Thousands of WordPress Sites Hijacked to Spread Malware – Ankor Tech

Hackers are actively exploiting outdated WordPress installations and vulnerable plugins to compromise thousands of websites. This ongoing campaign aims to deceive unsuspecting visitors into downloading and installing dangerous malware designed to exfiltrate sensitive data from both Windows and macOS systems.

A Widespread and Commercialized Threat

Security researchers at c/side discovered the campaign, describing it as a highly commercialized “spray and pray” attack. Rather than targeting specific individuals, the threat actors are casting a wide net, compromising high-traffic websites to maximize their reach.

The attack mechanism is deceptively simple: when a user visits a compromised WordPress site, the page content is dynamically replaced with a fraudulent “Chrome browser update” notification. This prompt pressures the user to download a malicious file to “update” their browser. The malware payload is tailored to the visitor’s operating system, delivering specific threats for either Windows or Mac users.

Malware Payloads: Amos and SocGholish

The campaign distributes two primary types of infostealing malware:

  • Amos (Atomic Stealer): Targeting macOS users, this malware is designed to harvest usernames, passwords, session cookies, and cryptocurrency wallet keys. Experts, including macOS security researcher Patrick Wardle, identify Amos as one of the most prolific stealers currently operating under a “malware-as-a-service” model.
  • SocGholish: This variant is deployed against Windows users, functioning as a gateway for further system compromise and data theft.

Although on macOS the victim typically has to take deliberate manual steps to bypass Apple’s built-in security protections before the malicious file will run, the social engineering tactics remain a significant risk for less technical users.

Industry Response and Security Best Practices

The discovery of over 10,000 compromised domains has raised questions regarding platform security. C/side reported the malicious activity to Automattic, the company behind WordPress.com. In response, an Automattic spokesperson stated that the security of third-party plugins remains the responsibility of individual plugin developers, who are expected to adhere to the official Plugin Handbook guidelines.

How to Protect Your Devices

This incident serves as a critical reminder of the risks associated with credential-stealing malware, which has been linked to major corporate data breaches globally. To maintain digital security:

  • Update via Official Channels: Always update your browser directly through its built-in settings menu, never via pop-ups or external links on websites.
  • Exercise Caution: Avoid downloading software or “updates” from untrusted sources.
  • Keep Systems Patched: Website administrators must ensure that WordPress core, themes, and plugins are updated to the latest versions to close known vulnerabilities.
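For the last point, the thing a site administrator actually wants is a quick inventory of which WordPress components are still behind the current release. The following is an added example written for this article, not code from c/side, Automattic or the WordPress project. It assumes the administrator has already exported the plugin and theme inventory with WP-CLI (`wp plugin list --format=json` and `wp theme list --format=json`; the field names `name`, `status`, `update`, `version` and `update_version` are assumed to match that output) and it uses constructed sample JSON in place of a real site. It also flags inactive components with pending updates, because their files stay on disk and reachable through the web server even when the plugin or theme is switched off.

```python
"""Triage a WP-CLI plugin/theme inventory for components that still need patching.

Added example for the article above (not c/side's or WordPress's own code).
Inputs are JSON strings as produced by `wp plugin list --format=json` and
`wp theme list --format=json`; the field names used here are assumed to match.
"""
import json
import re

# Constructed sample data standing in for real WP-CLI output.
SAMPLE_PLUGINS = json.dumps([
    {"name": "akismet", "status": "active", "update": "none",
     "version": "5.3", "update_version": None},
    {"name": "example-gallery", "status": "active", "update": "available",
     "version": "1.2.0", "update_version": "1.4.1"},
    {"name": "old-seo-helper", "status": "inactive", "update": "available",
     "version": "0.9", "update_version": "2.0"},
])
SAMPLE_THEMES = json.dumps([
    {"name": "twentytwentyfour", "status": "active", "update": "none",
     "version": "1.1", "update_version": None},
    {"name": "legacy-theme", "status": "inactive", "update": "available",
     "version": "3.0.2", "update_version": "3.1.0"},
])


def parse_version(text):
    """Turn '1.4.1' or '2.0-beta' into a tuple of ints for comparison.

    Non-numeric suffixes are dropped; missing parts compare as 0.
    """
    numbers = re.findall(r"\d+", text or "")
    return tuple(int(n) for n in numbers) or (0,)


def version_is_newer(candidate, current):
    """True if `candidate` is strictly newer than `current`."""
    return parse_version(candidate) > parse_version(current)


def _inventory(kind, raw_json):
    """Yield findings for every component whose update is pending."""
    for item in json.loads(raw_json):
        pending = item.get("update") == "available"
        newer = version_is_newer(item.get("update_version"), item.get("version"))
        # Trust WP-CLI's flag, but also accept a plain version comparison so a
        # stale flag does not hide an outdated component.
        if pending or newer:
            yield {
                "kind": kind,
                "name": item["name"],
                "status": item.get("status", "unknown"),
                "current": item.get("version"),
                "available": item.get("update_version"),
            }


def components_needing_update(plugins_json, themes_json):
    """Return outdated plugins and themes, active ones first, then by name."""
    findings = list(_inventory("plugin", plugins_json))
    findings += list(_inventory("theme", themes_json))
    return sorted(findings, key=lambda f: (f["status"] != "active", f["name"]))


def summarize(findings):
    """Render a short report; inactive components get an explicit reminder."""
    if not findings:
        return "All plugins and themes are at their latest known version."
    lines = []
    for f in findings:
        note = "" if f["status"] == "active" else \
            "  (inactive, but its files remain on disk: update or delete it)"
        lines.append(f"{f['kind']:6} {f['name']:<20} {f['current']} -> {f['available']}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(components_needing_update(SAMPLE_PLUGINS, SAMPLE_THEMES)))
```

Pointing the script at real exports is a matter of reading the two JSON files produced by WP-CLI instead of the constructed samples; WordPress core itself is checked separately with `wp core check-update`, which the script does not cover.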

As the campaign remains active, users are advised to remain vigilant against deceptive browser update prompts, regardless of the reputation of the website they are visiting.