to CISA KEV, actively exploited, no NVD score yet — Protection Mechanism Failure class bug, indicative of a security-boundary bypass.
• CVE-2026-31431 — Linux Kernel ("Copy Fail"): added to CISA KEV, mainline fix committed April 1 but vendor packages still rolling out, public PoC released, no NVD score yet — local privilege escalation affecting every mainstream distribution.
• CVE-2026-4115 — PuTTY 0.83: patched upstream, public PoC exists but real-world validity disputed, no NVD score yet — improper Ed25519 signature verification.
• TrapDoor — credential-stealing malware across 34+ packages and 384+ versions on npm, PyPI, and Crates.io; actively distributing since May 22, with some packages still live at time of writing.

If you work in crypto, DeFi, AI, or Solana development and installed any new packages over the long weekend, read this first.

Socket researchers have identified an active credential-stealing campaign spanning npm, PyPI, and Crates.io — the three dominant package registries for JavaScript, Python, and Rust — with more than 34 malicious packages and 384+ related versions, some already removed and others still live. Socket calls the campaign TrapDoor. Per The Hacker News, it launched May 22 and rolled out in waves through the weekend, abusing npm install hooks, Python imports, and Rust build scripts for execution and persistence.

The packages wear plausible names — prompt-engineering-toolkit, solidity-deploy-guard, defi-threat-scanner — exactly the kind of thing a developer in those communities pulls down without a second look. Once installed, TrapDoor harvests SSH keys, Solana/Sui/Aptos wallet keystores, AWS credentials, GitHub tokens, browser login databases, crypto wallet extension data, environment variables, and API keys, per Cyber Kendra.

Here's the part that should make you stop scrolling. TrapDoor is the first publicly reported supply-chain campaign observed targeting AI coding assistants. The attacker modifies .cursorrules and CLAUDE.md files — the configuration files that tools like Cursor and Claude Code read to shape how they assist developers — and injects hidden instructions using zero-width Unicode characters to coerce the AI into running credential exfiltration under the cover of a "security scan." To scale this, Cryptika reports the actor used the GitHub account ddjidd564 to submit pull requests carrying poisoned config files to LangChain, MetaGPT, and OpenHands.

This expands the threat model from "don't run untrusted code" to "don't let your AI assistant read untrusted text." Prompt injection moves from research curiosity to a credible supply-chain vector. What failure looks like: ecosystem registries get faster at detection, AI tool vendors start treating config files as untrusted input, and TrapDoor becomes a footnote. The signal to watch is whether new poisoned packages keep appearing under fresh maintainer accounts — that tells you the playbook is being industrialized, not abandoned. If you installed anything matching the IoCs, rotate AWS, GitHub, and SSH keys now and grep your repos for unexpected .cursorrules or CLAUDE.md files.

Ghost is the open-source publishing platform powering newsletters, university blogs, and indie media sites — think self-hosted Substack. If you've visited a Ghost-powered site in the last few days, there's a real chance you were shown a counterfeit Cloudflare verification prompt designed to talk you into running malware on your own machine.

BleepingComputer reports that a large-scale campaign is exploiting CVE-2026-26980, a critical SQL injection in Ghost CMS, to inject malicious JavaScript that triggers ClickFix attack flows. Researchers at Qianxin's XLab have confirmed compromise on more than 700 domains — university portals, media outlets, fintech firms, and SaaS companies — with Harvard, Oxford, Auburn, and DuckDuckGo named among confirmed victims.

The mechanics are uncomfortably elegant. Without authentication, an attacker reads the database through the Content API blind injection, pulls the Admin API Key, and uses it to rewrite articles in bulk. Visitors who pass a fingerprinting check get served a fake Cloudflare prompt in an iframe, telling them to "verify they are human" by pasting a command into a Windows terminal. The command drops a payload. The campaign is large enough that compromised sites have become ClickFix delivery infrastructure rather than isolated breaches.

SonicWall rates this CVSS 9.4 and two public PoCs already exist. Affected versions span Ghost v3.24.0 through v6.19.0 — a punishing window. The fix is v6.19.1. If you run Ghost, patch, rotate your Admin API keys, and inspect article bodies in the database for injected