WordPress Plugin Backdoor Attack Hits Thousands of Sites

A sophisticated supply chain attack has compromised dozens of WordPress plugins, potentially exposing thousands of websites to malicious code. The incident, first reported by security researcher Austin Ginder, involves backdoors planted by a new corporate owner of the plugin developer Essential Plugin. This WordPress plugin backdoor attack highlights the growing risk of plugin ownership changes going unnoticed by site administrators.

According to Ginder, the backdoor was inserted into the source code of multiple plugins after an anonymous buyer acquired Essential Plugin last year. The malicious code remained dormant for months before activating earlier this month, distributing harmful payloads to any site running the affected plugins. WordPress’s plugin directory shows that over 20,000 active installations are impacted, while Essential Plugin claims more than 400,000 installs and 15,000 customers.

How the WordPress Plugin Backdoor Attack Works

Plugins are essential for extending WordPress functionality, but they also grant deep access to a website’s core files. In this case, the attackers exploited that trust. The backdoor allowed them to inject arbitrary code into websites, potentially stealing data, redirecting traffic, or installing further malware.

What makes this attack particularly dangerous is the lack of transparency. WordPress does not notify users when a plugin changes ownership. As a result, site owners may unknowingly run software controlled by malicious actors. Ginder warns that this is the second plugin hijacking discovered in as many weeks, suggesting a broader trend.

Affected Plugins and Immediate Steps

The compromised plugins have been removed from the WordPress directory, with their status listed as “permanent” closure. However, if you have any of these plugins installed, they may still be active on your site. Ginder has published a full list of affected plugins on his blog.

To protect your website, follow these steps immediately:

• Check your installed plugins against the affected list.
• Delete any compromised plugins completely—not just deactivate them.
• Scan your site for malware using a reputable security plugin like Wordfence.
• Change all admin passwords and review user accounts for suspicious activity.

Security researchers have long warned about the risks of supply chain attacks in open-source ecosystems. When a plugin changes hands, the new owner can alter its code without users’ knowledge, turning a trusted tool into a vector for attack.

Why Plugin Ownership Changes Are a Security Blind Spot

WordPress powers over 40% of all websites, making it a prime target for attackers. Plugin developers often sell their products to third parties, but the platform provides no automated alert system for ownership transfers. This leaves site owners vulnerable to what security experts call “plugin hijacking.”

In this case, the backdoor was added shortly after the sale and remained hidden for months. The delayed activation suggests a planned, patient attack designed to maximize impact. Ginder believes that similar attacks may already be underway on other plugins.

What the Industry Can Learn

This incident underscores the need for better security practices in the WordPress ecosystem. Plugin directories should implement ownership change notifications, and site owners should regularly audit their plugins for unusual behavior. Additionally, using a comprehensive WordPress security checklist can help mitigate risks.

Representatives for Essential Plugin have not responded to requests for comment. Meanwhile, the WordPress community is urging users to remain vigilant and report any suspicious plugin activity.

Final Thoughts on the WordPress Plugin Backdoor Attack

This WordPress plugin backdoor attack serves as a stark reminder that trust in third-party code must be earned and verified. As supply chain attacks become more common, site owners must take proactive steps to secure their installations. Removing compromised plugins, monitoring for anomalies, and staying informed about security advisories are essential practices.

Have you checked your WordPress plugins today? If not, now is the time to act before your site becomes the next victim.

Anodot Breach: Over a Dozen Companies Face Extortion After Hackers Steal Cloud Tokens

A recent Anodot breach has reportedly compromised data from at least a dozen companies, leaving them vulnerable to extortion and the threat of leaked information online. The incident, first reported by Bleeping Computer and later confirmed by BBC News, involves the notorious ShinyHunters hacking group, which is demanding ransom payments to prevent the release of stolen data.

This attack is yet another example of cybercriminals targeting software providers to infiltrate multiple organizations simultaneously. Anodot, a business monitoring platform used by corporate clients to detect revenue-impacting outages, disclosed on its status page that the breach began on April 4, when its data connectors failed, blocking customers from accessing cloud-stored data.

How the Anodot Breach Unfolded

According to reports, hackers broke into Anodot’s systems and stole authentication tokens that customers rely on to access their cloud data. Using these tokens, the attackers exfiltrated vast amounts of sensitive information from cloud storage. One major cloud provider, Snowflake, detected “unusual activity” in certain data stores and cut off Anodot customers from their data, as noted by Bleeping Computer.

The breach highlights a growing trend: cybercriminals targeting software vendors to gain access to multiple corporate networks at once. In this case, the stolen tokens acted as a master key, allowing ShinyHunters to bypass security measures across numerous companies.

Rockstar Games Among Affected Companies

One confirmed victim is Rockstar Games, the developer behind Grand Theft Auto and Max Payne. Kotaku reported that the gaming giant was caught in the Anodot breach. Rockstar spokesperson Murphy Siegel told TechCrunch in a statement: “We can confirm that a limited amount of non-material company information was accessed in connection with a third-party data breach. This incident has no impact on our organization or our players.”

This is not the first time Rockstar has faced a security incident. In 2022, hackers stole and published an early trailer for Grand Theft Auto VI. However, the company insists this latest breach is minor.

ShinyHunters: The Group Behind the Attack

ShinyHunters is a group of primarily English-speaking hackers known for data theft and extortion. They excel at social engineering, often impersonating IT help desk staff to trick employees into granting access to accounts or systems. Their focus has shifted to companies like Anodot, Gainsight, and Salesloft, which store large datasets in cloud environments.

In the past year, ShinyHunters has targeted these platforms to steal passwords and tokens. In some cases, the stolen data contained tokens that enabled further breaches at other firms. This tactic amplifies the damage, turning a single breach into a chain reaction of compromises.

Snowflake did not respond to requests for comment, and Glassbox, which owns Anodot, also remained silent. For more on how to protect against such attacks, read our guide on cloud security best practices. Additionally, learn about preventing social engineering attacks to defend against groups like ShinyHunters.

What Companies Can Learn from the Anodot Breach

This incident underscores the critical need for robust access controls and token management. Companies should regularly audit their authentication tokens and limit their lifespan to reduce exposure. Furthermore, implementing multi-factor authentication and monitoring for unusual activity can help detect breaches early.

As cybercriminals become more sophisticated, organizations must treat third-party software providers as potential attack vectors. The Anodot breach serves as a stark reminder that a single vulnerability can cascade into a widespread crisis.

In conclusion, the ShinyHunters group continues to exploit weaknesses in cloud-dependent ecosystems. Businesses that store sensitive data in the cloud should reassess their security posture and consider additional layers of protection. For more insights, check out our article on ransomware defense strategies.

Middle East Hack-for-Hire Operation Linked to South Asian APT Group Targets Journalists

A sophisticated hack-for-hire operation has been uncovered in the Middle East, targeting prominent journalists and civil society figures in Egypt and Lebanon. This campaign, detected by digital rights organizations, has been traced to the Bitter advanced persistent threat (APT) group, known for its South Asian origins. The operation used spear-phishing tactics and Android malware to compromise high-profile individuals, raising alarms about the growing reach of state-sponsored cyber espionage.

How the Hack-for-Hire Operation Unfolded

In August 2025, Access Now, a global non-profit focused on digital civil rights, identified the campaign through its Digital Security Helpline. The targets included Egyptian journalists Mostafa Al‑A’sar and Ahmed Eltantawy, both vocal critics of the Egyptian government who had previously faced imprisonment. According to Access Now, the attackers launched spear-phishing attempts in October 2023 and January 2024, aiming to compromise their Apple and Google accounts.

Building on this, the attackers impersonated legitimate services and individuals, using fake profiles and messages on platforms like Signal to deliver malicious links. While Al‑A’sar entered his credentials after receiving a fake Apple notification, he avoided further engagement upon noticing a suspicious two-factor authentication alert from a distant location in Egypt. Eltantawy ignored the lures entirely, preventing any account compromise.

However, a separate attack on a Lebanese journalist, documented by the Beirut-based organization SMEX, succeeded in breaching an Apple account in 2025. The campaign began via Apple Messages and escalated through WhatsApp, using the same malicious infrastructure. Researchers noted that the attackers executed account takeovers within 30 seconds of credential submission, highlighting the speed and efficiency of this hack-for-hire operation.

ProSpy Spyware: The Tool Behind the Attacks

Mobile security firm Lookout analyzed the Android malware used in the campaign, dubbed ProSpy (also known as ToSpy by ESET). Lookout acquired 11 samples, the earliest from August 2024, revealing that ProSpy is developed in Kotlin and integrates common spyware functions like file exfiltration, contact harvesting, and microphone activation. While less sophisticated than top-tier spyware like Predator, ProSpy is actively maintained with new capabilities added over time.

The malware is distributed through two-stage attacks. First, targets are contacted via fake social media profiles or impersonated Apple Support. Then, they are tricked into clicking spear-phishing links: Apple users face fake iCloud pages, while Android users are directed to download ProSpy from deceptive domains, such as a fake ToTok app update at totok-pro[.]ai-ae[.]io. The malicious sites serve APK files in English and Arabic, using randomized URLs to evade detection.

Technical Links to the Bitter APT Group

Lookout researchers linked ProSpy to the Bitter APT group (also known as T-APT-17 and APT-C-08) through shared infrastructure and code similarities. For instance, the domain com-ae[.]net was previously tied to Bitter’s Dracarys malware. Code parallels include worker-class naming conventions and numbered command-and-control (C2) commands. Despite these links, Bitter historically targets military, energy, and government entities, not civil society. This discrepancy suggests the hack-for-hire operation may represent an expansion of Bitter’s scope or collaboration with a South Asian mercenary group, marking the first documented case of the group targeting journalists.

Broader Implications for Middle East Cyber Espionage

This campaign underscores the evolving threat landscape in the Middle East, where hack-for-hire groups increasingly target civil society. Lookout believes the operation also targeted victims in Bahrain, the UAE, Saudi Arabia, and potentially the US. For organizations and individuals, this highlights the need for robust cybersecurity measures, such as enabling two-factor authentication and verifying communication channels. Learn more about protecting against spear-phishing attacks and securing Android devices from malware.

As digital rights groups like Access Now and SMEX continue to monitor these threats, the case serves as a stark reminder of the risks faced by journalists and activists in the region. The involvement of a state-linked APT group in a hack-for-hire operation blurs the lines between state-sponsored espionage and mercenary cybercrime, demanding heightened vigilance from the international community.