Cybercriminals are actively targeting thousands of WordPress-based websites, exploiting vulnerabilities in outdated versions of the CMS and its plugins. Their objective is to compromise visitors by delivering malware capable of stealing passwords and other sensitive data on both Windows and macOS.
Security researchers at c/side have uncovered a widespread hacking campaign aimed at mass-distributing malicious software. According to their findings, over 10,000 websites—including high-traffic platforms—have been breached. Attackers manipulate webpage content to deceive visitors into downloading and installing infected files.
When a user accesses a compromised site, they are presented with a fraudulent Chrome browser update page, prompting them to download a supposedly necessary file. If the user complies, malware is covertly installed on their device. Depending on the operating system, one of two payloads is deployed—Amos (also known as Atomic Stealer) for macOS and SocGholish for Windows.
Amos is among the most prevalent infostealers targeting macOS. Sold as Malware-as-a-Service (MaaS), it enables cybercriminals to purchase access and utilize it for stealing credentials, browser sessions, cryptocurrency wallets, and other sensitive information. While executing Amos on macOS requires additional user interaction, attackers rely on victims’ inattentiveness. Meanwhile, SocGholish, designed for Windows, operates using similar deceptive tactics.
The c/side research team has reported the incident to Automattic, the parent company of WordPress, providing a list of malicious domains involved in the attack. Automattic has acknowledged the notification but emphasized that the security of third-party plugins remains the responsibility of their respective developers.
Security experts strongly advise website administrators to regularly update WordPress and all installed plugins, while users should only download browser updates through built-in mechanisms and avoid installing files from unverified sources.