The Point: Attackers infiltrated a WordPress plugin provider’s update system and distributed infected versions to subscribers.
Multiple WordPress plugins from ShapedPlugin were compromised in a supply-chain attack and distributed malware via the manufacturer’s official update system to paying customers.
The attack targeted ShapedPlugin’s update management system, a provider of several popular WordPress extensions. The intruders gained access to the distribution mechanism and were able to disguise infected releases as legitimate updates – with direct delivery to end customers via the official update framework.
For CISOs, this attack embodies a fundamental risk in managing third-party components: trust in manufacturer update channels is not automatically justified. While administrators typically enable automatic updates to close security vulnerabilities, they thereby become precisely the supply-chain attack points that attackers exploit. The compromise affected paying customers with active subscriptions.
Remedial actions should include verification of affected ShapedPlugin plugin deployment in inventory, isolation and forensic analysis of affected systems, and validation of update signatures. In general, the automation of updates should be critically evaluated and secondary verification mechanisms (code review, integrity checking) should be established.
Source: www.bleepingcomputer.com · Published June 18, 2026
Lumi AI News — AI-assisted curation per Article 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.7.1.