Databasehooligan Breach Spree Meets Ghost CMS Mass Exploit

Events tracked: 170
Critical exposure: 71

Summary

The day's volume came less from ransomware than from high-throughput database dumping and opportunistic web exploitation -- a reminder that the larger exposure for most organizations now runs through third parties, content-management software, and the package ecosystems their code depends on. The actors filling forums with stolen records are recycling exposed credentials and vendor access faster than any single ransomware brand can extort, and the most damaging activity of the day touched shared infrastructure that fans one compromise out across thousands of downstream sites.

Today's developments

A single actor, Databasehooligan, accounted for the bulk of the day's breach claims, posting 27 alleged database compromises across Europe and the Americas. The targets spanned German higher education (the University of Cologne and the University of Osnabrück), Hungarian platforms (the Vatera marketplace, One Hungary telecom, and the Jogpontok legal service), Greek retail (Kotsovolos and bbq.gr), Finland's Jimm's PC-Store, Brazilian e-commerce and veterinary sites (Pichau and VetSmart), Canadian manufacturers (Broil King and Grainger Canada), Belgium's mysocialsecurity.be government portal, and the Bangladesh Election Commission.

Other actors pursued higher-profile single targets. The actor BlackH4t MD-Ghost claimed a breach of the cryptocurrency exchange Coinbase, while ~ C10F./x404 advertised data it attributed to the US Central Intelligence Agency alongside claims against Indonesia's Team RRQ e-sports organization and a regional cellular carrier. mosad claimed to have breached Russia's GRU military-intelligence service, FAD Team named Saudi Arabia's Ministry of Interior, ShenChuyi88 claimed the Sri Lanka Army, and Skull1172 posted data it said came from the Buenos Aires City Police. On the leak side, KARAWANG ERROR SYSTEM claimed records from the insurance broker Marsh, and the actor privilege claimed Telkom Indonesia. Ransomware claims clustered under DragonForce (12 posts), while distributed-denial-of-service activity was dominated by Keymous Plus and the pro-Russian NoName057(16).

External reporting pointed to the more systemic threats. A critical Ghost CMS flaw, CVE-2026-26980, was exploited to hijack more than 700 websites -- including those of Harvard, Oxford and DuckDuckGo -- to inject JavaScript for ClickFix social-engineering attacks. The software supply chain absorbed several blows at once:

  • The "Megalodon" campaign infected more than 5,500 GitHub repositories with fake automated commits that planted GitHub Actions workflows to steal credentials, CI secrets, keys and tokens.
  • The cross-ecosystem "TrapDoor" campaign distributed credential-stealing malware through npm, PyPI and Crates.io, and the Laravel-Lang packages were separately poisoned within a 15-minute window with backdoors that exfiltrate CI secrets.
  • North Korea's Lazarus Group was observed deploying a memory-only RAT, RemotePE, against financial and cryptocurrency firms, and Mandiant detailed active exploitation of the KnowledgeDeliver platform through a ViewState deserialization bug.

Healthcare and legal data breaches surfaced through disclosures rather than forum posts: DocketWise reported a breach affecting 143,000 people that exposed Social Security numbers, financial and medical data, and Radiology Associates of Richmond disclosed a breach affecting 266,000. Separately, Anthropic said its Mythos system had flagged some 23,000 potential vulnerabilities across 1,000 open-source projects.

Threat landscape signals

Activity was highly concentrated: the three most active groups -- Databasehooligan, Keymous Plus and NoName057(16) -- together accounted for roughly 60 of the day's 170 events, or about a third. Data breaches and leaks (71 events) outweighed DDoS (46) and ransomware (20), confirming that bulk data theft, not extortion, drove the day's raw volume. Government administration was the single most-targeted sector (29 events), ahead of IT services and e-commerce (12 each), while the United States led victim countries (27), with Morocco and Italy also heavily represented -- much of that non-US volume reflecting hacktivist DDoS and defacement rather than data theft.

The through-line worth acting on is infrastructure leverage. The Ghost CMS exploit, the Megalodon and TrapDoor supply-chain campaigns, and the Laravel-Lang poisoning each turned a single compromise into thousands of downstream victims, and the prolific database actors trade on reused credentials and third-party access. Dependency inventories, vendor-access reviews, and prompt patching of internet-facing CMS and developer tooling will blunt more of this activity than tracking any individual ransomware brand.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
