UNKNOWN threat actors hijacked the update system for the Smart Slider 3 Pro plugin, affecting Smart Slider 3 Pro version 3.5.1[.]35 for WordPress, which Patchstack says was distributed through an attacker-authored build via the official update channel after unauthorized access to Nextend’s update infrastructure. The rogue update remained accessible for about six hours after its release on 7 April 2026 before it was detected and pulled, and Nextend confirmed the unauthorized access to its update system.
The trojanized update included the ability to create rogue administrator accounts and drop backdoors that execute system commands remotely via HTTP headers, with multiple persistence locations such as a must-use plugin file and modified theme and core PHP files, and it exfiltrated data to a C2 domain.
Patchstack notes the malware can achieve pre-authenticated remote code execution, run arbitrary PHP code, create a hidden administrator account, and exhaustively exfiltrate site details to wpjs1[.]com, illustrating a sophisticated supply-chain compromise. Users are advised to update to version 3.5.1[.]36 and follow cleanup steps, including removing rogue accounts and persistence files, reinstalling a clean plugin, and resetting credentials. According to Patchstack, the incident underscores the risk of trusted update channels being abused in a supply-chain attack.