They Hid Malware Inside a Software Update — And 800,000 Websites Were the Target
Hackers broke into the update system for one of WordPress's most popular plugins and pushed a backdoored version to every site that clicked "update." Here's exactly what happened, why supply chain attacks are so dangerous, and what every business running a website needs to know.
Imagine doing everything right. Your website is up to date. You apply software updates promptly, because you've been told that's how you stay secure. You click "Update Plugin." And in that moment — by doing the responsible thing — you install a full backdoor on your own website.
That's exactly what happened to an unknown number of businesses this week. Hackers broke into the update infrastructure for Smart Slider 3 Pro, a WordPress plugin installed on over 800,000 websites, and pushed a malicious version through the official update channel. Any site that updated in the window between the compromise on April 7 and its detection approximately six hours later received what security researchers called "a fully weaponized remote access toolkit."
This is a supply chain attack. It's one of the most dangerous categories of cyberattack — and it's becoming more common every year.
What happened — and what the malware actually did
Smart Slider 3 Pro is one of the most widely used WordPress plugins for building image sliders and visual layouts on websites. On April 7, 2026, an unauthorized party broke into Nextend's update server — the system responsible for distributing plugin updates — and replaced the legitimate update with a malicious version they had built themselves.
The malicious version was not a simple piece of malware. Security researchers at Patchstack described it as a "multi-layered persistence toolkit" — meaning it was designed to survive discovery and removal attempts. Here's what it did once installed:
✗ Enabled remote attackers to execute any system command via hidden HTTP headers — no login required
✗ Created a hidden administrator account with a random username that was invisible to the site owner
✗ Stole the admin username, password, and email in plain text and sent them to the attackers' server
✗ Stole the WordPress database name and authentication keys
✗ Planted backdoors in three separate locations to survive plugin removal
✗ Installed a "must-use plugin" that loads automatically and cannot be disabled from the WordPress dashboard
✗ Reported the full site details, credentials, and installed persistence methods to the attackers' command server
"This incident is a textbook supply chain compromise — the kind that renders traditional perimeter defences irrelevant. Firewall rules, nonce verification, role-based access controls — none of them apply when the malicious code is delivered through the trusted update channel." — Patchstack Security Research
What makes supply chain attacks so dangerous
Traditional cyberattacks have a pattern you can defend against. An attacker sends a phishing email — you train staff not to click suspicious links. An attacker tries to exploit a vulnerability — you patch your software. An attacker tries to brute-force a password — you enable MFA.
Supply chain attacks flip this entirely. Instead of attacking your defences directly, they attack the software you trust — and use your own update process to deliver the malware. Your firewall doesn't flag it. Your antivirus doesn't catch it. Your staff didn't click anything suspicious. The malware arrived because you trusted your software provider. And you should have been able to.
IBM's 2026 X-Force report documented that large supply chain and third-party compromises have nearly quadrupled since 2020. This week's Smart Slider incident is a reminder that these attacks don't only target enterprise software — they target the everyday tools that small and medium businesses rely on for their websites, their operations, and their customers.
If you run Smart Slider 3 Pro — act now
If your website uses Smart Slider 3 Pro and you applied any updates around April 7, 2026, treat your site as potentially compromised until you've completed a full check. The safe versions are 3.5.1.34 and earlier, or the clean replacement 3.5.1.36. The malicious version was 3.5.1.35.
Log into WordPress and check which version of Smart Slider 3 Pro is installed. If you see version 3.5.1.35, your site has been compromised. Update to 3.5.1.36 — but be aware that updating alone does not remove the backdoors already installed.
Nextend recommends rolling back to a backup from April 5 or earlier to ensure all malicious code is removed. If you don't have a backup from that date — or any backup at all — that's a critical gap that needs fixing regardless of this incident.
The malware creates administrator accounts with names like "wpsvc_a3f1" that are hidden from the normal WordPress admin interface. These accounts won't show up in your Users panel. You'll need to check your database directly or use a security plugin to find them.
Reset all WordPress admin passwords, your database user password, and your FTP and SSH credentials. If your admin password was in the system while the malicious version was running, assume it was stolen. Also change your hosting account credentials.
The malware planted backdoors in multiple locations including your active theme's functions.php, a "must-use" plugins directory, and cache folders. These persist even after removing the plugin. A full malware scan using a WordPress security plugin like Wordfence is essential — ideally done by a professional IT provider.
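The script below is an added example, not code from this article, Nextend or Patchstack: it reads WordPress plugin headers to spot version 3.5.1.35 and lists files to review in the three persistence locations named above. It assumes the standard wp-content layout, that the plugin's header name contains "Smart Slider 3", that "cache folders" means wp-content/cache, and a cutoff of April 6, 2026 derived from the recommended backup date.

```python
import json
import re
import sys
from datetime import datetime, timezone
from pathlib import Path

BAD_VERSION = "3.5.1.35"  # malicious release named in the article
# Assumption: anything changed after the last known-good backup date needs review.
CUTOFF = datetime(2026, 4, 6, tzinfo=timezone.utc).timestamp()

def plugin_versions(wp_root, name="Smart Slider 3"):
    """Map plugin main file -> Version header for plugins whose name matches."""
    found = {}
    for php in Path(wp_root, "wp-content", "plugins").glob("*/*.php"):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top
        title = re.search(r"Plugin Name:\s*(.+)", head)
        version = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", head, re.M)
        if title and version and name.lower() in title.group(1).lower():
            found[str(php)] = version.group(1)
    return found

def persistence_candidates(wp_root, cutoff=CUTOFF):
    """Files to inspect by hand in the locations the article lists."""
    content = Path(wp_root, "wp-content")
    hits = list(content.glob("mu-plugins/**/*.php"))   # every must-use plugin
    hits += list(content.glob("cache/**/*.php"))       # PHP in a cache dir (assumed path)
    # mtime can be reset by an attacker, so also diff functions.php against a backup.
    hits += [p for p in content.glob("themes/*/functions.php")
             if p.stat().st_mtime >= cutoff]
    return sorted(str(p) for p in hits)

def triage(wp_root):
    versions = plugin_versions(wp_root)
    return {
        "compromised_version": sorted(p for p, v in versions.items()
                                      if v == BAD_VERSION),
        "versions": versions,
        "review": persistence_candidates(wp_root),
    }

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(json.dumps(triage(root), indent=2))
```

An empty result does not clear the site: the hidden administrator accounts live in the database rather than on disk, and file timestamps can be forged.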
The bigger lesson for every Ontario business
You don't have to use Smart Slider 3 Pro for this incident to be relevant to your business. The lesson here is about the nature of supply chain risk — and every business that runs a website, uses SaaS tools, or relies on third-party software is exposed to it.
The three things that make businesses most resilient against supply chain attacks are: regular backups that can be restored quickly, monitoring that detects unexpected changes to websites and systems, and an IT partner who is watching for exactly these kinds of incidents — before you read about them in the news.
"A supply chain attack is where the official update channel itself becomes the malware delivery system. Every site that updates is willingly installing the backdoor." — mySites.guru Security Analysis
At 247Techify we monitor the digital environments of Ontario businesses for exactly these kinds of threats — tracking security advisories, watching for unexpected site changes, and making sure that when incidents like this week's Smart Slider attack happen, our clients are protected and notified before they become victims.
If you're not sure who's watching your website and business systems — or whether your backups would actually work if you needed them — a free IT review is the fastest way to find out.