Harvard, Oxford and DuckDuckGo Hacked: If You Visited Their Site, You May Have Installed a Virus Without Knowing
🏫 The most notable victims
The campaign is indiscriminate — hackers hit global universities, search engines, blogs and tech companies alike:
😱 The ClickFix technique — you infect yourself
What makes this attack particularly vicious is its technique. Hackers don't need to exploit a flaw in your computer. They manipulate you into infecting yourself — this is called a "ClickFix" attack. The compromised page shows a fake Cloudflare popup that tells you to:
1. Press Windows + R
2. Paste the command below
3. Press Enter
Cloudflare will never ask you to run PowerShell or Terminal commands. If you see this type of popup on any website — close the tab immediately.
🔍 How did the hack work?
The exploited flaw is called CVE-2026-26980 — a critical SQL injection (score 9.8/10) in Ghost CMS, a blogging platform used by over 100,000 websites worldwide. The patch had existed since 19 February 2026, but hundreds of administrators hadn't installed it.
- An attacker sends a single HTTP request to the site — no account, no password needed
- The flaw gives them access to the site's admin API keys
- They then inject malicious JavaScript into all articles on the site
- Visitors see the fake Cloudflare popup and, if they follow the instructions, install malware
- Theft of passwords saved in your browser
- Session cookie theft — access to your accounts without a password
- Keystroke logging — everything you type is captured
- Remote access — the hacker can control your PC
- File theft — documents, photos, personal data
- DuckDuckGo is the "private" search engine — used by those who distrust Google
- Its users trust the brand — they're less suspicious of a popup on this site
- It was DuckDuckGo's blog that was compromised, not the search engine itself
- Cruel irony: those most concerned about their privacy were the most targeted
✅ What you should do now
- Run a full antivirus scan with Malwarebytes (free) or Bitdefender
- Change your important passwords from another device — email, bank, social media
- Sign out of all devices on your important accounts (option available in settings)
- Check the sign-in history of your accounts — any login from an unknown location or device is suspicious
- No legitimate website popup will ever ask you to paste a command into your Windows or Mac terminal
- Cloudflare, Google, Microsoft or your bank will NEVER ask you to run PowerShell or Terminal code to verify you
- If you see this type of popup — close the tab immediately
- Share this rule with your parents and grandparents — they are the most vulnerable to this manipulation
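
To check whether the Windows + R step described above was actually carried out on a PC, a responder can read the Run dialog history that Windows keeps per user in the RunMRU registry key. The PowerShell below is an added example, not code from the original article; the list of suspicious patterns is an assumption and should be tuned.

```powershell
# Added example: list Run-dialog history for the current user and flag
# entries that look like a pasted ClickFix command.
$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Assumed markers: interpreters and download tools rarely typed into Win+R.
# This is a heuristic list, not a set of indicators from the campaign.
$suspicious = @(
    'powershell', 'pwsh', 'cmd(\.exe)?\s+/c', 'mshta', 'wscript', 'cscript',
    'rundll32', 'regsvr32', 'msiexec', 'curl', 'bitsadmin', 'certutil',
    'https?://', '\s-enc', '\biex\b', 'invoke-'
)
$pattern = '(?i)(' + ($suspicious -join '|') + ')'

function Test-RunEntry {
    param([string]$Command)
    # True when the entry contains any of the assumed markers.
    return $Command -match $pattern
}

function Get-RunHistory {
    if (-not (Test-Path $runMru)) { return @() }
    $key = Get-ItemProperty -Path $runMru
    # MRUList holds the value names (a, b, c ...) ordered newest first.
    $order = [string]$key.MRUList
    foreach ($name in $order.ToCharArray()) {
        $raw = $key."$name"
        if ($null -eq $raw) { continue }
        # Each stored command carries a trailing "\1" marker; strip it.
        $cmd = $raw -replace '\\1$', ''
        [pscustomobject]@{
            Slot       = $name
            Command    = $cmd
            Suspicious = Test-RunEntry $cmd
        }
    }
}

$history = @(Get-RunHistory)
$hits = @($history | Where-Object Suspicious)
$history | Format-Table -AutoSize -Wrap
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) Run-dialog entries look like a pasted command. Treat this user profile as compromised."
} else {
    Write-Output 'No Run-dialog entry matched the assumed patterns.'
}
```

An empty result does not clear the machine, because anything running as the user can delete this key; the scan and password steps above still apply.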
❓ Frequently asked questions