Compromised Nextend servers sent out the Backdoored Smart Slider 3 Pro Update.

Unknown cyber threats took advantage of the update system for the Smart Slider 3 Pro plugin in WordPress and Joomla This article explores plugin involved malware. . Any site that updated to 3.5.1.35 between its release on April 7, 2026, and detection about six hours later was open to a fully weaponized remote access toolkit.

Nextend stopped their update servers, got rid of the bad version, and started a full investigation into what happened. People who have the Trojan-infected version should update to version 3.4.36. Nextend's website says that the free version of the WordPress plugin is still working. The malware works in several stages to get deep, long-lasting, and redundant access.

It uses a multi-layered persistence toolkit with separate re-entry points, user hiding, reliable command execution with fallback chains, and automatic C2 registration with full credential exfiltration.

A trusted update mechanism lets in malicious code. The plugin that is involved is the malware payload. When the bad code is added, generic firewall rules, nonce verification, and role-based access controls no longer matter.

The "malware payload" is the part of the malware that can be downloaded from the infected computer's web browser. Then, it can be loaded onto the victim's computer as a harmful payload. The "Malware Packed" feature lets you add the payload to the victim's computer. Then, it is put into the user's "C:\Program Files (x86)" or "X86_64" as a malware payload.

After that, the plugin is used to put the malware on the target computer. A "Trojans" function then sends the bad code to the user.