Most of the CVE-2026-4020 attackers are the same client

Turns out the ‘attacker swarm’ was basically one sneaky shopper with a closet full of fake outfits

TLDR: Researchers say the huge wave of attacks was mostly one operation using thousands of fake identities while hunting for exposed passwords and keys. Commenters swung between laughing at the cartoonish disguise game and panicking that one cloud-powered scavenger could rummage through so much of the internet so fast.

The big reveal in this security mess is almost deliciously embarrassing: what looked like hundreds of hackers stampeding toward a fresh WordPress bug may actually have been one giant operation wearing thousands of costumes. Researchers say nearly all the activity shared the same request fingerprint, even while it cycled through 3,299 ridiculous browser identities like old BlackBerry phones, dusty Androids, and browsers nobody has thought about since 2011. Commenters immediately had a field day, comparing it to “one guy with a fake mustache collection” and “the world’s saddest cosplay convention.”

The bug itself was nasty in plain English: a WordPress email plugin could accidentally hand over a giant report packed with mail passwords, service keys, and other secret digital goodies to basically anyone who asked the right way. But the real comment-section drama wasn’t just about the flaw — it was about the scale and style of the scavenger hunt. One camp was furious, saying this proves internet defenders are still playing whack-a-mole while attackers rent huge cloud fleets and vacuum up exposed secrets by the truckload. Another camp was obsessed with the absurdity of the disguise strategy, joking that the attacker was rolling up as a 2010 BlackBerry, a zombie browser, and a museum-phone enthusiast all in one afternoon.

The spiciest debate? Whether this was a genius operation or just proof that the internet is held together by vibes, expired configs, and people forgetting to lock the digital broom closet.

Key Points

  • The article says CVE-2026-4020 in the Gravity SMTP WordPress plugin exposed a REST endpoint that returned a 365 KB report containing SMTP credentials and email-service API keys to unauthenticated users.
  • Of 566 observed IPs probing the vulnerable endpoint, 561 shared the same JA4H HTTP fingerprint, indicating that most of the activity likely came from a single operation.
  • The same HTTP fingerprint was linked to 480,973 requests from 3,158 source IPs across 92 networks and 43 countries dating back to February 19.
  • The operation allegedly rotated 3,299 user-agent strings and scanned 904 paths, focusing mainly on exposed secrets and configuration files such as `.env`, `.git/config`, cloud credential files, Terraform state, and framework diagnostics.
  • The article reports that 87% of the observed traffic came from Google Cloud infrastructure, suggesting a rented or otherwise provisioned cloud fleet rather than a botnet of compromised consumer devices.
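The JA4H point above (561 of 566 IPs sharing one HTTP fingerprint while the scanner rotated 3,299 user-agent strings) is easiest to see in code. This added example is not from the article or the researchers it summarizes: it implements the JA4H_a and JA4H_b sections of the public JA4H layout as I understand it (cookie sections omitted) and clusters constructed request records by that fingerprint; the sample IPs, header sets, user-agents and paths are all constructed.

```python
"""Added example: simplified JA4H-style fingerprint (JA4H_a/_b only) plus clustering."""
import hashlib
from collections import defaultdict

def ja4h_ab(method, version, headers):
    """JA4H_a + '_' + JA4H_b; headers is an ordered list of (name, value)."""
    lower = [n.lower() for n, _ in headers]
    has_cookie = "c" if "cookie" in lower else "n"
    has_referer = "r" if "referer" in lower else "n"
    # Cookie/Referer are excluded from count and hash; header VALUES are never hashed.
    counted = [n for n, _ in headers if n.lower() not in ("cookie", "referer")]
    lang = "0000"  # first four alphanumerics of Accept-Language, zero-padded
    for n, v in headers:
        if n.lower() == "accept-language":
            lang = ("".join(c for c in v.lower() if c.isalnum()) + "0000")[:4]
    ja4h_a = f"{method[:2].lower()}{version}{has_cookie}{has_referer}{len(counted):02d}{lang}"
    ja4h_b = hashlib.sha256(",".join(counted).encode()).hexdigest()[:12]
    return f"{ja4h_a}_{ja4h_b}"

def cluster_by_fingerprint(records):
    """Group (src_ip, method, version, headers, path) records by fingerprint."""
    stats = defaultdict(lambda: {"ips": set(), "uas": set(), "paths": set()})
    for ip, method, version, headers, path in records:
        s = stats[ja4h_ab(method, version, headers)]
        s["ips"].add(ip)
        s["uas"].add(dict((n.lower(), v) for n, v in headers).get("user-agent", ""))
        s["paths"].add(path)
    return stats

def ua_rotation_clusters(stats, min_ips=3, min_uas=3):
    """Flag one request shape seen from many IPs under many User-Agents."""
    return {fp: s for fp, s in stats.items()
            if len(s["ips"]) >= min_ips and len(s["uas"]) >= min_uas}

# Constructed sample traffic (documentation IPs, not real IoCs): one scanner with
# a fixed header set and rotating UAs, plus one browser with a different shape.
def scanner_headers(ua):
    return [("Host", "example.test"), ("User-Agent", ua), ("Accept", "*/*"),
            ("Accept-Encoding", "gzip"), ("Connection", "close")]
SAMPLE = [
    ("198.51.100.10", "GET", "11", scanner_headers("BlackBerry9700/5.0.0.351"), "/.env"),
    ("198.51.100.11", "GET", "11", scanner_headers("Mozilla/5.0 (Linux; Android 2.3.6)"), "/.git/config"),
    ("198.51.100.12", "GET", "11", scanner_headers("Mozilla/4.0 (compatible; MSIE 6.0)"), "/.env"),
    ("203.0.113.5", "GET", "11", [("Host", "example.test"), ("User-Agent", "Mozilla/5.0 Firefox/120.0"),
     ("Accept", "text/html"), ("Accept-Language", "en-US,en;q=0.5"),
     ("Accept-Encoding", "gzip, deflate, br"), ("Connection", "keep-alive")], "/"),
]

if __name__ == "__main__":
    for fp, s in ua_rotation_clusters(cluster_by_fingerprint(SAMPLE)).items():
        print(fp, len(s["ips"]), "IPs,", len(s["uas"]), "UAs,", sorted(s["paths"]))
```

The three scanner records collapse to a single fingerprint despite three different user-agents, while the browser record lands in its own cluster because its header set (count and Accept-Language) differs.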

Hottest takes

"One dude in 3,299 fake mustaches" — @packetpanic
"This isn’t hacking, it’s extreme couponing for secrets" — @rootedandtooted
"The real vulnerability is everyone storing treasure in files named .env" — @snarksec
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.