Security Alert: SRA Blog False Captcha

On Wednesday, May 20th the SRA Technology Department received a report of a suspicious "captcha" or verification prompt on this blog. It asked users to enter text into a command prompt with a message similar to this one:

We'd recommend anyone who entered the commands described in the captcha (or who cannot recall if they did) immediately take the following precautions:

  • Change any and all passwords (to resolve any data exfiltration), especially passwords stored on the device (through browser or third-party password managers or in files).
  • Use the "log out of all other devices" option on services that offer it (to resolve any session hijacking).
  • Ensure Windows Defender is enabled and up to date.
  • Run a deep scan with a tool like Malwarebytes Anti-Malware.
  • Run a second scan with another tool such as Microsoft Safety Scanner or Google Chrome Cleanup tool.
  • If possible, reinstall Windows (to potentially remove a persistent threat).
  • Closely monitor all financial records for suspicious activity.

There are third party identity protection and monitoring services that can assist as well. These may be worth pursuing especially if you are confident you entered the command, have noticed suspicious activity, or are unable to follow the precautions above.

As far as the Technology Department is able to determine, the attack would only affect Windows devices and Windows installs on other devices.

As always, it is best practice never to run or enter commands from the internet, and to regularly change critical passwords.

The incident was resolved within twelve hours of identification, but there are always opportunities for improvement, from the speed of that initial identification to our internal update cycle and security practices to the timing of this communication itself. We apologize to any members, and indeed anyone, who may have been affected and have already taken steps to prevent any similar issues in the future.


A summary of the original Technology Department report on the incident:

On Wednesday, May 20th we were informed of a malware injection on https://blog.socialistra.org. Investigation of the situation revealed the following:

A Ghost bug allowed data exfiltration via a SQL injection in the content API. Beginning on 2026-05-08 this vulnerability was used to acquire an automatically generated Zapier API key. Using this key, attackers were able to inject a script into every post on https://blog.socialistra.org that caused a malicious captcha to appear for readers and instruct them to paste a command. We have no information about how many page views may have been served this captcha.

The Technology Department was notified of the breach at 10:54 AM PST. By 7:14 PM PST the cause had been identified, software had been updated, keys regenerated, and every post had been manually edited to remove the script injection code. An audit was then done to confirm no other changes had been made via that Zapier API key.
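One way to script the post audit described above, as an added example rather than the Technology Department's own tooling. The record fields (`slug`, `updated_at`, `html`), the script-host allowlist and the sample posts are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urlsplit

# First exploitation date given in the report above.
COMPROMISE_START = datetime(2026, 5, 8, tzinfo=timezone.utc)
# Assumption: hosts the site embeds scripts from on purpose.
ALLOWED_SCRIPT_HOSTS = {"blog.socialistra.org"}

# Constructed sample records standing in for exported posts (hypothetical shape).
SAMPLE_POSTS = [
    {"slug": "clean-post", "updated_at": "2025-11-02T10:00:00+00:00",
     "html": "<p>Hello</p>"},
    {"slug": "injected-post", "updated_at": "2026-05-09T03:12:00+00:00",
     "html": '<p>Hi</p><script src="https://cdn.placeholder.invalid/c.js"></script>'},
    {"slug": "inline-post", "updated_at": "2026-05-10T00:00:00+00:00",
     "html": "<p>x</p><SCRIPT>/* constructed */</SCRIPT>"},
    {"slug": "own-asset", "updated_at": "2026-05-11T00:00:00+00:00",
     "html": '<script src="/assets/built/site.js"></script>'},
]

class ScriptFinder(HTMLParser):
    """Records the src of every <script> tag; None means an inline script."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):  # tag names arrive lowercased
        if tag == "script":
            self.sources.append(dict(attrs).get("src"))

def audit_posts(posts):
    """Return (slug, reason, edited_in_window) for each unexpected script."""
    findings = []
    for post in posts:
        finder = ScriptFinder()
        finder.feed(post["html"])
        finder.close()
        edited = datetime.fromisoformat(post["updated_at"]) >= COMPROMISE_START
        for src in finder.sources:
            host = urlsplit(src).hostname if src is not None else None
            if src is None:
                findings.append((post["slug"], "inline script", edited))
            elif host is not None and host not in ALLOWED_SCRIPT_HOSTS:
                findings.append((post["slug"], f"external script from {host}", edited))
    return findings

if __name__ == "__main__":
    for slug, reason, edited in audit_posts(SAMPLE_POSTS):
        print(f"{slug}: {reason} (edited since compromise start: {edited})")
```

A finding on a post whose last edit predates the compromise window deserves a separate look, since it cannot be explained by the stolen key alone.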

Ghost as a platform has become increasingly popular, and with that popularity comes higher risk when vulnerabilities are discovered. Since 2021 we have been slow to update it and did not incorporate it into a regular update schedule. That has changed. Many reports of similar attacks were found in the course of researching this situation.

As very similar things have happened to other Ghost blogs, we do not believe this was targeted.