Find notable cyber news and cases, enriched with sources, timelines, and signals.

GutenKit and Hunk Companion actively exploited unauthenticated plugin-install flaws (multiple vulnerabilities)

Vulnerability
Happening score: 53
2 unique sources, 2 articles

Summary


WordPress sites using GutenKit and Hunk Companion are facing actively exploited plugin-install flaws tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972. The critical (CVSS 9.8) issues let attackers install arbitrary plugins and can lead to remote code execution (RCE). Wordfence said it blocked 8.7 million attack attempts on October 8 and 9, and researchers tied the activity to a GitHub-hosted malicious plugin archive called 'up'. Defenders are told to watch for specific request paths and rogue directories, and to keep plugins updated.

Related Happenings

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

TanStack hit by network compromise

Incident
First: 12.05.2026 17:45 Last: 12.05.2026 17:45 Sources 1

About this happening: **TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...

Latest development: 21.05.2026 11:00

On May 17, 2026, Grafana Labs said an unauthorized attacker had downloaded its codebase after accessing the firm's GitHub environment, and the company later said additional internal operational information and business contact names and email addresses were taken from its GitHub repositories; Grafana Labs said there was no indication that customer production systems or the Grafana Cloud platform were compromised.

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

Mini Shai-Hulud SAP-related npm supply-chain campaign

Campaign
First: 29.04.2026 19:26 Last: 29.04.2026 19:26 Sources 1

About this happening: A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...

Latest development: 12.05.2026 11:50

Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.

Timeline

  1. 27.10.2025 12:15 1 article · 7mo ago

    GutenKit and Hunk Companion actively exploited unauthenticated plugin-install flaws (multiple vulnerabilities)

    Initial Disclosure

    Initial disclosure centered on three critical WordPress plugin flaws found through bug bounty work on **September 25** and **October 3, 2024**. The weaknesses allowed unauthenticated plugin installation and activation, creating a direct path to **RCE** before broader exploitation accelerated.

  2. 24.10.2025 22:28 1 article · 7mo ago

    Wordfence blocks 8.7 million attacks against vulnerable WordPress plugins

    Exploitation Observed

    On October 24, 2025, Wordfence said it blocked 8.7 million attack attempts against WordPress sites using GutenKit and Hunk Companion over October 8 and 9, as a widespread exploitation campaign abused CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972 to install arbitrary plugins and enable RCE. Researchers also tied the campaign to a GitHub-hosted malicious plugin archive called 'up' and advised defenders to watch for /wp-json/gutenkit/v1/install-active-plugin, /wp-json/hc/v1/themehunk-import, /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console.

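The watch list above can be turned into a log check. The script below is an added example, not code from the page's sources or from Wordfence: it parses access-log lines, flags requests to the two plugin-install endpoints and to the rogue plugin directory names, and records whether each request was blocked. It assumes the rogue directories appear under wp-content/plugins/ and that logs are in combined log format; the sample log lines are constructed.

```python
"""Scan web-server access logs for the GutenKit / Hunk Companion exploitation
indicators listed in the timeline. Added example, not the page's or Wordfence's
code; the log lines are constructed, the paths come from the advisory text."""
import re
from typing import Iterable, Optional

# Unauthenticated plugin-install endpoints abused in the campaign
# (CVE-2024-9234 in GutenKit; CVE-2024-9707 / CVE-2024-11972 in Hunk Companion).
EXPLOIT_ENDPOINTS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)
# Directory names of the rogue plugins the campaign was seen dropping
# (assumed here to live under wp-content/plugins/).
ROGUE_PLUGIN_DIRS = {"up", "background-image-cropper", "ultra-seo-processor-wp",
                     "oke", "wp-query-console"}

# Minimal combined-log-format parser: client IP, method, path, HTTP status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PLUGIN_DIR_RE = re.compile(r"^/wp-content/plugins/([^/]+)/")

def classify(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None when it matches no indicator."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # ignore the query string
    if path.startswith(EXPLOIT_ENDPOINTS):
        kind = "plugin-install-endpoint"
    else:
        pm = PLUGIN_DIR_RE.match(path)
        if not (pm and pm.group(1) in ROGUE_PLUGIN_DIRS):
            return None
        kind = "rogue-plugin-dir"
    status = int(m.group("status"))
    # 2xx/3xx means the request got through (WAF or patch did not stop it);
    # 4xx/5xx is still recorded as an attempt against the site.
    return {"ip": m.group("ip"), "method": m.group("method"), "path": path,
            "status": status, "kind": kind,
            "outcome": "blocked" if status >= 400 else "likely-success"}

def scan(lines: Iterable[str]) -> list[dict]:
    """Classify every line and keep only the hits."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample log: two install-endpoint requests (one blocked), one
# request into a rogue plugin directory, and one benign REST call.
SAMPLE_LOG = [
    '203.0.113.10 - - [08/Oct/2025:14:02:11 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [08/Oct/2025:14:02:15 +0000] "GET /wp-content/plugins/up/up.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Oct/2025:03:40:01 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '192.0.2.5 - - [09/Oct/2025:03:41:22 +0000] "GET /wp-json/wp/v2/posts?per_page=10 HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['path']} -> {hit['kind']} ({hit['outcome']})")
```

A "likely-success" hit on the install endpoint followed by requests into one of the rogue directories from the same client is the sequence worth triaging first; a file-system listing of wp-content/plugins/ against ROGUE_PLUGIN_DIRS covers sites whose logs have rotated.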