Feed aggregator

Article URL: https://economy.ac/news/2026/05/202605289199

Comments URL: https://news.ycombinator.com/item?id=48278360

Points: 2

# Comments: 0

Has a Kanban view and a timeline view, which are also mixed together in a TODO list with a smart sorting.

Prioritized tasks are interleaved with scheduled ones.

The philosophy being explored is that there is a big overlap between calendar items and todo items, and calendar items never happen exactly as scheduled.

Scheduled items gets converted to "Doing" state automatically at the start time.

Try it here: https://joexo.codeberg.page/myday/

Comments URL: https://news.ycombinator.com/item?id=48278355

Points: 2

# Comments: 0

Hardcoded machineKey values in a configuration file enabled ViewState deserialization attacks leading to remote code execution.

The post Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment appeared first on SecurityWeek.

Dodge installation fees and take security into your own hands with these super smart security kits.

Register to enjoy free access and explore the tools, strategies, and frameworks needed to build a resilient security program for a world where every minute counts.

The post Watch on Demand: Threat Detection & Incident Response Summit – All Sessions Available appeared first on SecurityWeek.

Article URL: https://world.hey.com/dhh/basecamp-five-8fcfd2ef

Comments URL: https://news.ycombinator.com/item?id=48277963

Points: 1

# Comments: 0

Article URL: https://dailymurder.com

Comments URL: https://news.ycombinator.com/item?id=48277957

Points: 1

# Comments: 0

Article URL: https://sive.rs/horses

Comments URL: https://news.ycombinator.com/item?id=48277954

Points: 1

# Comments: 0

Article URL: https://www.tooldocket.com/2026/05/skill-to-income-calculator.html

Comments URL: https://news.ycombinator.com/item?id=48277952

Points: 1

# Comments: 0

Article URL: https://news.flinders.edu.au/blog/2026/05/26/ai-speeds-up-discovery-of-next-gen-computer-chips-and-electronic-materials/

Comments URL: https://news.ycombinator.com/item?id=48277949

Points: 1

# Comments: 0

Article URL: https://nltimes.nl/2026/05/26/netherlands-blocks-us-takeover-digid-operator-solvinity-security-concerns

Comments URL: https://news.ycombinator.com/item?id=48277940

Points: 3

# Comments: 0

Article URL: https://www.classes.cs.uchicago.edu/archive/2014/fall/51210-1/required.reading/ITDoesntMatter.pdf

Comments URL: https://news.ycombinator.com/item?id=48277886

Points: 1

# Comments: 0

Attackers are abusing a critical Ghost Content Management System (CMS) vulnerability to hijack more than 700 legitimate websites and inject a fake Cloudflare verification step that tricks visitors into running a Windows command that installs malware.

These social engineering campaigns—where website visitors are tricked into running malicious commands on their systems—are commonly known as “ClickFix” attacks. In this case, cybercriminals turned websites belonging to trusted organizations, including universities and tech companies, into delivery platforms for the malware campaign.

More than 700 Ghost‑powered websites were compromised through a known SQL injection vulnerability tracked as CVE‑2026‑26980. The attackers used this bug to steal administrative API keys and silently inject malicious JavaScript into posts and pages across affected sites.

Researchers found that the injected script loads a second‑stage ClickFix flow, presenting visitors with a fake Cloudflare or CAPTCHA verification dialog.

Example of fake Cloudflare verification

Instead of a normal checkbox, the page instructs users to copy‑paste a command into the Windows Run dialog or PowerShell, effectively tricking them into installing malware on their own systems.

Details for website managers

At the heart of this campaign is a critical SQL injection bug in Ghost’s Content API. The researchers noted:

“Without any authentication, an attacker can directly read the database contents through this vulnerability, including the Admin API Key used to call the Ghost Admin API.”

The vulnerability affects Ghost versions 3.24.0 through 6.19.0 and can be exploited without logging in.

A patched version is now available and should be installed as soon as possible. Not just because of the ClickFix campaign; once attackers steal an Admin API key, they can edit, delete, or create posts, inject scripts, hijack themes, and tamper with user‑facing content in other ways.

How to stay safe

This campaign is likely to be particularly effective because the instructions are framed as harmless technical steps such as “verify you’re human,” “fix your connection,” or “continue to the site.” Worse still, the content appears on websites users already trust.

With ClickFix running rampant—and it doesn’t look like it’s going away anytime soon—it’s important to be aware, careful, and protected.

• Slow down. Don’t follow instructions on a webpage without thinking them through, especially if the page asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass critical thinking, and many ClickFix pages use countdowns, fake user counters, or other pressure tactics to make you act quickly.
• Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. If a website tells you to execute a command or perform a technical action, check official documentation or contact support before proceeding.
• Be cautious when copy-pasting commands. Attackers often disguise malicious payloads inside clipboard text. Typing commands manually instead of copy-pasting them can reduce the risk of unknowingly running hidden malicious payloads.
• Secure your devices. Use an up-to-date, real-time anti-malware solution with a web protection component.
• Stay informed about evolving attack techniques. Cybercriminals constantly adapt their methods, and awareness remains one of your best defenses, so keep reading our blog!

Pro tip: Did you know the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?

Stop threats before they can do any harm.

Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

Article URL: https://delphinightmares.substack.com/p/dbase-is-back-sort-of

Comments URL: https://news.ycombinator.com/item?id=48277860

Points: 1

# Comments: 1

Article URL: https://github.com/NoteDance/parallel-saver

Comments URL: https://news.ycombinator.com/item?id=48277855

Points: 1

# Comments: 0

DockSec, an OWASP incubator project, correlates findings from multiple container security scanners and uses AI to generate plain-English remediation guidance and exact Dockerfile fixes.

The post Open Source DockSec Uses AI to Cut Through Vulnerability Noise in Docker Images appeared first on SecurityWeek.

Article URL: https://www.youtube.com/watch?v=Gk-9Fd2mEnI

Comments URL: https://news.ycombinator.com/item?id=48277821

Points: 1

# Comments: 0

Article URL: http://theoildrum.com/node/5528

Comments URL: https://news.ycombinator.com/item?id=48277811

Points: 1

# Comments: 0

Article URL: https://jstribune.com/china-vs-taiwan-the-geography-of-an-unfinished-war/

Comments URL: https://news.ycombinator.com/item?id=48277805

Points: 1

# Comments: 0

Article URL: https://pluralistic.net/2026/05/26/the-ai-will-continue/#until-morale-improves

Comments URL: https://news.ycombinator.com/item?id=48277784

Points: 4

# Comments: 1