A new supply chain attack went after developers after threat actors used the ILSpy WordPress domain on April 6, 2026. Instead of giving visitors the real software, the hacked website sent them to a malicious page with malware. RootSuccess, an independent security researcher, first recorded the attack on video and reported it to vx-underground.

They then sent out a public alert at 1:22 AM EST. The hacked ILSpy WordPress site went offline not long after it started to get attention on social media. The domain currently returns a 502 Bad Gateway error, which prevents further infections. This event highlights a growing trend in cybersecurity in which developers are the main target.

Developers can protect themselves from similar watering hole and supply chain attacks by taking a few simple steps. Before you start downloading software, always check the final URL. Don't install any unexpected browser extensions, even if a website prompts you to. Whenever you can, bookmark and download tools directly from official, verified source code repositories like GitHub.
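The first step above, checking the final URL, sketched as an added example that is not part of the original report: it follows a recorded redirect chain and accepts the download only if the last hop is an exact match for an allowlisted HTTPS host. The allowlist, the `.example` hostnames and the redirect tables are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: hosts this team accepts as official download sources.
TRUSTED_HOSTS = {"github.com"}
MAX_HOPS = 5

def resolve(start, redirects):
    """Follow a redirect table {url: Location header} and return every hop."""
    chain = [start]
    while chain[-1] in redirects:
        if len(chain) > MAX_HOPS:
            raise ValueError("too many redirects")
        # Location may be relative, so resolve it against the current URL.
        nxt = urljoin(chain[-1], redirects[chain[-1]])
        if nxt in chain:
            raise ValueError("redirect loop")
        chain.append(nxt)
    return chain

def check_final(url):
    """Return (ok, reason) for the URL the download would actually come from."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not https"
    if parts.username or parts.password:
        # https://github.com@host/ displays a trusted name but connects to host.
        return False, "userinfo in URL"
    host = (parts.hostname or "").rstrip(".")
    # Exact match: a substring or suffix test would accept github.com.files.example.
    if host not in TRUSTED_HOSTS:
        return False, f"untrusted host {host}"
    return True, "ok"

def check_download(start, redirects):
    chain = resolve(start, redirects)
    ok, reason = check_final(chain[-1])
    return chain[-1], ok, reason

# Constructed redirect tables; every .example name is a placeholder.
START = "https://tool-site.example/download"
REDIRECTED = {START: "/go?id=1",
              "https://tool-site.example/go?id=1": "https://github.com.files.example/setup"}
DIRECT = {START: "https://github.com/example-org/example-tool/releases"}

if __name__ == "__main__":
    for table in (REDIRECTED, DIRECT):
        print(check_download(START, table))
```

The redirect table stands in for the Location headers seen in a browser's network panel; the check is applied to the last hop, not to the link that was clicked.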

Experts say that for software developers, such a compromise could mean accidentally giving remote threat actors access to the company's source code, internal networks, or cloud infrastructure credentials. It is a bait-and-switch tactic that takes advantage of developers' trust in official domains. Browser extensions may seem less harmful than regular executable files, but they are actually a serious security risk. Once installed, malicious extensions can secretly steal session cookies, read typed passwords, and monitor web traffic.