by goopthink
19 days ago
OP/author here! Apologies about the malware and captcha. It looks like my site was exploited via CVE-2026-26980, affecting all Ghost sites before v6.19 [1][2]. An API key was hijacked to inject malicious JS into every page that looks like a Cloudflare captcha; it seems that the JS only targeted Windows users, so I didn't catch it before I shared the post widely. The site has been upgraded to 6.44 to close the vulnerability, I rotated every API key and account credential, and both manually and programmatically scrubbed every instance I could find of the code injection across the database. I think we're clear now! Sorry to anyone caught by this, and thank you to the folks for flagging it (and thanks to the HN team for letting me follow up on this after comments were closed). I'm seriously mortified. X_X

[1] https://github.com/TryGhost/Ghost/security/advisories/GHSA-w...
[2] https://www.securityweek.com/ghost-cms-vulnerability-exploit...
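The comment above describes scrubbing an injected script from every page in a Ghost database. The script below is an added example, not the commenter's code and not part of Ghost: it scans post records shaped like Ghost's `posts` table (the `html`, `codeinjection_head` and `codeinjection_foot` fields) for `<script>` elements that either load from a host outside an allowlist or, when inline, carry the kind of platform-gating and decoding markers a "Windows-only" loader would need, and it can strip the flagged elements. The allowlist, the heuristic patterns, the sample records and the `attacker.invalid` host are all constructed for the demo; the real injected payload is not reproduced here. Site-level code injection lives in Ghost's `settings` rows under the same two slot names and should be checked with the same functions.

```python
"""Scan Ghost-style content fields for injected <script> elements.

Added example, not the Ghost project's or the commenter's code. Record
shape assumed: dicts with Ghost post fields `html`, `codeinjection_head`
and `codeinjection_foot`. All sample data below is constructed.
"""
import re
from urllib.parse import urlparse

# Assumption: the only hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"example.com", "cdn.example.com"}

CONTENT_FIELDS = ("html", "codeinjection_head", "codeinjection_foot")

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

# Heuristic markers for an inline loader that gates on the visitor's OS
# and decodes its real payload at runtime. Two or more hits -> suspicious.
SUSPICIOUS_INLINE = (
    re.compile(r"navigator\.(userAgent|platform)", re.IGNORECASE),
    re.compile(r"\bWindows\b|\bWin32\b|\bWin64\b"),
    re.compile(r"\batob\s*\(|\bunescape\s*\(|fromCharCode", re.IGNORECASE),
)


def script_host(src):
    """Hostname of a script src, or None for a same-origin relative path."""
    if src.startswith("//"):
        src = "https:" + src
    return urlparse(src).hostname


def find_scripts(fragment):
    """Return (attributes, body) for every <script> element in a fragment."""
    return [(m.group(1), m.group(2)) for m in SCRIPT_RE.finditer(fragment or "")]


def classify_script(attrs, body):
    """Return a reason string if the script looks injected, else None."""
    m = SRC_RE.search(attrs)
    if m:
        host = script_host(m.group(1))
        if host is not None and host not in ALLOWED_SCRIPT_HOSTS:
            return f"external script from unlisted host {host}"
        return None
    hits = sum(1 for p in SUSPICIOUS_INLINE if p.search(body))
    if hits >= 2:
        return "inline script with OS-gating/decoding markers"
    return None


def scan_records(records):
    """Report every suspicious <script> across the content fields of each record."""
    findings = []
    for rec in records:
        for field in CONTENT_FIELDS:
            for attrs, body in find_scripts(rec.get(field)):
                reason = classify_script(attrs, body)
                if reason:
                    findings.append({"id": rec["id"], "field": field, "reason": reason})
    return findings


def strip_flagged_scripts(fragment):
    """Return the fragment with every suspicious <script> element removed."""
    def repl(m):
        return "" if classify_script(m.group(1), m.group(2)) else m.group(0)
    return SCRIPT_RE.sub(repl, fragment or "")


# Constructed sample records; the inline loader is a stand-in, not the real payload.
SAMPLE_POSTS = [
    {"id": "post-1",
     "html": '<p>Hello</p><script src="https://cdn.example.com/app.js"></script>',
     "codeinjection_head": "", "codeinjection_foot": ""},
    {"id": "post-2", "html": "<p>Hi</p>",
     "codeinjection_head": '<script src="//static.attacker.invalid/c.js"></script>',
     "codeinjection_foot": ""},
    {"id": "post-3",
     "html": "<p>Yo</p><script>if(navigator.userAgent.indexOf('Windows')>-1){eval(atob('...'))}</script>",
     "codeinjection_head": "", "codeinjection_foot": ""},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_POSTS):
        print(f"{f['id']}.{f['field']}: {f['reason']}")
```

Run it against a Ghost JSON export (or rows pulled from the `posts` table) after upgrading and rotating keys; anything it reports should be reviewed by hand before `strip_flagged_scripts` is applied, since the allowlist and patterns are site-specific assumptions rather than a signature for this incident.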