Hackers are actively exploiting outdated WordPress installations and plugins, turning the sites into traps that trick visitors into downloading malware built to steal passwords and other sensitive data. Security firm c/side has uncovered a large-scale campaign that has compromised more than 10,000 websites, making it one of the most aggressive threats currently circulating.
By injecting malicious JavaScript into vulnerable sites, the attackers replace the legitimate page with a fake Chrome update prompt, deceiving visitors into installing software that silently harvests credentials, session cookies, and financial information from both Windows and Mac devices.
Simon Wijckmans, CEO of c/side, described the attack as widespread and highly commercialized. The hackers are taking advantage of unpatched vulnerabilities in WordPress and its plugins to spread malware at scale. The firm identified infected websites through extensive internet crawls and reverse DNS lookups, uncovering a large network of compromised domains.
Researcher Himanshu Anand explained that the attack does not focus on specific individuals but instead aims to infect as many unsuspecting users as possible. He called it a “spray and pay” campaign, where anyone visiting an affected site unknowingly risks infection.
When a visitor lands on an infected website, the injected script redirects them to a deceptive Chrome update prompt. If they follow the instructions and install the so-called update, they receive one of two malware families, chosen by operating system. AMOS (Atomic macOS Stealer) targets Mac users, extracting passwords, crypto wallets, and personal data, while SocGholish, a JavaScript-based loader long associated with fake browser updates, infects Windows machines and drops further payloads such as remote-access tools that give the attackers control of the device. Researchers noted that Mac users must manually override Apple's built-in Gatekeeper warnings before the malware will run. Many victims do so anyway, believing they are performing a routine browser update. Chrome never updates itself through a web page: the browser has its own built-in updater, so any site that asks you to download a Chrome update is lying.
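The injection and redirect chain described above can be screened for in a site's own HTML. What follows is an added example written for this article, not c/side's scanner and not an indicator list from the campaign: it parses a page, flags script elements that load from hosts outside an allowlist (the allowlist and every hostname in the constructed sample page are placeholders), and flags inline scripts that redirect the visitor, rewrite the document, load further scripts, or hide their payload behind eval() and atob(). Base64 literals passed to atob() are decoded and scanned again, which is the generalization a practitioner wants, since a single-layer check misses the most common obfuscation.

```python
"""Flag <script> elements that look like an injected fake-browser-update lure.

Added example, not c/side's tooling: it applies the generic signs described in the
article (off-site script sources, visitor redirects, obfuscated payloads) to raw HTML.
"""
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the hosts this particular site legitimately loads scripts from (placeholders).
ALLOWED_SCRIPT_HOSTS = {"example-site.test", "cdn.example-site.test"}

# Inline-script behaviours typical of injected redirect/lure code.
INLINE_SIGNS = {
    "navigation redirect": r"(?:window|document|top|self)\.location(?:\.href|\.replace|\.assign)?\s*[=(]",
    "DOM overwrite": r"document\.write\s*\(|\.innerHTML\s*=",
    "dynamic script loader": r"createElement\s*\(\s*['\"]script['\"]\s*\)",
    "obfuscation": r"\beval\s*\(|String\.fromCharCode|\batob\s*\(",
}
ATOB_LITERAL = re.compile(r"atob\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

# Constructed sample page: three legitimate scripts followed by three injected ones.
_PAYLOAD = base64.b64encode(b'document.write("<h1>Update your browser</h1>")').decode()
SAMPLE_PAGE = f"""<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-site.test/theme.js"></script>
<script>var wpAjax = {{url: "/wp-admin/admin-ajax.php"}};</script>
<script src="//cdn.update-lure-placeholder.test/chrome.js"></script>
<script>if(document.referrer.indexOf("google")!==-1){{window.location.replace("https://update-lure-placeholder.test/chrome/");}}</script>
<script>eval(atob("{_PAYLOAD}"));</script>
</head><body><h1>Blog</h1></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect every <script> with its src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:  # HTMLParser delivers script text via handle_data
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def _inline_reasons(body):
    reasons = [label for label, pat in INLINE_SIGNS.items() if re.search(pat, body)]
    # Decode base64 literals passed to atob() and look for the same signs inside them.
    for b64 in ATOB_LITERAL.findall(body):
        try:
            decoded = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
        reasons += [f"{label} (in decoded atob() payload)"
                    for label, pat in INLINE_SIGNS.items() if re.search(pat, decoded)]
    return reasons


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return one finding per script that loads off-site or behaves like a lure."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        reasons = []
        src = script["src"]
        if src:
            host = urlparse(src).hostname  # None for relative, same-origin paths
            if host and host not in allowed_hosts:
                reasons.append(f"script loaded from unexpected host {host}")
        reasons += _inline_reasons(script["body"])
        if reasons:
            findings.append({"src": src, "reasons": reasons, "snippet": script["body"][:80]})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_scripts(SAMPLE_PAGE):
        print(finding["src"] or "<inline>", "->", "; ".join(finding["reasons"]))
```

Run it against the HTML you fetch from the site itself (for example with curl, with and without a search-engine referrer, since injected code often behaves differently for returning visitors and crawlers), and compare against a clean copy of the theme; the allowlist is the part you must fill in per site, and a hit is a reason to look, not proof of compromise.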
C/side alerted Automattic, the company that operates WordPress.com, about the attack and provided a list of malicious domains linked to the campaign. Although Automattic confirmed receiving the information, it has yet to announce any specific countermeasures. Experts urge site owners to act immediately: update the WordPress core, update or remove outdated and unused plugins, since inactive plugin code remains reachable on the server, and harden the installation's settings to prevent further compromise.
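One way to carry out that clean-up is with WP-CLI, the command-line tool for WordPress. The script below is an added example for this article, not part of c/side's or WordPress's own tooling. It assumes WP-CLI (`wp`) is installed and that the script runs from the site root; the plugin list and checksum output embedded in it are constructed samples so the planning functions can be exercised offline. It uses `wp plugin list --format=json` to decide which plugins to update and which inactive ones to delete, `wp core verify-checksums` to list core files that differ from the official release (the usual hiding place for injected code), and `wp config set` to turn off the in-dashboard file editor and enable core auto-updates.

```python
"""Turn "update core, remove stale plugins, harden settings" into a WP-CLI clean-up plan.

Added example, not WordPress's or c/side's own code. Assumes WP-CLI (`wp`) is installed
and the script runs from the site root. Only the planning functions run offline.
"""
import json
import subprocess
import sys

# Constructed sample of `wp plugin list --format=json` output.
SAMPLE_PLUGINS = json.loads("""[
 {"name": "akismet", "status": "active", "update": "available", "version": "5.3"},
 {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
 {"name": "old-gallery", "status": "inactive", "update": "available", "version": "1.0"},
 {"name": "custom-forms", "status": "active", "update": "version higher than expected", "version": "9.9"},
 {"name": "classic-editor", "status": "active", "update": "none", "version": "1.6.3"}
]""")

# Constructed sample of the warnings `wp core verify-checksums` writes to stderr.
SAMPLE_CHECKSUM_OUTPUT = """Warning: File doesn't verify against checksum: wp-includes/js/jquery/jquery.min.js
Warning: File should not exist: wp-includes/js/wp-cache.php
Error: WordPress installation doesn't verify against checksums.
"""


def plan_plugin_actions(plugins):
    """Classify `wp plugin list` rows: update stale ones, delete inactive ones, review oddities."""
    plan = {"update": [], "delete": [], "review": []}
    for p in plugins:
        if p["status"] == "inactive":
            plan["delete"].append(p["name"])  # inactive code is still reachable over HTTP
        elif p.get("update") == "available":
            plan["update"].append(p["name"])
        elif p.get("update") not in (None, "none"):
            plan["review"].append(p["name"])  # "version higher than expected": hand-modified?
    return {k: sorted(v) for k, v in plan.items()}


def parse_checksum_warnings(output):
    """Extract file paths from `wp core verify-checksums` warning lines."""
    modified, unexpected = [], []
    for line in output.splitlines():
        if line.startswith("Warning: File doesn't verify against checksum: "):
            modified.append(line.rsplit(": ", 1)[1].strip())
        elif line.startswith("Warning: File should not exist: "):
            unexpected.append(line.rsplit(": ", 1)[1].strip())
    return {"modified": modified, "unexpected": unexpected}


def wp(*args, check=True):
    """Run one WP-CLI command and return (stdout, stderr)."""
    r = subprocess.run(["wp", *args], capture_output=True, text=True, check=check)
    return r.stdout, r.stderr


def remediate(apply=False):
    """Inspect the live site; with apply=True also perform the updates and hardening."""
    out, _ = wp("plugin", "list", "--format=json")
    plan = plan_plugin_actions(json.loads(out))
    _, err = wp("core", "verify-checksums", check=False)  # exits non-zero when files differ
    checks = parse_checksum_warnings(err)
    print(json.dumps({"plugins": plan, "core_files": checks}, indent=2))
    if not apply:
        return plan, checks
    # Copy the modified/unexpected files somewhere safe first: `wp core update`
    # overwrites them and destroys the evidence of how the site was altered.
    wp("core", "update")
    wp("core", "update-db")
    for name in plan["update"]:
        wp("plugin", "update", name)
    for name in plan["delete"]:
        wp("plugin", "delete", name)
    wp("config", "set", "DISALLOW_FILE_EDIT", "true", "--raw")  # no theme/plugin editor in wp-admin
    wp("config", "set", "WP_AUTO_UPDATE_CORE", "true", "--raw")
    return plan, checks


if __name__ == "__main__":
    if "--offline-demo" in sys.argv:
        print(json.dumps({"plugins": plan_plugin_actions(SAMPLE_PLUGINS),
                          "core_files": parse_checksum_warnings(SAMPLE_CHECKSUM_OUTPUT)}, indent=2))
    else:
        remediate(apply="--apply" in sys.argv)
```

Run it without `--apply` first and read the plan. Checksum verification only covers core files; plugin and theme directories need `wp plugin verify-checksums --all` and a manual diff against a clean copy, and the database (posts, widgets, options) can carry injected script tags that no file check will find. Updating is also not the same as cleaning: once a site has been compromised, the attacker may have left admin users, cron jobs, or backdoor files that survive every update.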
This attack highlights the growing threat of password-stealing malware, which has been linked to major corporate breaches. In 2024, attackers used credentials harvested by infostealers to log in to customer accounts at the cloud data platform Snowflake, accounts that had no multi-factor authentication enabled, and steal large volumes of business data. Security professionals recommend installing browser updates only through the browser's own update mechanism, never from a web page, enabling two-factor authentication, and using strong, unique passwords. As these campaigns keep evolving, vigilance on both sides, by site owners and by visitors, remains the strongest defense.