The Nextend Breach: Supply Chain Compromise Backdoors 900,000 Sites


Yesterday, Nextend confirmed that its update servers were compromised, leading to the distribution of backdoored versions of Smart Slider 3 Pro. With nearly a million sites affected across WordPress and Joomla, this is one of the most significant supply chain attacks of the year.

BUDAPEST, HUNGARY — Security researchers at Patchstack and BleepingComputer have sounded the alarm on a critical supply chain compromise affecting Smart Slider 3 Pro. Attackers successfully breached the update infrastructure of Nextend (the plugin's developer), injecting a malicious backdoor into version 3.5.1.35.

Because the malicious code was delivered through the official update channel, it bypassed traditional signature checks and security filters, automatically installing itself on hundreds of thousands of active web environments.

Who is affected

  • WordPress & Joomla Admins: Users of the "Pro" version are the sole targets of the backdoored update distribution.
  • Enterprise Web Teams: High-traffic sites and government portals using the plugin for visual design are at elevated risk.
  • 900,000+ Active Sites: The massive install base makes this one of the largest supply chain compromises in recent web history.
  • Managed Service Providers: MSPs managing multiple client sites must audit all installations of version 3.5.1.35 immediately.

The Anatomy of a Hijack

The attack was highly targeted and sophisticated. Unlike many plugin vulnerabilities that rely on a bug in the code, this was a compromise of the source itself.

  • Distribution: The attackers gained unauthorized access to Nextend’s update servers on April 9, 2026.
  • Payload: They replaced the legitimate 3.5.1.35 zip archive with a modified version containing a persistent backdoor (wp-content/plugins/nextend-smart-slider3-pro/backdoor.php).
  • Capability: The backdoor allows for remote code execution (RCE), giving attackers full administrative control over the underlying server, the ability to steal database credentials, and the power to inject further malware or ransomware.

The Fallout: 900,000 Sites at Risk

Smart Slider 3 is one of the most popular visual tools for web designers. The "Pro" version is used by over 900,000 websites, including enterprise-level organizations and government portals. According to reports from The Hacker News and MySites.guru, the compromise wasn't limited to WordPress; Joomla installations using the Pro version were equally affected.

The scale of the breach makes it a "force multiplier" for threat actors. By compromising one server at Nextend, they gained potential access to nearly a million high-value targets simultaneously.


The CyberSignal Analysis

Signal 01 — The Trust Paradox

This attack highlights the inherent danger of "Auto-Updates." While keeping software updated is a core pillar of cybersecurity, this incident proves that the update mechanism itself is a primary attack vector. When the source of truth is compromised, the very systems meant to protect us become the delivery vehicle for threats.

Signal 02 — Nation-State Signatures?

The precision of the server-side hijack and the persistence of the backdoor suggest a highly organized threat actor. Researchers are currently investigating whether this was a "smash-and-grab" for data or a strategic "Nation-State" operation to plant persistence across Western web infrastructure for future use.

Signal 03 — The Audit Gap

Many organizations monitor their code for vulnerabilities, but few audit the integrity of official updates. This breach underscores the need for "Zero Trust" in software deployment — where updates are staged, hashed, and verified against known-good benchmarks before being pushed to live production servers.


What to do this week

  1. Check Your Version. If you are running Smart Slider 3 Pro version 3.5.1.35, assume you are compromised.
  2. Roll Back and Replace. Immediately delete the plugin folder and perform a fresh install of version 3.5.1.36 (the clean patch released by Nextend).
  3. Scan for Persistence. Use tools like Patchstack or Wordfence to check for backdoor.php or unusual eval() calls in your plugin directory.
  4. Rotate Credentials. If you were running the compromised version, rotate your database passwords and WordPress/Joomla admin credentials immediately.
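
Steps 1 and 3 can be triaged with a short script. This is an added example, not code from Nextend, Patchstack or this article; the WordPress-style "Version:" header check and the file name plugin-main.php in the constructed sample are assumptions, and the eval( pattern is a crude filter that will also flag legitimate code.

```python
import re
import sys
import tempfile
from pathlib import Path

BAD_VERSION = "3.5.1.35"        # backdoored release named in the article
BACKDOOR_NAME = "backdoor.php"  # file name named in the article
# Assumption: the version is declared in a WordPress-style plugin header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)
EVAL_RE = re.compile(r"\beval\s*\(")  # triage only; expect false positives


def audit_plugin(plugin_dir):
    """Return a sorted list of (kind, relative_path, detail) findings."""
    root = Path(plugin_dir)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.name.lower() == BACKDOOR_NAME:
            findings.append(("backdoor-file", rel, "file name matches advisory"))
        # WordPress reads the plugin header from the first 8 KiB of top-level files.
        if path.parent == root:
            m = VERSION_RE.search(text[:8192])
            if m and m.group(1) == BAD_VERSION:
                findings.append(("bad-version", rel, m.group(1)))
        for lineno, line in enumerate(text.splitlines(), 1):
            if EVAL_RE.search(line):
                findings.append(("eval-call", rel, f"line {lineno}"))
    return sorted(findings)


def make_constructed_sample(base):
    """Build a constructed plugin tree for the demo; not real plugin code."""
    root = Path(base) / "nextend-smart-slider3-pro"
    (root / "lib").mkdir(parents=True)
    (root / "plugin-main.php").write_text(  # hypothetical main file name
        "<?php\n/*\nPlugin Name: Sample Slider\nVersion: 3.5.1.35\n*/\n")
    (root / "backdoor.php").write_text("<?php eval($data);\n")
    (root / "lib" / "render.php").write_text("<?php echo 'evaluate(ok)';\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else make_constructed_sample(tmp)
        for kind, rel, detail in audit_plugin(target):
            print(f"{kind:14} {rel}  ({detail})")
```

Run it with the plugin directory as the only argument; with no argument it scans the constructed sample. An empty result does not prove a site is clean, so the rollback and credential rotation steps still apply to any site that ran 3.5.1.35.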

Sources

  • Original: Nextend Official Advisory (WordPress)
  • Technical: Patchstack Malware Analysis
  • Reporting: BleepingComputer
  • Intelligence: The Hacker News
  • Database: Cybersecurity-Help (Vulnerability Database)
