Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack that distributed infected releases to paying customers via the vendor’s official update system.
The malware delivered this way installed a fake plugin that impersonates WooCommerce components, steals credentials, and grants operators remote file-writing capabilities.
ShapedPlugin is a WordPress plugin vendor specializing in front-end/UI components and content display plugins, with more than 400,000 active installations in total across its free products.
