Smart Slider 3 Pro Supply Chain Attack: A Fully Weaponized Remote Access Toolkit Distributed via Official Updates + Video

Listen to this Post

Featured Image

Introduction:

The software supply chain has once again proven to be the most vulnerable link in cybersecurity. Threat actors hijacked the official update infrastructure of Nextend, the developer of the Smart Slider 3 Pro plugin for WordPress and Joomla, to distribute a maliciously backdoored version (3.5.1.35) directly to unsuspecting users. This incident, described by Patchstack as a “textbook supply chain compromise,” rendered traditional perimeter defenses irrelevant, as the attack originated from a trusted and digitally signed source.

Learning Objectives:

  • Understand the mechanics of a sophisticated software supply chain attack and its multi-stage payload capabilities.
  • Learn how to detect hidden administrator accounts, backdoor files, and malicious database entries on compromised WordPress and Joomla installations.
  • Master step-by-step incident response, containment, and remediation procedures, including server rollback and credential rotation.

You Should Know:

  1. The Anatomy of the Smart Slider 3 Pro Backdoor
    The trojanized update (version 3.5.1.35) was available for approximately six hours on April 7, 2026, turning a routine plugin update into a “fully weaponized remote access toolkit”. The sophisticated payload includes multiple independent persistence mechanisms and backdoors:
  • Pre-authenticated Remote Code Execution (RCE): The malware achieves RCE without any prior authentication via custom HTTP headers like `X-Cache-Status` and X-Cache-Key. The latter contains malicious code passed directly to shell_exec().
  • Hidden Administrator Account: It creates a rogue admin user (e.g., `wpsvc_a3f1` or wp_maint_xxxx) and hides it from the WordPress admin panel by tampering with the `pre_user_query` and `views_users` filters.
  • Credential Storage & Exfiltration: Credentials are stored in Base64-encoded JSON format within the `_wpc_uinfo` WordPress option. The malware exfiltrates site URL, database name, and plaintext passwords to the C2 domain wpjs1[.]com.
  • Redundant Persistence: The backdoor plants itself in three critical locations: as a must-use plugin (object-cache-helper.php), appended to the active theme’s functions.php, and as a core file mimic (class-wp-locale-helper.php in wp-includes).
  1. Immediate Detection: Finding the Needle in the Haystack
    If you suspect your site is compromised, immediate manual inspection is critical. Run these commands to identify the most common indicators of compromise (IOCs):

For Linux/macOS (via SSH):

 Search for the backdoor PHP files
sudo find /path/to/wordpress -type f ( -name "object-cache-helper.php" -o -name "class-wp-locale-helper.php" ) -ls

Grep for malicious C2 domain or suspicious code in PHP files
sudo grep -r "wpjs1.com" /path/to/wordpress
sudo grep -r "shell_exec" /path/to/wordpress/wp-content/

Check for recently modified PHP files in core directories
sudo find /path/to/wordpress/wp-includes -name ".php" -mtime -7 -ls

For Windows Server (via PowerShell):

 Search for backdoor files
Get-ChildItem -Path C:\inetpub\wwwroot -Recurse -Include "object-cache-helper.php", "class-wp-locale-helper.php" | Select FullName

Search for malicious string in files
Get-ChildItem -Path C:\inetpub\wwwroot -Recurse -Include ".php" | Select-String -Pattern "wpjs1.com"

Find recently modified PHP files
Get-ChildItem -Path C:\inetpub\wwwroot\wp-includes -Recurse -Include ".php" | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)}

Database Query for Hidden Admin Users:

-- Connect to your WordPress database and run this query
SELECT  FROM wp_users WHERE user_login LIKE '%wpsvc_%' OR user_login LIKE '%wp_maint_%';
SELECT  FROM wp_options WHERE option_name LIKE '%<em>wpc</em>%';

3. Containment and Remediation: The Ultimate Cleanup Guide

Follow this strict, sequential guide to ensure complete eradication of the malware.

Step 1: Immediate Containment

Place your website into maintenance mode immediately to prevent further attacker access while you work on remediation.

Step 2: Server Rollback (The Gold Standard)

If you have a clean backup, this is the most reliable method. Roll back your entire server environment to a backup created before April 5, 2026 to ensure no malicious files or database entries persist.

Step 3: Manual Cleanup (If No Backup Exists)

Proceed with extreme caution. The malware is designed to be resilient.
– Update the plugin immediately to version 3.5.1.36, which removes the primary infection vector.
– Manually delete the three persistent backdoor files listed above.
– In your database, delete any rows from `wp_options` where `option_name` is _wpc_ak, _wpc_uid, or _wpc_uinfo.
– Delete any rogue admin users from the `wp_users` table.
– Regenerate all WordPress salts and security keys in your `wp-config.php` file.
– Change the passwords for all legitimate administrator accounts, database users, and hosting control panel.

4. Hardening Against Future Supply Chain Attacks

This incident is a wake-up call for the entire WordPress ecosystem. Implement these architectural defenses:

  • Enforce the Principle of Least Privilege: Use a dedicated, low-privileged system user for web server processes. Avoid running the web server as root or with unnecessary sudo privileges.
  • Implement a Web Application Firewall (WAF): Configure rules to block requests containing suspicious HTTP headers (like X-Cache-Key) or attempts to call dangerous PHP functions like shell_exec().
  • Establish Robust Backup and Rollback Procedures: Implement automated, off-server backups with versioning. Regularly test your restoration process, not just the backup creation.
  • Adopt a “Zero-Trust” Update Policy: Stage and test all updates in a non-production environment first. Monitor official changelogs and security advisories before deploying updates to production.

5. Strengthening API and Cloud Hardening

For sites utilizing external services or cloud infrastructure, a compromised plugin can be a pivot point. Secure your API keys and cloud credentials:

  • Rotate API Keys Immediately: After an incident, revoke and regenerate all API keys, including those for cloud storage, CDNs, email services, and payment gateways.
  • Audit Cloud IAM Policies: Review your cloud provider’s Identity and Access Management (IAM) policies for any unauthorized roles or overly permissive access that could have been leveraged.
  • Enable Detailed CloudTrail Logging: Ensure comprehensive logging is enabled for your cloud environment to detect anomalous behavior originating from your web server.
  • Segment Your Network: Use Virtual Private Cloud (VPC) security groups and network ACLs to isolate your web server from other critical internal resources, limiting the blast radius of a compromise.

What Undercode Say:

  • Trust is the primary attack vector. This incident demonstrates that security teams must stop implicitly trusting vendor update mechanisms and start implementing defense-in-depth strategies at every layer.
  • The distinction between a “vulnerability” and a “backdoor” is critical. This was not a simple bug; it was a malicious, multi-layered persistence toolkit designed for complete site takeover, requiring forensic-level cleanup.
  • The future of CMS security lies in immutable infrastructure. Relying on post-infection scans is a losing battle. Moving to ephemeral, containerized deployments that can be rapidly re-deployed from a known-good state is the only long-term solution to supply chain attacks of this nature.

Prediction:

This attack marks a dangerous evolution in software supply chain compromises. We will see an increase in similar “trojanized update” campaigns targeting high-value plugins and themes across all major CMS platforms. The security industry will respond by shifting focus from traditional vulnerability scanning to continuous, runtime-based integrity monitoring and AI-driven behavioral analysis of plugin code execution. For website owners, the era of “set and forget” automatic updates is over, to be replaced by immutable infrastructure and zero-trust update pipelines.

▶️ Related Video (74% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Hackermohitkumar Smart – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky