A widespread cyberattack has compromised over 10,000 WordPress websites, converting them into platforms for delivering infostealing malware to unsuspecting visitors. According to a report by cybersecurity researchers at c/side, attackers have injected malicious code into outdated WordPress versions and plugins, launching a global campaign targeting both Windows and macOS devices.
This campaign primarily deploys malware such as Atomic (AMOS) for macOS and SocGholish for Windows, using fake browser update prompts that trick users into downloading malicious software capable of stealing sensitive data.
Fake Updates, Real Threats
Once a user visits a compromised website, a fake browser update prompt appears in an iframe that overlays legitimate content. If the user clicks the prompt, they unknowingly install malware that quietly harvests:
Stored passwords
Session cookies
Cryptocurrency wallet information
Other confidential files and credentials
Researchers warn that victims often remain unaware until critical accounts are compromised or financial damage occurs.
Legacy Systems and Poor Maintenance to Blame
The attackers exploited vulnerabilities in WordPress 6.7.1 and older plugins, highlighting the ongoing risks associated with unpatched CMS platforms. By exploiting outdated site components, the attackers were able to inject persistent scripts and backdoors, allowing them to regain access even after initial cleanups.
Security experts stress that proactive maintenance is the only way to combat this growing threat. Web administrators are being urged to:
Upgrade to the latest WordPress version
Remove unused plugins and themes
Conduct deep audits for malicious code
Monitor logs to detect prior breaches
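One way to start the code audit recommended above is sketched below. It is an added example, not code from the c/side report: it walks a WordPress file tree and reports every script or iframe tag that loads from a host outside an allowlist. The allowlist, the sample tree and the .test hostnames are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts and frames from.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}
# <script src=...> / <iframe src=...> with an absolute or protocol-relative URL.
TAG_SRC = re.compile(
    r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?((?:https?:)?//[^\"'\s>]+)",
    re.IGNORECASE,
)

def audit_tree(root, allowed_hosts=ALLOWED_HOSTS):
    """Return sorted (relative_path, line_no, tag, host) tuples for external
    script/iframe sources whose host is not in allowed_hosts."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            for tag, url in TAG_SRC.findall(line):
                host = urlparse(url).hostname or ""
                if host not in allowed_hosts:
                    rel = path.relative_to(root).as_posix()
                    findings.append((rel, line_no, tag.lower(), host))
    return sorted(findings)

def build_constructed_sample(root):
    """Write a constructed theme: one clean file, one with injected tags."""
    theme = Path(root) / "wp-content" / "themes" / "sample"
    theme.mkdir(parents=True)
    (theme / "footer.php").write_text(
        '<script src="https://www.example.com/js/site.js"></script>\n'
        "<?php wp_footer(); ?>\n")
    (theme / "header.php").write_text(
        "<?php wp_head(); ?>\n"
        '<script src="//cdn.injected.test/update.js"></script>\n'
        '<iframe src="https://overlay.injected.test/prompt"></iframe>\n')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in audit_tree(build_constructed_sample(tmp)):
            print(*hit)
```

This only catches plain tags in files on disk. Obfuscated loaders and content injected into the database need separate checks, such as comparing core and plugin files against known-good copies.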
Broader Implications for Web Security
This incident is one of the largest known WordPress-targeted malware campaigns in recent memory. It underscores the rising threat of “infostealer-as-a-service”, where cybercriminals use compromised infrastructure to scale the delivery of credential theft malware across the globe.
As websites remain a primary point of contact between businesses and their customers, securing CMS platforms is now a business-critical imperative, not just an IT task.
