Wordfence Security News is a weekly cybersecurity news podcast covering the top news stories from the world of WordPress security and the broader cybersecurity threat landscape. Hosted by cybersecurity expert and Wordfence researcher Alex Thomas.
This week on Wordfence Security News.
A pretty cool file upload vulnerability in a popular WordPress caching plugin
goes from disclosure to mass exploitation in under 24 hours.
A password manager's command line tool gets weaponized
in the latest chapter of an ongoing supply chain campaign.
And home security giant ADT becomes the latest name on the ShinyHunters leak site.
This is Wordfence Security News for the week of April 27, 2026.
I'm Alex Thomas.
Our top WordPress story this week is active mass exploitation of a critical,
unauthenticated, arbitrary file upload vulnerability in BreezeCache,
a caching plugin from Cloudways with more than 400,000 active installations.
The flaw is in the plugin's Host Files Locally Gravatars feature.
When that option is enabled, the plugin uses a flawed regular expression
to extract avatar image URLs, and that regex pulls URLs out of the alt attribute
of the HTML tag instead of the src attribute.
Since WordPress puts the comment author's display name into that alt attribute,
an unauthenticated attacker can inject a malicious URL pointing to a PHP web shell
simply by leaving a comment with a crafted name.
The plugin then downloads that file and saves it to a publicly accessible cache directory
with no file type validation.
The result is unauthenticated remote code execution.
The vulnerability was discovered by security researcher Hung Nguyen
and disclosed by the Wordfence Threat Intelligence team.
Cloudways patched it in version 2.4.5.
The Wordfence firewall has now blocked over 22,000 exploit attempts against this vulnerability
across nearly 5,000 unique WordPress sites.
Almost all of that activity has come within seven days of disclosure.
Public disclosure happened on April 22nd, and within hours, the first attackers started hitting sites.
April 24th saw the first major wave with over 4,500 attempts in a single day,
and daily volume has stayed elevated ever since, topping 3,000 on five of the last six days.
What's significant here is how quickly this has scaled.
We're now tracking over 1,300 unique source IP addresses involved in the campaign,
with over 900 of those appearing for the first time on April 29th alone.
This is not a single attacker scanning aggressively, but rather the exploit being distributed broadly,
and multiple groups picking it up and running it in parallel.
Public proof of concept code is a big part of why this is moving so fast.
A GitHub gist published under the handle im-hanzou contains a second stage upload shell,
and that single payload accounts for roughly a third of all blocked attempts.
Close to 200 different IP addresses are using the Breeze vulnerability to try to plant that gist on victim sites.
Once the shell is in place, attackers can browse to it and upload additional files at will.
Other attackers are pointing the exploit at their own web shells hosted at attacker-controlled domains
with payload file names like shell.php, mini_shell.php, and one literally named cve-2026-3844.php.
The patch has been available since April 21st, and the disclosure went out April 22nd.
If you're running BreezeCache, update to version 2.4.5 immediately.
If you can't update right now, disable the Host Files Locally Gravatars option as a temporary mitigation.
All Wordfence users are protected from attacks targeting this vulnerability.
The biggest enterprise story this week is a supply chain attack against the Bitwarden command line tool,
distributed through NPM.
On April 22nd, attackers published a malicious version of the Bitwarden CLI package, version 2026.4.0,
that contained a credential-stealing payload.
The package was live on NPM for about 93 minutes before it was caught and pulled.
Bitwarden has confirmed that no end-user vault data was accessed.
The compromise was specifically of the NPM distribution path, not Bitwarden's production systems.
But for anyone who installed that specific version during that window, the impact is significant.
The malicious package was one of the most capable NPM payloads researchers have seen.
According to analyses from JFrog, Socket, OX Security, and Endor Labs,
it harvested credentials from at least six different sources.
Local SSH keys, Git and NPM credentials, AWS, Google Cloud, and Azure secret stores,
GitHub Actions secrets, and configuration files for AI coding assistants.
It exfiltrated stolen data to a Checkmarx spoofed domain with a fallback path that posted credentials to public GitHub repositories created under the victim's own account.
And it included a self-propagating component.
If it found NPM credentials, it would search for other packages the victim could publish to and infect those as well.
This attack is connected to a broader campaign targeting Checkmarx that compromised their Docker images,
GitHub Actions, and developer extensions on April 22nd.
TeamPCP, the same threat group behind the Trivy supply chain attack we've covered in previous episodes,
has claimed responsibility for the Checkmarx incident.
The Bitwarden malware references Shai-Hulud, the third coming, a callback to a self-propagating worm that ran through NPM in 2025.
Whether TeamPCP and the Shai-Hulud operators are the same group, collaborators, or two crews using shared tooling is still being debated by researchers.
If you installed or updated the Bitwarden CLI from NPM during that 93-minute window, specifically version 2026.4.0,
treat the system as compromised and rotate every credential the malware could have touched.
Shifting to the broader industry, home security giant ADT confirmed a data breach this week
after the ShinyHunters extortion group listed the company on its leak site.
ShinyHunters claims to have stolen over 10 million records.
ADT, in its SEC filings, says the exposed data was limited to names, phone numbers, and addresses
for a population of customers and prospective customers with dates of birth
and the last four digits of social security numbers or tax IDs included in a small percentage of cases.
Have I Been Pwned tracked 5.5 million unique email addresses tied to the breach.
ShinyHunters told BleepingComputer
the breach started with a voice phishing, aka "vishing," attack that compromised an ADT employee's Okta single sign-on account.
From there, attackers pivoted to the company's connected Salesforce instance and exfiltrated the data.
This echoes the broader ShinyHunters pattern we covered with Rockstar Games two weeks ago.
Compromise a connected SaaS path, exfiltrate data, and extort the victim.
ShinyHunters is running this playbook at scale.
Vish an employee, take over the SSO account, pivot to every connected SaaS application, exfiltrate, and extort.
The technique requires no software vulnerability, just a convincing phone call.
Phishing-resistant multi-factor authentication like FIDO2 or WebAuthn,
including hardware keys and modern passkeys, defeats this kind of attack.
SMS codes and TOTP apps don't.
The reason comes down to how the authentication works.
SMS and TOTP codes are just numbers.
An attacker running a phishing proxy can capture the code from the victim,
immediately replay it to the legitimate site, and walk away with a valid session.
By contrast, FIDO2 authenticators are cryptographically bound to the legitimate domain.
A phishing site at a different domain cannot complete that handshake, so the login fails.
That's exactly why Cloudflare was able to stop the 2022 Twilio-style phishing campaign
even after some employees clicked the phishing links and entered credentials.
CISA and NIST both identify FIDO2 and WebAuthn-style authentication as phishing-resistant,
while SMS and OTP-based methods remain vulnerable to phishing.
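An added illustration of the point above (not code from the episode, from Wordfence or from any vendor): a minimal TOTP check next to a simplified WebAuthn-style assertion check. Per-credential public-key signatures are stood in for with HMAC so the script runs on the Python standard library alone; the origin-binding logic is what matters, and the relying-party origin, the phishing origin and the secrets are all constructed values.

```python
import hashlib
import hmac
import json
import struct

# --- TOTP (RFC 6238 / RFC 4226, HMAC-SHA1, 30 s step) -------------------------
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F                      # dynamic truncation
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_login(server_seed: bytes, submitted: str, now: int) -> bool:
    # The server only sees six digits; it cannot tell which page the user typed them into.
    return hmac.compare_digest(totp(server_seed, now), submitted)

# --- WebAuthn-style assertion (constructed relying-party origin) ---------------
RP_ORIGIN = "https://sso.example.com"

def authenticator_sign(cred_key: bytes, challenge: str, browser_origin: str):
    # The browser, not the user, fills in the origin of the page that asked for the login.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, sig

def rp_verify(cred_key: bytes, expected_challenge: str, client_data: bytes, sig: bytes) -> bool:
    data = json.loads(client_data)
    # Origin and challenge are checked before the signature is even considered.
    if data.get("type") != "webauthn.get" or data.get("origin") != RP_ORIGIN:
        return False
    if data.get("challenge") != expected_challenge:
        return False
    expected = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def demo():
    seed, now = b"constructed-totp-seed", 1_700_000_000
    # Victim types the code into the phishing page; the proxy replays it a few seconds later.
    totp_replayed = totp_login(seed, totp(seed, now), now + 5)

    key, challenge = b"constructed-credential-key", "constructed-challenge-123"
    # Proxy relays the real challenge, but the victim's browser is on the phishing origin.
    cd, sig = authenticator_sign(key, challenge, "https://sso-example.com.evil.test")
    webauthn_replayed = rp_verify(key, challenge, cd, sig)
    cd_ok, sig_ok = authenticator_sign(key, challenge, RP_ORIGIN)
    legit = rp_verify(key, challenge, cd_ok, sig_ok)
    return totp_replayed, webauthn_replayed, legit   # (True, False, True)

if __name__ == "__main__":
    print(demo())
```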
And finally, a 12-year-old privilege escalation vulnerability in PackageKit was disclosed last Wednesday.
PackageKit is a daemon used by most major Linux distributions to handle software installation and updates.
The flaw, dubbed Pack2TheRoot, lets any local unprivileged user install arbitrary packages as root without authentication.
It's a time-of-check, time-of-use race condition that's been sitting in the codebase since November 2014,
affecting versions 1.0.2 through 1.3.4.
That covers Ubuntu, Debian, Fedora, and Rocky Linux,
with Red Hat Enterprise systems running Cockpit potentially exposed as well.
The disclosure came from Deutsche Telekom's red team,
who noticed during testing that pkcon install was running without a password prompt on Fedora Workstation.
They used Claude Opus to help dig into the codebase and identify the underlying flaw.
The fix is in PackageKit 1.3.5, and patches and distribution backports are available.
If you operate Linux multi-user systems, shared workstations, or VDI environments,
this should be at the top of your patching list this week.
Links to all the stories we covered today are in the description.
Thanks for watching or listening, and we'll see you next week on Wordfence Security News.