Agents
WordPress Plugin Supply Chain Attack Resurfaces: 30+ Plugins Backdoored for 8 Months, Activated April 5
Fireship's coverage brings renewed attention to the April 2026 WordPress supply chain attack: an individual purchased 30+ plugin codebases in August 2025, injected PHP deserialization backdoors disguised as compatibility updates, and activated them April 5-6. The malware served SEO spam exclusively to Googlebot while appearing normal to humans. WordPress.org removed 25+ plugins in a single day on April 7. The 8-month dormancy period between injection and activation represents a new benchmark for supply chain attack patience.
Source
↳ Follow the thread