Security news weekly round-up - 17th April 2026

Published: (April 17, 2026 at 05:58 PM EDT)
2 min read
Source: Dev.to

WordPress Plugin Backdoors

Someone planted backdoors in dozens of WordPress plug‑ins used in thousands of websites

Someone bought the Essential Plugin last year and added a backdoor to its source code. The backdoor stayed dormant until earlier this month, when it activated and began serving malicious code to every site with the plugin installed.

WordPress plug‑ins extend site functionality, but they run with the same privileges as WordPress core, so a malicious or compromised plug‑in has full access to the installation: its files, its database, and every administrative function. A change of plug‑in ownership is therefore a supply‑chain event worth tracking; a backdoor added after a sale looks like any other update until it activates.


Chrome Extensions Stealing User Data

100 Chrome Extensions Steal User Data, Create Backdoor

The 108 extensions span categories such as Telegram sidebar clients, slot‑machine and Keno games, YouTube and TikTok enhancers, a text‑translation tool, and page‑utility extensions. Each targets a different type of user, but all of them share the same backend.

Each extension delivers the functionality it advertises, so users have no reason to suspect it, while malicious code runs in the background, connects to the threat actor’s command‑and‑control (C&C) server, and carries out the attacker’s instructions. The shared backend is the useful detection point: a single C&C indicator covers the whole set.


Signed Software Used to Deploy Antivirus‑Killing Scripts

Signed software abused to deploy antivirus‑killing scripts

The ClockRemoval.ps1 script runs at system boot, at logon, and every 30 minutes. It removes AV products by stopping their services, killing their processes, deleting installation directories and registry entries, silently running the vendors’ own uninstallers, and forcibly deleting files when an uninstaller fails.

It also blocks reinstallation and updates of security products by editing the hosts file so that vendor domains resolve to 0.0.0.0, an address nothing listens on, which makes installer downloads and definition updates fail. A hosts file containing security‑vendor domains is a cheap, high‑signal indicator: legitimate administration almost never null‑routes an AV update server.
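The hosts‑file tampering described above is easy to check for. The following script is an added example, not code from the article or from the ClockRemoval.ps1 write‑up: it parses hosts‑file text, flags every entry that maps a non‑local hostname to a sinkhole address, and rates a hit higher when the name matches a vendor watchlist. The watchlist substrings and the sample hosts content are constructed for illustration and should be replaced with the products actually deployed in your environment.

```python
"""Flag hosts-file entries that null-route hostnames, the technique the
ClockRemoval.ps1 write-up describes (vendor domains -> 0.0.0.0).

Added example, not code from the original article. The vendor-domain
watchlist and the sample hosts content are constructed for illustration.
"""
import re

# Addresses that make a name unreachable when placed in the hosts file.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Assumed watchlist: substrings a defender would expect in AV/EDR update
# domains. Extend it to match the products deployed in your estate.
VENDOR_MARKERS = ("microsoft", "defender", "windowsupdate", "eset", "kaspersky",
                  "sophos", "bitdefender", "mcafee", "symantec", "crowdstrike",
                  "sentinelone")

# Names that legitimately map to loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text: str) -> list[tuple[str, str, int]]:
    """Return (ip, hostname, line_no) tuples; comments and blank lines skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = _LINE.match(line)
        if not m:
            continue
        ip, names = m.groups()
        for name in names.split():           # one IP may carry several names
            entries.append((ip, name.lower(), n))
    return entries


def find_sinkholed(text: str) -> list[dict]:
    """List hosts entries that point a non-local name at a sinkhole address."""
    findings = []
    for ip, name, n in parse_hosts(text):
        if ip not in SINKHOLE_ADDRS or name in LOCAL_NAMES:
            continue
        vendor = any(marker in name for marker in VENDOR_MARKERS)
        findings.append({"line": n, "ip": ip, "host": name,
                         "severity": "high" if vendor else "medium"})
    return findings


# Constructed sample: two vendor domains null-routed, one ad-block entry,
# one legitimate internal override, and the usual loopback lines.
SAMPLE_HOSTS = """# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.local   # legitimate internal override
0.0.0.0         definitionupdates.microsoft.com
0.0.0.0         update.eset.example
127.0.0.1       ads.tracker.example     # unrelated ad-block entry
"""

if __name__ == "__main__":
    # On Windows read C:\Windows\System32\drivers\etc\hosts instead of the sample.
    for f in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} [{f['severity']}]")
```

Run it against the real hosts file on a suspect machine; on a clean Windows host the file normally contains nothing but comments and loopback entries, so any medium or high finding deserves a look, and a high finding alongside missing AV services matches the behaviour the article describes.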


Data‑Breach Alert Scams

That data breach alert might be a trap

Not all “data breach” alerts are legitimate; some are social‑engineering attacks. Real breaches occur daily, though, and ignoring a genuine notice can be as dangerous as clicking a fake one.

The goal is to stop reacting on autopilot and learn to tell genuine alerts from scams. Familiarity with data‑breach‑themed scams improves preparedness for future inbox threats. The practical check is the same as for any phishing message: do not follow links or call numbers in the alert itself; go to the service directly and confirm the notice there.


Microsoft Defender Zero‑Days

Three Microsoft Defender Zero‑Days Actively Exploited; Two Still Unpatched

Three vulnerabilities, dubbed BlueHammer, RedSun, and UnDefend, are being actively exploited.

  • BlueHammer and RedSun are local privilege‑escalation flaws affecting Microsoft Defender.
  • UnDefend can trigger a denial‑of‑service condition, effectively blocking definition updates.

The researcher released proof‑of‑concept code due to frustrations with Microsoft’s vulnerability‑disclosure process.


Cover photo by Debby Hudson on Unsplash.
