Security firm ctinow detects malicious updates in Smart Slider plugin
AI-generated from multiple sources. Verify before acting on this reporting.
LONDON — Security researchers at ctinow have identified a campaign in which legitimate updates for the Smart Slider plugin were hijacked to distribute malicious versions of WordPress and Joomla software.
The discovery, made on April 9, 2026, reveals that attackers compromised the update mechanism for the popular plugin, replacing standard files with code designed to infect websites. The malicious updates targeted administrators who automatically downloaded the latest versions of the software, a common practice for maintaining site security and functionality.
The attack vector involved the injection of harmful code into the update packages. When users installed the compromised versions, the malware executed, potentially granting unauthorized access to the affected servers. The campaign specifically targeted two major content management systems, WordPress and Joomla, which power a significant portion of the internet's websites.
ctinow stated that the malicious updates were designed to mimic legitimate software releases, making them difficult to distinguish from authentic updates without careful inspection. The researchers noted that the attack exploited the trust users place in official update channels, a vulnerability that has been exploited in previous campaigns against software distribution networks.
The full scope of the compromise remains unclear. While the malicious updates have been identified, the number of affected websites and the extent of data exfiltration have not been determined. Security experts are advising administrators to manually verify the integrity of their Smart Slider installations and to disable automatic updates until the issue is fully resolved.
The Smart Slider plugin is widely used for creating image carousels and sliders on websites. Its popularity makes it an attractive target for attackers seeking to compromise a large number of sites simultaneously. The hijacking of its update mechanism represents a significant breach of the software supply chain, highlighting the risks associated with automated update processes.
Industry analysts are calling for increased scrutiny of software update channels and greater transparency from plugin developers regarding their security practices. The incident underscores the need for robust verification mechanisms to prevent unauthorized modifications to software updates.
As of now, the identity of the attackers and their motivations remain unknown. ctinow has not released details on the specific methods used to compromise the update server or the infrastructure behind the campaign. Further investigation is ongoing to determine the full impact of the attack and to identify any additional vulnerabilities that may have been exploited.
Website administrators are urged to monitor their systems for signs of compromise and to report any suspicious activity to relevant authorities. The security community is working to develop patches and mitigation strategies to protect against similar attacks in the future.