ShapedPlugin LicenseLoader fake WooCommerce backdoor
Malware Activity
Summary
The LicenseLoader.php malware embedded in infected ShapedPlugin releases now enables credential theft, 2FA secret theft, and remote file-writing on compromised WordPress sites. The loader activates when an administrator opens the WordPress admin panel, then reaches out to C2 and installs a hidden fake plugin such as woocommerce-subscription or woocommerce-notification. It also self-deletes after staging, which increases stealth and slows detection.
Related Happenings
ShapedPlugin hit by network compromise
Incident
H score: 20
First: 18.06.2026 15:55
Last: 18.06.2026 15:55
Sources 1
How related:
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack that distributed infected releases to paying customers via the vendor's official update system.
About this happening:
**ShapedPlugin** suffered a **supply-chain compromise** that pushed infected **WordPress plugin** releases to paying customers through the vendor's **official update system**, put...
SHub Reaper macOS infostealer variant
Malware Activity
H score: 23
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
Funnel Builder security patch release (version 3.15.0.3)
Security Patch Release
H score: 77
First: 16.05.2026 18:20
Last: 16.05.2026 18:20
Sources 1
About this happening:
**FunnelKit** released **version 3.15.0.3** to fix a **Funnel Builder** flaw that was being **actively exploited** to inject malicious JavaScript into **WooCommerce checkout pages...
Funnel Builder plugin WordPress arbitrary JavaScript injection actively exploited security flaw
Vulnerability
H score: 72
First: 16.05.2026 18:20
Last: 16.05.2026 18:20
Sources 1
About this happening:
**Funnel Builder** for **WordPress** is under **active exploitation** for arbitrary JavaScript injection into **WooCommerce checkout pages**, creating payment-skimming risk across...
EdgeStepper-LittleDaemon-SlowStepper software-update malware delivery chain
Malware Activity
H score: 23
First: 19.11.2025 12:00
Last: 19.11.2025 12:00
Sources 1
About this happening:
The **EdgeStepper** malware chain is **hijacking software-update traffic** to deliver **LittleDaemon** on **Windows**, creating a path to deploy **SlowStepper** on targeted system...
Timeline
-
18.06.2026 15:55 1 article · 1h ago
ShapedPlugin Pro builds receive a backdoor
Technical Analysis Update: ShapedPlugin's Pro builds were injected with a backdoor on May 21, 2026, creating the malicious release chain that later delivered infected paid-plugin updates through the vendor's official update system.
- ShapedPlugin update flow hacked to infect WordPress sites — www.bleepingcomputer.com — 18.06.2026 15:55
-
18.06.2026 15:55 2 articles · 1h ago
Customers flag potentially malicious ShapedPlugin updates
Initial Disclosure: WordPress customers reported potentially malicious updates for ShapedPlugin's paid plugins on June 10, 2026, providing the first public warning that infected releases might be moving through the vendor's official update system.
- ShapedPlugin update flow hacked to infect WordPress sites — www.bleepingcomputer.com — 18.06.2026 15:55
- ShapedPlugin update flow hacked to infect WordPress sites — www.bleepingcomputer.com — 18.06.2026 15:55
-
18.06.2026 15:55 1 article · 1h ago
Researchers confirm infected ShapedPlugin plugins
Technical Analysis Update: Defiant researchers confirmed the breach on June 12, 2026, after downloading infected plugins from the ShapedPlugin site, tying the compromise to infected Pro builds distributed through the vendor's release infrastructure.
- ShapedPlugin update flow hacked to infect WordPress sites — www.bleepingcomputer.com — 18.06.2026 15:55
-
18.06.2026 15:55 1 article · 1h ago
ShapedPlugin acknowledges infected plugin releases and prepares fixes
Mitigation Patch Update: ShapedPlugin acknowledged the incident on June 16, 2026, said its team had started an investigation and implemented measures to mitigate the issue, and said updated plugin releases were being prepared and validated before being pushed to update channels.
- ShapedPlugin update flow hacked to infect WordPress sites — www.bleepingcomputer.com — 18.06.2026 15:55