Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers
Supply Chain Alert: Smart Slider 3 Pro Update Infrastructure Hijacked to Spread Backdoor
TL;DR
Threat actors compromised the update infrastructure of Nextend's Smart Slider 3 Pro plugin on April 7, 2026. For a six-hour window, a poisoned update (v3.5.1.35) was distributed to users, containing a sophisticated remote access toolkit. Impacted users must immediately update to version 3.5.1.36 and perform manual cleanup to remove redundant persistence mechanisms.
The Incident: A Trusted Channel Compromised
In a significant supply chain attack, unauthorized parties gained access to Nextend’s update servers to distribute a "fully attacker-authored build" of the popular Smart Slider 3 Pro plugin.
According to security firm Patchstack and the plugin developer Nextend, the malicious version—3.5.1.35 Pro—was available through official update channels for approximately six hours on April 7, 2026, before it was detected and pulled. While the free version of the plugin remains unaffected, any Pro user who updated during that critical window received a weaponized toolkit instead of a legitimate patch.
Anatomy of the Payload
The "poisoned" update is far more than a simple web shell. Security researchers described it as a multi-layered remote access toolkit designed for deep persistence and stealth.
Key Capabilities:
- Remote Code Execution (RCE): Attackers can execute arbitrary PHP code and system commands via custom HTTP headers (`X-Cache-Status` and `X-Cache-Key`). The `X-Cache-Key` header passes code directly to the `shell_exec()` function.
- Rogue Administrator Accounts: The malware creates an invisible admin account (e.g., `wpsvc_a3f1`). It tampers with WordPress filters (`pre_user_query` and `views_users`) to ensure legitimate admins cannot see the rogue user in the dashboard.
- Stealthy Configuration: The toolkit uses custom WordPress options (like `_wpc_ak` and `_wpc_uinfo`) with the "autoload" setting disabled to avoid detection during standard database dumps.
- Data Exfiltration: Sensitive site data—including database names, plaintext admin credentials, and site versions—is exfiltrated to a command-and-control (C2) domain: `wpjs1[.]com`.
Redundant Persistence Mechanisms
What makes this attack particularly dangerous is its resilience. The malware installs itself in three separate locations to ensure that if one backdoor is deleted, others remain:
- Must-Use Plugin: A file named `object-cache-helper.php` is created to mimic a legitimate caching component.
- Theme Injection: The backdoor code is appended to the active theme's `functions.php` file.
- Core Directory: A file named `class-wp-locale-helper.php` is dropped into the `/wp-includes/` directory.
Remediation and Cleanup Steps
Nextend has released version 3.5.1.36 to resolve the issue. However, simply updating may not be enough if the backdoor has already established persistence. Impacted users are urged to perform the following:
- Update/Reinstall: Update to version 3.5.1.36 and consider a clean re-installation of the plugin.
- Account Audit: Check for and delete suspicious administrator accounts.
- Manual File Deletion: Remove the persistence files mentioned above (`object-cache-helper.php` and `class-wp-locale-helper.php`) and clean the theme's `functions.php`.
- Database Cleanup: Delete the following entries from the `wp_options` table: `_wpc_ak`, `_wpc_uid`, `_wpc_uinfo`, `_perf_toolkit_source`, and `wp_page_for_privacy_policy_cache`.
- Config Cleanup: Remove `define('WP_CACHE_SALT', '<token>');` from `wp-config.php` and the `# WPCacheSalt` line from your `.htaccess` file.
- Credential Reset: Change passwords for WordPress admins, database users, FTP/SSH, and hosting accounts.
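The following Python script is an added example, not code from Nextend, Patchstack or the source article: it walks a WordPress root and reports which of the file, configuration and `wp_options` indicators named in the cleanup steps above are present, so an operator can confirm a site is clean after the manual steps. It assumes the default `wp-content/mu-plugins/` location for the must-use plugin, and the clear-text strings it searches for in `functions.php` are an assumption, since the page does not show the appended code.

```python
from pathlib import Path
import tempfile

# Indicators taken from the write-up above (paths relative to the WordPress root).
PERSISTENCE_FILES = ("wp-content/mu-plugins/object-cache-helper.php",
                     "wp-includes/class-wp-locale-helper.php")
ROGUE_OPTIONS = {"_wpc_ak", "_wpc_uid", "_wpc_uinfo",
                 "_perf_toolkit_source", "wp_page_for_privacy_policy_cache"}
CONFIG_MARKERS = {"wp-config.php": "WP_CACHE_SALT", ".htaccess": "# WPCacheSalt"}
# Assumption (not stated on the page): the code appended to functions.php names the
# header or option it uses in clear text, so these strings are searched for.
THEME_MARKERS = ("_wpc_ak", "HTTP_X_CACHE_KEY", "X-Cache-Key")

def audit_wordpress_root(root):
    """Return one finding string per indicator present under the WordPress root."""
    root, findings = Path(root), []
    for rel in PERSISTENCE_FILES:                      # dropped backdoor files
        if (root / rel).is_file():
            findings.append(f"persistence file present: {rel}")
    for rel, marker in CONFIG_MARKERS.items():         # wp-config.php / .htaccess edits
        path = root / rel
        if path.is_file() and marker in path.read_text(errors="replace"):
            findings.append(f"{marker!r} found in {rel}")
    themes = root / "wp-content" / "themes"            # code appended to theme files
    if themes.is_dir():
        for fn in themes.glob("*/functions.php"):
            hits = [m for m in THEME_MARKERS if m in fn.read_text(errors="replace")]
            if hits:
                findings.append(f"theme markers {hits} in {fn.relative_to(root)}")
    return findings

def flag_rogue_options(option_names):
    """Return the names from a wp_options listing that match the known rogue entries."""
    return sorted(ROGUE_OPTIONS.intersection(option_names))

def build_sample_site(root):
    """Constructed sample tree reproducing the persistence layout described above."""
    root = Path(root)
    for rel in PERSISTENCE_FILES:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("<?php // constructed sample file, no payload\n")
    (root / "wp-config.php").write_text("<?php\ndefine('WP_CACHE_SALT', 'SAMPLE');\n")
    (root / ".htaccess").write_text("# WPCacheSalt\nRewriteEngine On\n")
    theme = root / "wp-content" / "themes" / "sample-theme"
    theme.mkdir(parents=True, exist_ok=True)
    (theme / "functions.php").write_text("<?php\n// constructed marker: HTTP_X_CACHE_KEY\n")

def run_demo():  # build the constructed sample site in a temp dir and audit it
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return audit_wordpress_root(tmp)
```

On a live site, point `audit_wordpress_root` at the real document root and feed `flag_rogue_options` the output of a `wp option list` or a `SELECT option_name FROM wp_options` query; an empty result from both after cleanup is the expected state.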
Conclusion
This incident serves as a stark reminder of the vulnerability of the software supply chain. As Patchstack noted, "The plugin is the malware," meaning traditional perimeter defenses like firewalls are bypassed by the trust placed in official update channels. Owners of the Smart Slider 3 Pro plugin should audit their sites immediately for any signs of version 3.5.1.35.
Source: The Hacker News