ShapedPlugin supply-chain attack backdoored Pro plugin updates, stealing credentials and 2FA secrets
Between April and June 2026, attackers compromised the build and distribution pipeline of ShapedPlugin, a WordPress plugin vendor, injecting backdoors into Pro plugin updates. The malicious updates deployed malware that steals credentials, including two-factor authentication (2FA) secrets, and grants attackers full site access. The infection involves a loader that installs a disguised fake plugin with a REST API backdoor, webshell, and hardcoded admin login bypass. The attack targeted paying customers via official update channels, while free plugins remained clean. Site owners who installed or updated ShapedPlugin Pro plugins during this period should immediately scan for infections, rotate credentials, and revoke 2FA secrets.
AI Analysis
Technical Summary
Attackers compromised ShapedPlugin's build and distribution pipeline, injecting backdoor code into Pro plugin updates distributed through official licensed update channels between April and June 2026. The backdoor loader downloads a payload that installs a fake plugin disguised as a WooCommerce-related plugin, hides itself from the admin interface, registers a REST API backdoor allowing arbitrary file writes, bundles file and database management tools, and installs a webshell with command execution capabilities. A hardcoded MD5 hash allows attacker authentication as any administrator without a password. The malware specifically targets two-factor authentication by exfiltrating TOTP seeds to an attacker-controlled domain, enabling bypass of 2FA protections. The compromise was confirmed by Wordfence after obtaining a backdoored plugin from the official update endpoint. The attack is a supply chain compromise affecting at least three Pro plugins: Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. The vendor's free plugins on WordPress.org were not affected. The attack infrastructure is linked to entities tied to Russia. The compromise was automated within a narrow time window, consistent with a CI/CD pipeline breach. The attack demonstrates the evolving threat of supply chain attacks in WordPress ecosystems.
Potential Impact
The attack results in full site compromise for affected WordPress sites using ShapedPlugin Pro plugins updated between April and June 2026. Credentials including WordPress admin passwords, database credentials, API keys, and critically, two-factor authentication secrets (TOTP seeds) are stolen and exfiltrated to attacker-controlled infrastructure. This enables attackers to bypass 2FA protections and maintain persistent unauthorized access. The malware also provides attackers with remote file management and database access via bundled tools and webshells. Legitimate update channels were used to distribute the backdoored plugins, meaning site owners following best practices were still compromised. The attack affects hundreds of thousands of websites worldwide using these plugins.
Mitigation Recommendations
No official vendor advisory or patch information is provided in the input data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Affected site owners should immediately scan their WordPress installations for the presence of fake plugins such as 'woocommerce-subscription' or 'woocommerce-notification' under wp-content/plugins/. All WordPress administrator passwords, database credentials, and API keys should be rotated. Critically, all two-factor authentication secrets (TOTP seeds) must be revoked and regenerated for every user, as existing seeds are considered compromised. Site owners should monitor for unusual activity and consider restoring from backups prior to April 2026 if possible. Follow official vendor communications for updates and patches.
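The scan step above can be scripted. The following POSIX shell triage helper is an added example, not code from the advisory, from Wordfence or from ShapedPlugin. It takes only two indicators from the advisory: the two fake plugin directory names ('woocommerce-subscription', 'woocommerce-notification') and the April to June 2026 window. The function names, the default plugins path and the timestamp handling are this example's own assumptions, and the plugin directories created in the usage comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the advisory's or the vendor's code): defender-side triage of a
# WordPress plugins directory. Indicator slugs and the date window come from the advisory;
# function names and the default path below are assumptions of this example.

# Fake plugin directory names reported in the advisory.
SUSPECT_SLUGS="woocommerce-subscription woocommerce-notification"

# list_suspect_plugins PLUGINS_DIR
# Prints the path of every suspect plugin directory that exists, one per line.
list_suspect_plugins() {
    for slug in $SUSPECT_SLUGS; do
        [ -d "$1/$slug" ] && echo "$1/$slug"
    done
    return 0
}

# count_suspect_plugins PLUGINS_DIR
# Prints the number of suspect directories found (0 means none of the named indicators is present).
count_suspect_plugins() {
    list_suspect_plugins "$1" | wc -l | tr -d ' '
}

# list_files_modified_in_window PLUGINS_DIR START_TS END_TS
# Prints every regular file under PLUGINS_DIR whose mtime lies after START_TS and at or before
# END_TS. Timestamps use the touch(1) CCYYMMDDhhmm form so the check stays POSIX (find -newer
# against two reference files) instead of relying on GNU-only -newermt. Files of a Pro plugin
# that changed inside the advisory's window deserve a manual look, not an automatic verdict.
list_files_modified_in_window() {
    ref_dir=$(mktemp -d)
    touch -t "$2" "$ref_dir/start"
    touch -t "$3" "$ref_dir/end"
    find "$1" -type f -newer "$ref_dir/start" ! -newer "$ref_dir/end"
    rm -rf "$ref_dir"
}

# main [PLUGINS_DIR]  (default path is an assumption; pass your own wp-content/plugins)
main() {
    plugins_dir=${1:-/var/www/html/wp-content/plugins}
    echo "== Fake plugin directories named in the advisory =="
    list_suspect_plugins "$plugins_dir"
    echo "== Plugin files modified between 2026-04-01 and 2026-06-30 =="
    list_files_modified_in_window "$plugins_dir" 202604010000 202606302359
    if [ "$(count_suspect_plugins "$plugins_dir")" -gt 0 ]; then
        echo "RESULT: indicators present; rotate credentials and regenerate every user's TOTP seed"
    else
        echo "RESULT: no named indicators found (absence is not proof of a clean site)"
    fi
}

# Usage: sh triage.sh /path/to/wp-content/plugins
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The script only answers "are the two named directories present, and which plugin files changed in the window"; a clean result does not clear a site, because the advisory also describes a hidden REST route, a webshell and a hardcoded admin bypass whose file names are not given here. Treat any hit as confirmation that the credential and TOTP-seed rotation steps above apply.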
Reddit Discussion
Attackers backdoored ShapedPlugin Pro updates, deploying malware that steals credentials and 2FA secrets and grants full site access.
Technical Details
- Source Type
- Subreddit: cybersecurity
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":38,"reasons":["external_link","newsworthy_keywords:backdoor","established_author","recent_news"],"isNewsworthy":true,"foundNewsworthy":["backdoor"],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a3a7762eed863c81ef3f95c
Added to database: 06/23/2026, 12:09:06 UTC
Last enriched: 06/23/2026, 12:09:34 UTC
Last updated: 06/23/2026, 15:09:09 UTC