Hackers Hijack WordPress Sites to Spread Malware on Windows & Mac

Hackers are actively exploiting outdated versions of WordPress and its plug-ins to compromise thousands of websites, tricking visitors into downloading and installing malware, according to security researchers.
The cyberattack, which remains ongoing, was discovered by web security firm c/side. Its founder and CEO, Simon Wijckmans, told TechCrunch on Tuesday that the hackers’ objective is to distribute malware capable of stealing passwords and personal data from both Windows and Mac users. Some of the affected sites rank among the most visited on the internet.
Massive-Scale Hacking Campaign
Security researcher Himanshu Anand, who detailed the findings, described the attack as “spray and pay”, meaning it indiscriminately targets any visitor rather than focusing on specific individuals or groups.
When a user visits a compromised WordPress site, the page content swiftly changes to display a fake Chrome browser update prompt, urging the visitor to download an update to continue viewing the website. If the visitor accepts, they are prompted to install a malicious file that varies depending on whether they are using Windows or macOS.
C/side researchers identified over 10,000 compromised websites. By conducting reverse DNS lookups and crawling malicious domains, they traced several interconnected sites hosting the attack.
WordPress Responds
Wijckmans said that Automattic, the company behind WordPress.com, was notified about the attack and provided with a list of malicious domains. While the company acknowledged receipt of the information, WordPress spokesperson Megan Fox did not provide a comment before publication. Later, Automattic clarified that third-party plugin security is the responsibility of individual developers, stating: “There are specific guidelines that plugin authors must consult and adhere to, ensuring the overall quality of their plugins and the safety of users. Additionally, they have access to a Plugin Handbook covering numerous security topics, including best practices and managing plugin security.”
From WordPress to Password-Stealing Malware
Hackers are leveraging this attack to distribute two forms of malware:
- Amos (Amos Atomic Stealer) – Targets Mac users and is designed to steal usernames, passwords, session cookies, cryptocurrency wallets, and other sensitive data.
- SocGholish – Specifically targets Windows users.
Amos, classified as an “infostealer”, was first documented in a 2023 report by cybersecurity firm SentinelOne. The malware follows a malware-as-a-service model, where its creators sell access to cybercriminals who deploy it. Patrick Wardle, co-founder of Apple-focused cybersecurity startup DoubleYou, noted that while Amos is a prolific macOS infostealer, it still requires the victim to manually run the malicious file and bypass Apple’s built-in security protections.
While this hacking campaign is not the most sophisticated, it serves as a critical reminder to always update browsers through official software update features and install only trusted applications.
Wider Cybersecurity Implications
Password-stealing malware remains a major cybersecurity threat, contributing to some of the largest data breaches in history. In 2024, hackers used stolen credentials to breach corporate accounts hosted on Snowflake’s cloud computing platform, highlighting the severe consequences of compromised login information.
As these attacks continue, users are advised to remain vigilant, update their software regularly, and avoid downloading updates from unverified sources.