
WordPress plugin exploitation wave (GutenKit and Hunk Companion)

Exploitation Wave
H score 51
1 unique source, 1 article

Summary


WordPress sites are facing a broad exploitation wave against GutenKit and Hunk Companion plugin flaws, with Wordfence blocking 8.7 million attack attempts on October 8 and 9. The campaign abuses CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all critical (CVSS 9.8), to install arbitrary plugins and chain into remote code execution (RCE). Attackers have also used a GitHub-hosted malicious plugin archive called 'up' to support persistence, file theft, command execution, and admin takeover. Defenders are advised to watch for suspicious requests such as /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import, plus rogue entries under /up and /wp-query-console.
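A log scan for the request paths named in the summary, as an added example that is not code from Wordfence or the original report. It assumes the common/combined access log format and that `up` and `wp-query-console` appear as directories under `/wp-content/plugins/`; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# REST routes named in the summary above.
REST_ROUTES = ("/gutenkit/v1/install-active-plugin", "/hc/v1/themehunk-import")
# Directory names from the summary; placing them under
# /wp-content/plugins/ is an assumption of this example.
ROGUE_DIRS = ("up", "wp-query-console")

# Common/combined log format: ip - - [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def classify(target):
    """Return a label for a request target of interest, else None."""
    parts = urlsplit(target)
    path = re.sub(r"/+", "/", unquote(parts.path).lower())
    # WordPress serves REST routes under /wp-json/ and via ?rest_route=
    if "/wp-json/" in path:
        route = "/" + path.split("/wp-json/", 1)[1]
    else:
        route = parse_qs(parts.query).get("rest_route", [""])[0].lower()
    route = route.rstrip("/")
    if route in REST_ROUTES:
        return "rest:" + route
    m = re.search(r"/wp-content/plugins/([^/]+)(?:/|$)", path)
    if m and m.group(1) in ROGUE_DIRS:
        return "rogue-dir:" + m.group(1)
    return None

def scan(lines):
    """Return one dict per log line that matches an indicator path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        label = classify(target)
        if label:
            hits.append({"ip": ip, "time": ts, "method": method,
                         "status": int(status), "match": label})
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [08/Oct/2025:10:01:02 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512',
    '203.0.113.7 - - [08/Oct/2025:10:01:09 +0000] "GET /wp-content/plugins/up/index.php HTTP/1.1" 200 87',
    '198.51.100.20 - - [09/Oct/2025:03:14:15 +0000] "POST /index.php?rest_route=%2Fhc%2Fv1%2Fthemehunk-import HTTP/1.1" 403 0',
    '192.0.2.44 - - [09/Oct/2025:04:00:00 +0000] "GET /wp-content/plugins/updraftplus/readme.txt HTTP/1.1" 200 900',
]
```

Pass the lines of a real access log to `scan()`; the `status` field separates requests the server answered from ones that were refused.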

Related Happenings

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Laravel Lang organization hit by network compromise

Incident
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

TanStack hit by network compromise

Incident
First: 12.05.2026 17:45 Last: 12.05.2026 17:45 Sources 1

About this happening: **TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...

Latest development: 21.05.2026 11:00

On May 17, 2026, Grafana Labs said an unauthorized attacker had downloaded its codebase after accessing the firm's GitHub environment, and the company later said additional internal operational information and business contact names and email addresses were taken from its GitHub repositories; Grafana Labs said there was no indication that customer production systems or the Grafana Cloud platform were compromised.

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

Timeline

  1. 24.10.2025 22:28 2 articles · 7mo ago

    Wordfence tracks mass WordPress plugin exploitation

    Campaign Scope Update

    Wordfence reports a widespread exploitation wave against WordPress websites using vulnerable GutenKit and Hunk Companion plugins, with 8.7 million blocked attack attempts against its customers on October 8 and 9, 2025. The activity abuses CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972 to install arbitrary plugins and can lead to remote code execution, while defenders are told to watch for /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import requests and rogue entries such as /up and /wp-query-console.
