AI Scam Renaissance - How Claude Got My Ghost Website Hacked


Hey everyone, it's been a while since my last post about winning a game jam. I've been spending most of the time trying to figure out how to bring the game we made, Rulehouse, to market. This means making social accounts, holding meetings, writing blogs, coding, doing art, etc. etc. It's been a lot of fun, but this post is about how, in the midst of all the game development chaos, I noticed that my Ghost site was hacked. I even made the joke: I wonder if this is the Claude Mythos effect. This blog is how I figured out it actually probably was.

Discord chat about the hack

My Website was Hacked

And I mean completely hacked. The good thing is that I wasn't hosting any sensitive information on the site, but the emails of people who did sign up for my newsletter were most likely leaked. Firstly, I've fixed the issue now, the site is up and running, and I've taken measures to future-proof it, so I'd like to apologize that anything leaked in the first place, but also reassure everyone that this won't happen again, at least in the same fashion.

But what really did happen? Well, be warned, this will get technical. I use Ghost, an open-source blogging software, for my website, and I used to host the site on a DigitalOcean droplet, aka I rented space on a server from the company DigitalOcean. This basically meant I was only paying DigitalOcean around $12 a month for a website of my size, and it was a fun way for me to learn how to host one's own site. Win-win, I thought. But the night of June 1st, me and my friend Ian were in Discord chatting as he was writing some social media posts for the game, and when he was trying to link to my site he realized it was broken. I thought that was weird, since my site shouldn't automatically update any software, so nothing should just break like that without me doing anything. That was the first red flag in hindsight. Later on that Wednesday, June 3rd, I decided to actually take a look myself at the site and I opened it up.

Picture on the left is how the site is supposed to look, and the one on the right was how it looked on June 1st and 3rd

I again thought it was weird, but didn't realize that I was hacked until I clicked on a link and saw this.

Captcha found on my site on 6/3/26

It's a scam captcha with short instructions to get the user to copy some code into a terminal and execute it. What would that executed code do? I think we can guess: something along the lines of compromising your computer. Now this scam seems rather obvious when you combine it with the broken white background. Clearly something was off. So how did this happen, and who would take the time to do such a terribly executed hack?

Well, the answer is pretty interesting. I shut down the site after discovering this and went in to figure out if I could recover my data and how I was hacked. Now I'm not a cyber security forensics expert, but I know enough about how to use Google and AI that I found the captcha scam was done by injecting the code into the 'footer' of each and every page and post on my website via the Ghost MySQL database. It was officially called SQL Injection and is a known exploit, as documented on the Ghost forums here and in the GitHub security advisory here, that involved using the public Zapier API key each Ghost instance has. The issue was that the API key was given an overly wide set of permissions to read and write anything directly into your Ghost database. Seemingly I actually got off lucky, as I found this post in the Ghost forums where someone had all their posts and pages deleted. This exploit provides that extent of access.

But it's not too hard to clean up if it's only footer-injected captchas. So I was able to go into the terminal and remove them all, then export and back up all my posts. In addition, I also used WinSCP to go in and grab all the images and media from the site too. So no lost data.

But that still leaves the question: how did the website break visually? That database exploit shouldn't have broken the styling; it should've just allowed them to change posts, inject their captchas, and modify the database, right?

Here is a screenshot of the contents of the themes folder of my hacked site.

You can see the theme 'edition' in the screenshot above; this is the theme that made my site white and terrible. It was 'changed' on May 30th, as you can see, and it was also not so coincidentally created on May 30th by a hacker. I never installed this theme, nor did I update Ghost, but how could the hacker install a theme? They couldn't have used SQL injection, since this is file creation, not just a database change. But this was most likely also done with the same Zapier exploit we've been talking about. The hackers potentially used the theme upload API endpoint with the Zapier API key that had too much access. As far as I could tell, they just made this theme and switched to it. It didn't seem to have any malicious code in it? I wondered for a moment if it was a white hat hacker that was trying to alert people that they could be hacked, since it didn't do anything. But there is also another security advisory on GitHub for remote code execution via malicious themes. So maybe this was a failed attempt, or a successful one I didn't recognize, at using the API key to inject and use such a malicious theme. I wasn't able to get an answer here. But regardless of my circumstance, potentially someone could use this exploit to download and switch to a malicious theme, then use that to do remote code execution to take control of the entire server and do whatever they want with it. If your server was your home computer, they'd have access to everything on it.

So very very bad stuff here.

Who would do this?

Well, it's not one person or group, that's very clear. I was only able to retrieve API key usage back to May 22nd, but via nginx logs we can tell the first compromise was actually on May 17th. This bug was found and patched in February, for context. Since just the 22nd of May there were about 48,000 API requests from suspicious IPs. These API requests came from the UAE, Germany, and Malaysia, with the Malaysian IP doing 42,000 of the requests and the German IP being responsible for the hacked captcha injection. Though a VPN can easily move your IP anywhere these days, so there's no guarantee of where the hackers were actually from. But it's fair to say that I was systematically targeted by bots that were doing thousands of API requests, and likely it was a large-scale hacking venture by many different groups to target not just me, but all sorts of Ghost-based sites using this vulnerability.
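The nginx log review described above can be scripted. This is an added example, not part of the original post or Ghost's own tooling: it assumes nginx's default "combined" access-log format and that the Ghost Admin API is served under `/ghost/api/admin/`, and the sample log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (nginx "combined" format). IPs are RFC 5737
# documentation addresses, not the ones seen in the incident.
SAMPLE_LOG = """\
198.51.100.7 - - [17/May/2026:03:12:45 +0000] "GET /ghost/api/admin/posts/?limit=all HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.7 - - [17/May/2026:03:12:46 +0000] "GET /ghost/api/admin/members/ HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.9 - - [22/May/2026:10:00:01 +0000] "PUT /ghost/api/admin/posts/abc123/ HTTP/1.1" 200 900 "-" "curl/8.0"
203.0.113.9 - - [22/May/2026:10:00:02 +0000] "DELETE /ghost/api/admin/posts/abc124/ HTTP/1.1" 403 120 "-" "curl/8.0"
192.0.2.44 - - [30/May/2026:01:02:03 +0000] "POST /ghost/api/admin/themes/upload/ HTTP/1.1" 201 300 "-" "curl/8.0"
192.0.2.44 - - [30/May/2026:01:02:09 +0000] "PUT /ghost/api/admin/themes/edition/activate/ HTTP/1.1" 200 300 "-" "curl/8.0"
192.0.2.10 - - [01/Jun/2026:18:30:00 +0000] "GET /some-post/ HTTP/1.1" 200 14000 "-" "Mozilla/5.0"
"""

ADMIN_PREFIX = "/ghost/api/admin/"  # assumed Admin API path prefix
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def summarize(log_text, trusted_ips=()):
    """Per-IP Admin API activity: totals, successful writes, theme changes."""
    stats = defaultdict(lambda: {"total": 0, "writes_ok": 0,
                                 "theme_writes_ok": 0, "first_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(ADMIN_PREFIX):
            continue  # unparsable line or ordinary page view
        if m["ip"] in trusted_ips:
            continue  # e.g. the site owner's own address
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = stats[m["ip"]]
        s["total"] += 1
        # A 2xx response to a write means the change was accepted.
        if m["method"] in WRITE_METHODS and m["status"].startswith("2"):
            s["writes_ok"] += 1
            if m["path"].startswith(ADMIN_PREFIX + "themes/"):
                s["theme_writes_ok"] += 1
        if s["first_seen"] is None or ts < s["first_seen"]:
            s["first_seen"] = ts
    return dict(stats)

def earliest_admin_access(stats):
    """(ip, timestamp) of the first Admin API hit, or None if there is none."""
    if not stats:
        return None
    ip = min(stats, key=lambda k: stats[k]["first_seen"])
    return ip, stats[ip]["first_seen"]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, s in sorted(report.items(), key=lambda kv: -kv[1]["total"]):
        print(ip, s["total"], s["writes_ok"], s["theme_writes_ok"],
              s["first_seen"].isoformat())
    print("first Admin API access:", earliest_admin_access(report))
```

Passing your own address in `trusted_ips` leaves only third-party Admin API traffic, and any successful theme write from an address you don't recognize is worth checking against the modification dates in the themes folder.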

The Crux

So this hack is actually an exploit found by Nicholas Carlini, who is "studying what bad things you could do with, or do to, language models" and working for Anthropic. How do I know this? The Ghost GitHub security advisory for this exploit literally mentions Nicholas and Claude by name as the source of the issue. His site, https://nicholas.carlini.com/, says he works for Anthropic. His Wikipedia page says he's associated with Anthropic, and this post on Anthropic's site about creating a C compiler with agentic Claudes clearly names him as the writer and someone who works for the company.

Picture from his site as of 6/12/26

Not doxxing this guy, nor do I think he did anything wrong in the slightest. Just proving beyond reasonable doubt that this exploit that was used to hack my site was found by an engineer at Anthropic using Claude. Whether this is a Mythos thing is still unknown, but it's crazy that my joke kind of came to fruition here.

Importantly, Nicholas found this hack first and it was used retroactively by hackers, not the other way around. It was found, fixed, and reported in February, and three months later in May that finding opened the door for the mass hacking of Ghost sites. Now you may say this is totally your fault, you had three months to update and didn't, which is true in a sense. I'm not a cyber security guy or a system admin, and to make things worse, I'm also a known skeptic of updates. I'm a dude who wanted a blog and decided to take a cheap route: pay DigitalOcean to give me a Linux server that already had Ghost installed. Most people, if they took this route, wouldn't even need to 'ssh' into the server to update posts and send emails, as Ghost has a really nice admin UI portal that you can access in the browser.

My ghost admin page, and yes I need to change my icon logo before I get sued by the Detroit Tigers (I'm not a sports guy so I didn't know)

Also, Ghost is marketed as a replacement for WordPress and other similar software, so I can imagine lots of non-technical or slightly technical people deciding to use it as a cheaper alternative in the last several years. So the exact audience that uses Ghost is one that would likely not be updating Ghost or paying attention to software vulnerabilities in their patch notes or security advisories on their GitHub page. That is to say I really think that making a more public disclosure isn't only a bad idea, it's important. They need a better way to go to their users and tell them first, or even in a timely manner, that if they do not install this update, all their data might be deleted and personal information could be leaked.

The Steelman - There was disclosure

In this situation I understand that it's very hard, as Ghost isn't a platform but open-source software. But according to the post about this exploit on the forums, Ghost does do this via a 'check update' service. The service is supposed to be like Mastodon in the way it emails admins about the host version needing critical security updates, but I never found or received any such emails. The server does need to have the transactional email system working for it to send the emails. Mine was working, since this hack actually compromised my Mailgun account that I was using to send emails on May 26th. I got an email from Mailgun telling me as much.

The email I received from Mailgun about my account being disabled

I also made a post in March about the game jam win that was sent out via Mailgun on my site, so I have no reason to believe it wasn't functioning in February. Also, the critical system update emails are supposed to be enabled by default. A default I definitely did not change. So if that service actually did work then great, that could and would be a solution to this issue, but it didn't work. I didn't get an email, and seemingly many others on the forums didn't either. This was disclosed on GitHub in a way that I or many other users wouldn't see it, which made it more actionable to the hackers. They took the three months, learned how to use the hack, then did it. To top it all off, this was an exploit found by literally someone working for Claude, who as a professional, I will assume, disclosed this issue to Ghost with plenty of time to fix it before he made any public statements about it. So they had time to make sure this was conveyed correctly, which I believe makes my criticism all the more valid and biting. They even have a changelog blog and didn't post anything at the time about the existence of this critical issue. The patch was made the same day as the security advisory, on February 16th, a good practice, but why not broadcast it?

Ghost newsletter clearly not acknowledging the exploit

I'm very lucky my data and site were fine, but I can imagine many people still aren't even aware this is happening. It is not a good look for Ghost or for the security of our systems in general.

Where to go from here?

Well, this is an arms race: AI is finding exploits that are pretty bad and companies are patching them, but if you're not clued in, you're going to get hacked. It is more important than ever, if you're hosting something yourself, to update it. We're looking primarily at Ghost here. But out of 26 security advisories on GitHub since 2021, sixteen of them are from this year and eight of them are from two days before I wrote this post. Take a look yourself.

The ghost security advisory board on Github as of 6/12/26

All these recent tickets are not found by Claude but by cyber security enthusiasts/professionals using AI. The most recent 'critical' one was found by a GitHub user named CryptoCat, and he talks about it on his site, where he says verbatim "[A]I was looking through Ghost's frontend theme stack for sinks that interpolate site settings directly into HTML..." His AI-found exploit allows hackers to do complete account takeovers by creating new administrator invites. There are also several exploits found by LakshmiKanthan K, a GitHub user who self-describes as an AI & CyberSec Engineer. So it's fair to say these are advisories for exploits found using AI.

Now Ghost is open-source, and it's easy to find exploits when you can stare at the insides of something, so I believe this is ground zero for the burgeoning AI cyber security arms race, or scam renaissance as I said in the title. My opinion is this will eventually play out on many different pieces of software with drastically less transparency. There are many many many old systems and sites that are not being updated in a three month time frame and are liable to be hit. Not just Ghost sites, but we've heard that AI can refactor COBOL. Just imagine AI hackers pointed at our banking infrastructure. Not a great thought.

And to put an even finer tip on that point, Claude Mythos was determined to be so powerful at finding cyber security vulnerabilities that it was distributed only to select private companies in an effort dubbed Project Glasswing by Anthropic. This was so they could patch these issues before they got mass hacked.

But it's far too late for us to do anything about it personally, since AI is here and it is finding holes in software and entering them. So do yourselves a favor and update and backup anything that's dear to you and hold on since this is going to be a rocky ride. But a final message to Ghost and software that intends to target tech laymen in general, please find ways to tell users that these issues are happening in a clear and consistent way so that this doesn't need to keep happening.

Nicholas Carlini's Lecture

I'm writing this after finishing the blog and I had a thought: maybe Nicholas wrote something about this incident? So I searched 'Nicholas Carlini Ghost' to see. What I learned was that not only were there LinkedIn and X posts about this finding in general, but he did a freaking lecture at a conference on it. I am not kidding you. My site was hacked two months after a lecture in March on the exact same hack was given by a researcher at Anthropic at the 'unprompted' AI conference and then posted on YouTube. The video has been watched by 300,000+ people. This must've been embarrassing to Ghost, which had a great cybersecurity record up to this point, as Nicholas even mentions in the talk (around 6:20). And as an aside, I have to say, if you read this post to this point, watch this lecture, do not skip it, it is much more interesting and important than this anecdote. But it is also the nail in the coffin of the massive PR clusterf*** that Ghost failed to alert its users to a hack that hundreds of thousands of people listened to a lecture about. The asymmetry of a self-hoster of Ghost knowing nothing compared to hackers who could follow a lecture from a PhD about the exact hack is insane. Ghost should not be ashamed of the hack existing but of the critical inability to tell its users and letting something this well known still come back to bite its users.

Not to mention that this talk may have drawn Ghost to the attention of cyber security hobbyists that are looking at it as a great way to get some more resume material by finding exploits. It's clear to me now that the increase in Ghost-specific exploits is not just AI driven but is specifically driven by the popularity of the video. This means more critical issues, more vectors of attack found all with poor communication to its users, leaving them exposed. Scam renaissance.

The Irony and Personal Note

I'm glad this hack is over for me at least. Fixing this was really an annoying distraction from my normal game development work and blogs, but I thought it was a crazy story so I felt compelled to write about it. The irony is that I decided to buy Ghost Pro (I did this before I found the lecture by the way) so that my site auto updates as I cannot be bothered by managing my own server anymore after this. Especially with the amount of exploits coming out right now. I might go back to self-hosting after this dies down in a couple years or migrate to some other software, but for now their lack of disclosure actually made me buy their stuff. It hurts my soul deeply that I'm paying them after this massive screw up. But I have a game to ship and I can't tarnish my brand by having a site that is serving people hacked captchas and I don't have the will to migrate to a different software yet at least.

Let me say this: Ghost please do better at alerting your users, especially self-hosters, this is unacceptable and it's going to keep happening. I also know that this impacted only people who did not pay Ghost for hosting, so it might be viewed as acceptable from that perspective. I'm here to say that's not true. Ghost's main appeal over its competitors is its ability to self host, which is being undermined by this scandal (which is a fitting word in my mind at this point).

That being said... I can hardly write this without laughing after all that, if you want to check out my site, Dalichrome or check out this page I just launched which is like a link tree for all my socials relating to my new game on my un-hacked site, I'd really appreciate it. But I am so glad to be going back to normal game development and I hope you guys stay safe in this crazy environment whether it be out in the cyber or the physical world, this is one rocky year.

Rulehouse social page

Update - The USA Bans Claude?

The United States Government on 6/12/26 just put export controls on Claude Mythos 5 and Claude Fable 5 models so that they can't be used by foreign nationals in or outside the states. This effectively banned these models from use and Claude has shut them down (source). Claude made a statement about it here.

As I mentioned above, these models are marketed as state of the art cyber security models. A ban of them is a clear statement that the government is scared of the cyber security consequences of this. As you read earlier I am clearly in favor of a more thoughtful deployment of this technology to prevent anecdotes like mine or worse. But this was a stupid way to do it, not that I'm surprised though.

I just thought I had to include something about this, as the model that likely found the exploit that was used to hack my site was just banned by the United States Government. Makes you think.
