
Threats Tagged 'backdoor'

View all threats tagged with 'backdoor'. Filter and sort to focus on specific types of threats.

ShapedPlugin supply-chain attack backdoored Pro plugin updates, stealing credentials and 2FA secrets

Between April and June 2026, attackers compromised the build and distribution pipeline of ShapedPlugin, a WordPress plugin vendor, injecting backdoors into Pro plugin updates. The malicious updates deployed malware that steals credentials, including two-factor authentication (2FA) secrets, and grants attackers full site access. The infection involves a loader that installs a disguised fake plugin with a REST API backdoor, webshell, and hardcoded admin login bypass. The attack targeted paying customers via official update channels, while free plugins remained clean. Site owners who installed or updated ShapedPlugin Pro plugins during this period should immediately scan for infections, rotate credentials, and revoke 2FA secrets.

OptinMonster supply chain attack hits 1.2 million sites

An active supply-chain attack targeted over 1.2 million WordPress sites using OptinMonster, TrustPulse, and PushEngage plugins operated by Awesome Motive. Attackers injected malicious JavaScript into legitimate files served through Awesome Motive's CDN endpoints. The malware activates when a logged-in administrator accesses the site, creating backdoor admin accounts (developer_api1 and randomized dev_xxxxxx accounts) and installing a self-hiding PHP plugin. The backdoor provides unauthenticated code execution through a web shell and eval endpoint. Stolen credentials are exfiltrated to tidio.cc, a lookalike domain mimicking the legitimate tidio.com. The breach likely originated from compromised Awesome Motive servers or their BunnyNet CDN account. The campaign began in late April 2026 and remained active through mid-June, affecting OptinMonster (over 1 million installations), TrustPulse, and PushEngage users.

Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor

A financially motivated cybercrime cluster designated CL-CRI-1089 has launched Operation FlutterBridge, deploying FlutterShell backdoor malware targeting macOS systems through malvertising. Built with the Flutter framework, FlutterShell masquerades as legitimate applications including podcast players and PDF viewers, delivering adware with full backdoor capabilities such as shell command execution and file system manipulation. The malware uses a WebView-based architecture with a JavaScript-to-native bridge, allowing attackers to dynamically modify behavior without recompiling. Distribution occurs through hundreds of Google-verified advertisements controlled by shell companies including AdsParkPro LTD and Advantage Web Marketing LLC. The campaign primarily targets Anglophone and Western European markets. All samples were signed with valid Apple Developer IDs and successfully passed notarization, initially achieving zero detections on VirusTotal. The malware hijacks Google Chrome browsers, redirecting traffic ...

JSMonoGlyphRAT: The Persistent Backdoor Targeting US Businesses

JSMonoGlyphRAT is a persistent backdoor malware actively targeting US enterprises, primarily delivered via phishing emails disguised as purchase orders, quotes, and business proposals. It has been confirmed to affect organizations in technology, telecom, education, and MSSP sectors. The malware is notable for evading most antivirus detection tools. Once installed, it enables attackers to deploy ransomware, steal data, and disrupt business operations. There is no information on available patches or official remediation. The threat is currently assessed as medium severity based on its impact and targeting profile.

@redhat-cloud-services npm scope backdoored with valid signed SLSA provenance; recovered the GitHub commit-search dead-drop C2 markers

On June 1, 2026, multiple npm packages within the @redhat-cloud-services scope were republished with a malicious install-time payload that re-armed repeatedly despite registry purges. The attacker exploited GitHub Actions workflows to produce valid signed SLSA provenance and npm audit signatures, bypassing typical trust mechanisms. The malware uses a GitHub commit-search based command-and-control (C2) dead-drop, avoiding hardcoded hosts. It activates only in CI environments and quickly attempts to steal credentials such as AWS, SSH, Git, and Docker config files. Detection is possible by monitoring package integrity and behavioral checks at publish time. No official patch or remediation guidance is provided in the source data.
