ASH MERIDIAN Targets Newsrooms

A cyber threat group that defensive researchers have designated ASH MERIDIAN is conducting a credential-harvesting campaign against journalists and editors at major national news organizations, according to two incident responders at Fortune 500 firms familiar with the investigation. The campaign, active since mid-January 2026, uses fake freelance collaboration invitations sent from compromised accounts on established contractor platforms, the responders said.

The goal of the operation is to gain access to internal editorial systems, pre-publication drafts, and reporter contact lists, according to a federal cybersecurity contractor familiar with the investigation. The contractor said the activity has been observed at broadcast networks, wire services, and several large metropolitan newspapers. The campaign does not appear to rely on unpatched software vulnerabilities, the contractor said, but instead exploits trusted workflows between newsrooms and external contributors.

The fake invitations typically reference an urgent story or editorial project and direct recipients to a malicious landing page that mimics a legitimate collaboration platform, the incident responders said. Victims who enter credentials are prompted to approve an OAuth grant for a fake application named Editorial Bridge or Press Sync, the responders said. Once granted, the application can access email, cloud storage, and internal chat channels.

One incident responder said the campaign has affected at least a dozen newsroom accounts since Jan. 15, with a notable increase in volume during the final week of January. The responder said the activity is expected to intensify around Feb. 12 through Feb. 14, coinciding with major political events and earnings releases that create high-volume newsroom traffic.

Sector-Wide Defensive Response

Security teams at multiple media companies have begun coordinating through an industry information-sharing group, according to a CISO briefed on the activity. The CISO said member organizations are auditing all accounts tied to freelance platforms, reviewing OAuth grants for editorial applications, and enforcing multi-factor authentication on content management systems. The CISO requested anonymity because the discussions involve active incident response.

The federal cybersecurity contractor said ASH MERIDIAN's infrastructure overlaps with activity previously attributed to a group that targeted academic and legal publishing organizations in 2024 and 2025. The contractor said the shift toward journalism represents an expansion of targeting rather than a new actor. Researchers have not assigned a nationality to the group, the contractor added.

Two incident responders said the landing pages used in the campaign were registered between Dec. 18, 2025, and Jan. 8, 2026, and use privacy protection services. The responders said the landing pages borrow design elements from widely used editorial tools, including comment and annotation interfaces. The attackers have tailored lure documents to reference actual upcoming stories in some cases, suggesting reconnaissance of public reporting calendars, the responders said.

The CISO said media organizations should treat any unexpected freelance invitation as suspicious, particularly those that arrive outside normal business hours or request elevated platform permissions. The CISO also recommended that security teams revoke dormant OAuth tokens and require re-authorization for any application that accesses editorial email or file storage.

What Newsrooms Should Watch

The campaign poses a particular risk to source protection, the federal cybersecurity contractor said. Access to a reporter's email or messaging account could expose the identities of confidential sources, especially in investigations involving government or corporate subjects. The contractor said one targeted organization discovered that the attackers had searched sent mail folders for keywords related to a pending regulatory story.

Media trade groups are expected to issue a private security bulletin to members on Feb. 9 or Feb. 10, according to the CISO. The bulletin will include indicators of compromise that organizations can use to hunt for related activity, the CISO said. The CISO declined to share those indicators before the bulletin is released, citing operational security.

The incident responders said ASH MERIDIAN has shown patience in its operations, often waiting days or weeks after initial access before attempting to move laterally within a network. The responders said organizations that discover a compromised account should assume the actor has conducted additional reconnaissance and review access logs for the preceding 30 days.

Watch for a potential increase in phishing volume around Feb. 12, when several major news organizations are scheduled to publish embargoed investigations and corporate earnings coverage. Security teams should also monitor for new OAuth applications requesting permissions to editorial platforms and report suspicious domains to the industry information-sharing group.
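
The OAuth grant review recommended above (grants to the reported application names, new grants with mail, file or chat access, and dormant tokens) can be scripted against an exported grant list. The following is an added example, not code from the report or from any vendor's tooling: the export format, the scope labels, the 30-day dormancy threshold and every sample record are constructed assumptions, and only the two application names and the Jan. 15 start date come from the article.

```python
from datetime import datetime, timedelta, timezone

# App names and campaign start come from the report; all else is assumed.
LURE_APP_NAMES = {"editorial bridge", "press sync"}
SENSITIVE_SCOPES = {"mail.read", "files.read", "chat.read"}  # hypothetical labels
CAMPAIGN_START = datetime(2026, 1, 15, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=30)  # assumed dormancy threshold
NOW = datetime(2026, 2, 8, tzinfo=timezone.utc)  # fixed "today" for the sample

# Constructed sample export of OAuth grants (not real data).
SAMPLE_GRANTS = [
    {"user": "reporter1@news.example", "app": "Press Sync",
     "scopes": ["mail.read", "files.read"],
     "granted": "2026-01-28T02:14:00+00:00", "last_used": "2026-02-05T03:00:00+00:00"},
    {"user": "editor2@news.example", "app": "Docs Connector",
     "scopes": ["files.read"],
     "granted": "2025-03-01T14:00:00+00:00", "last_used": "2025-10-10T09:30:00+00:00"},
    {"user": "desk3@news.example", "app": "Calendar Helper",
     "scopes": ["calendar.read"],
     "granted": "2026-01-20T10:00:00+00:00", "last_used": "2026-02-07T11:00:00+00:00"},
    {"user": "producer4@news.example", "app": " editorial bridge",
     "scopes": ["chat.read"],
     "granted": "2026-01-16T22:40:00+00:00", "last_used": "2026-01-16T22:45:00+00:00"},
]

def review_grant(grant, now):
    """Return the reasons a grant needs review (empty list if none)."""
    reasons = []
    granted = datetime.fromisoformat(grant["granted"])
    last_used = datetime.fromisoformat(grant["last_used"])
    sensitive = SENSITIVE_SCOPES & set(grant["scopes"])
    if grant["app"].strip().lower() in LURE_APP_NAMES:
        reasons.append("lure-app-name")        # revoke and investigate
    if sensitive and granted >= CAMPAIGN_START:
        reasons.append("new-sensitive-grant")  # confirm with the user
    if sensitive and now - last_used > DORMANT_AFTER:
        reasons.append("dormant-token")        # revoke, require re-authorization
    return reasons

def audit(grants, now):
    """Map (user, app) to review reasons for every grant that has any."""
    findings = {}
    for grant in grants:
        reasons = review_grant(grant, now)
        if reasons:
            findings[(grant["user"], grant["app"])] = reasons
    return findings

if __name__ == "__main__":
    for (user, app), reasons in audit(SAMPLE_GRANTS, NOW).items():
        print(f"{user}\t{app.strip()}\t{', '.join(reasons)}")
```

Matching on display name alone is weak, since an application can be renamed; the scope and dormancy checks still catch a renamed application that holds mail, file or chat access.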