TL;DR

Three supply chain attacks in June 2026 alone — a WordPress plugin vendor's build pipeline backdoored with CVSS 10.0 malware, 110 million credentials harvested from compromised FortiGate firewalls targeting SMBs, and 400+ open-source packages hijacked to steal developer secrets — show that your vendors' security failures are now your problem. If you're not auditing third-party software update channels and demanding evidence of build-pipeline integrity from every supplier, you're trusting blind.

The ShapedPlugin Backdoor: Your "Trusted" Plugin Update Is the Attack

On June 22, 2026, Wordfence revealed that multiple Pro plugins from ShapedPlugin — Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro — had been backdoored after attackers compromised the vendor's build and distribution pipeline. The malicious code was pushed through official licensed update channels, not some shady third-party site. Customers who paid for legitimate licenses and installed updates directly from the vendor received malware.

The backdoor was assigned CVE-2026-49777 with a CVSS score of 10.0 — maximum severity. Once activated, the compromised plugin fetched a remote payload, installed itself as a fake plugin hidden from the WordPress admin panel, and captured credentials in plaintext along with two-factor authentication codes. It also extracted the full contents of wp-config.php (database credentials, authentication keys), all administrator accounts, SMTP plugin credentials, and three months of WooCommerce order data including payment method breakdowns. Then it deleted itself to cover its tracks.

How bad was it? Any WooCommerce site running these Pro plugins had its database credentials, admin accounts, and customer payment data exposed. The attacker also established persistent access via web shells and custom REST endpoints.

How it could have been prevented: ShapedPlugin's build pipeline lacked integrity verification — no signed releases, no checksum validation on distributed packages. The vendor has since confirmed the incident and is reviewing distribution processes, but the damage is done for every site that already installed the poisoned updates.

What to do this week: Audit every WordPress plugin on your sites. Check if you're running Product Slider Pro (before v3.5.4), Real Testimonials Pro (v3.2.5), or Smart Post Show Pro (before v4.0.2). If so, reset all passwords, revoke and regenerate 2FA secrets, review admin accounts for unauthorised additions, and check SMTP configurations for modified credentials. Going forward, demand that any plugin vendor you rely on provides signed updates and publishes their build-pipeline security controls.
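The version check described above can be run straight against the plugin directory on disk (normally wp-content/plugins), which does not depend on what the admin panel chooses to display. This is an added example, not code from Wordfence or ShapedPlugin; it assumes the plugins identify themselves by the names used in this article in their "Plugin Name" header, and it conservatively flags anything older than the patched versions listed in the FAQ below.

```python
import re
import tempfile
from pathlib import Path

# First fixed versions as listed in this article. Matching on a fragment of
# the "Plugin Name" header is an assumption; confirm exact names on your site.
FIXED_IN = {
    "product slider pro": (3, 5, 4),
    "real testimonials pro": (3, 2, 6),
    "smart post show pro": (4, 0, 2),
}
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_version(text):
    """Turn '3.5.3' or '3.5.3-beta' into a comparable 3-tuple of ints."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else (0, 0, 0)

def read_plugin_header(php_file):
    """Return (name, version) from a WordPress plugin header comment, or None."""
    fields = {}
    for key, value in HEADER_RE.findall(php_file.read_text(errors="replace")[:8192]):
        fields.setdefault(key.lower(), value)  # first occurrence wins
    if "plugin name" not in fields:
        return None
    return fields["plugin name"], fields.get("version", "0")

def audit_plugins(plugins_dir):
    """List (directory, name, version) for plugins older than the fixed release."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        # Files without a plugin header get an empty name, which matches nothing.
        name, version = read_plugin_header(php_file) or ("", "0")
        for fragment, fixed in FIXED_IN.items():
            if fragment in name.lower() and parse_version(version) < fixed:
                findings.append((php_file.parent.name, name, version))
    return findings

def build_sample_tree(root):
    """Constructed sample plugin directory (directory names are made up)."""
    samples = {"slider": ("Product Slider Pro for WooCommerce", "3.5.3"),
               "posts": ("Smart Post Show Pro", "4.0.2"),
               "forms": ("Some Contact Form", "1.0.0")}
    for folder, (name, version) in samples.items():
        path = Path(root) / folder
        path.mkdir()
        (path / "main.php").write_text(
            f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit_plugins(tmp):
            print("UPDATE AND ROTATE CREDENTIALS:", finding)
```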

FortiBleed: 110 Million Credentials Stolen Through Your Firewall

Reported June 23, 2026 by SOCRadar, the FortiBleed campaign has been active since February 2026 and has targeted over 430,000 FortiGate firewalls globally. A Russian-speaking initial access broker deployed a custom Golang tool called FortigateSniffer onto compromised firewalls, which passively captures authentication traffic across 24 protocols — including Kerberos, RADIUS, SMB, LDAP, RDP, MS-SQL, MySQL, and PostgreSQL.

The numbers are staggering: 110 million credentials identified, including 14.8 million RADIUS credentials, 89 million MySQL authentication tokens, 924,000 NTLM hashes, and 130,000 Kerberos hashes. Attackers ran 659 credential-harvesting pipelines on May 31 and June 15 alone.

Critically for Australian SMBs: SOCRadar noted the campaign shows "a heavy focus on Small and Medium Businesses (SMBs) with fewer than 200 employees." The IT services sector is a key target because compromised service providers create access paths into customer environments — your MSP or IT consultant's firewall gets popped, and suddenly your entire network is exposed.

How bad was it? This isn't a single breach — it's a mass harvesting operation. Any business whose FortiGate firewall was compromised has had every authentication credential passing through that device captured. That includes credentials to your Active Directory, databases, VPN, email, and internal services.

How it could have been prevented: Disable administrative SSH access on internet-facing FortiGate firewalls. Enforce MFA on all admin panels. Restrict management interfaces to specific IP ranges. Patch FortiOS to the latest version. Monitor for unauthorised diagnostic command usage.

What to do this week: If you operate FortiGate firewalls, immediately check for signs of compromise — unauthorised SSH sessions, unexpected diagnostic sniffer processes, or unfamiliar scheduled tasks. Rotate all credentials that may have transited the device. Demand that your IT provider or MSP document their firewall hardening practices. If they can't, find a new provider.

Atomic Arch: 400+ Open-Source Packages Weaponised Against Developers

On June 12, 2026, Sonatype revealed that attackers had hijacked over 400 packages in the Arch User Repository (AUR) by adopting abandoned packages whose maintainers had walked away. They rewrote the build scripts to execute a malicious npm package called atomic-lockfile during installation, which deployed a Rust-based credential stealer.

The malware targeted developer workstations and build systems specifically, harvesting: browser cookies and tokens from Chromium-based browsers, session data from Slack/Discord/Teams, GitHub and npm tokens, SSH keys, Docker credentials, and OpenAI API keys. Stolen data was exfiltrated over HTTP to temp.sh with command-and-control through a Tor onion service. With root access, it could also load an eBPF rootkit to hide itself from detection tools.

How bad was it? Any developer who built or updated an affected AUR package on or after June 11 potentially had their credentials stolen. Those credentials include access to source code repositories, CI/CD pipelines, cloud infrastructure, and API keys — the keys to your entire digital kingdom.

How it could have been prevented: The AUR trust model allows anyone to adopt orphaned packages. There's no verification that the new maintainer is who they claim to be, and the spoofed git metadata made changes appear to come from long-standing maintainers. This is a systemic trust failure, not a software bug.

What to do this week: Inventory every third-party and open-source dependency your developers install. If anyone on your team uses Arch Linux with AUR packages, audit their recent installs against the affected-package lists. More broadly: enforce dependency pinning with checksums, use private package registries with approval workflows, and rotate any developer credentials that may have been exposed. Treat open-source packages as third-party vendors — because they are.
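One way to catch the adoption pattern described above is to record who maintained each installed AUR package when its build script was last reviewed, then compare that record with the repository's current metadata. This is an added example, not code from Sonatype or the AUR project; the package names, accounts and timestamps are constructed, and the JSON field names (Name, Maintainer, LastModified) are assumed to match the AUR RPC "info" response.

```python
import json

# Constructed sample data. Field names (Name, Maintainer, LastModified) follow
# the AUR RPC "info" response as an assumption; package names are made up.
BASELINE = {  # recorded when each package's build script was last reviewed
    "example-tool": {"maintainer": "alice", "reviewed_at": 1780000000},
    "old-helper": {"maintainer": None, "reviewed_at": 1780000000},  # orphaned
    "stable-lib": {"maintainer": "carol", "reviewed_at": 1780000000},
}
CURRENT_RPC_JSON = """{"resultcount": 3, "results": [
  {"Name": "example-tool", "Maintainer": "alice", "LastModified": 1781200000},
  {"Name": "old-helper", "Maintainer": "newacct", "LastModified": 1781300000},
  {"Name": "stable-lib", "Maintainer": "carol", "LastModified": 1779000000}
]}"""

def review_queue(baseline, rpc_json):
    """Return {package: [reasons]} for packages needing a fresh build-script review."""
    current = {r["Name"]: r for r in json.loads(rpc_json)["results"]}
    queue = {}
    for name, known in baseline.items():
        reasons = []
        now = current.get(name)
        if now is None:
            reasons.append("missing from repository response")
        else:
            if now.get("Maintainer") != known["maintainer"]:
                old = known["maintainer"] or "orphaned"
                new = now.get("Maintainer") or "orphaned"
                reasons.append(f"maintainer changed: {old} -> {new}")
            # Commit authorship can be spoofed, so any change after the last
            # review is queued even when the maintainer account is unchanged.
            if now.get("LastModified", 0) > known["reviewed_at"]:
                reasons.append("package modified since last review")
        if reasons:
            queue[name] = reasons
    return queue

if __name__ == "__main__":
    for package, reasons in review_queue(BASELINE, CURRENT_RPC_JSON).items():
        print(f"HOLD {package}: " + "; ".join(reasons))
```

Packages in the queue should stay pinned at the last reviewed revision until someone has read the new build script.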

What to Demand From Every Vendor This Week

The pattern across all three attacks is identical: the trust signal was the attack vector. ShapedPlugin customers trusted the official update channel. FortiGate owners trusted their firewall vendor's defaults. AUR users trusted package names and maintainer history. In every case, that trust was exploited.

Here's what you should be putting in your vendor contracts and security questionnaires:

  1. Signed updates with checksum verification — every software vendor must cryptographically sign releases. If they can't, ask why.
  2. Build-pipeline security documentation — demand evidence of how their build and distribution process is secured. CI/CD pipelines are now primary attack targets.
  3. Breach notification timelines — your contracts should require notification within 72 hours of a security incident, not "as soon as commercially reasonable."
  4. Right to audit — for critical vendors, you need contractual rights to review their security posture, not just take their word for it.
  5. Dependency transparency — vendors should disclose their own third-party dependencies. You can't assess supply chain risk if you can't see the chain.

FAQ

Q: My business is too small to be a supply chain target — should I worry?
A: The FortiBleed campaign explicitly targeted SMBs with fewer than 200 employees. Attackers target small businesses precisely because they often lack the security resources of larger organisations. If you use WordPress, Fortinet firewalls, or any third-party software (you do), you're in the blast radius.

Q: How do I know if my WordPress site was affected by the ShapedPlugin attack?
A: Check your installed plugins for Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. If installed, check the version numbers against the patched versions (3.5.4, 3.2.6, and 4.0.2 respectively). Look for unfamiliar plugins in your directory, modified SMTP credentials, or new admin accounts. Run a security scan using Wordfence or similar.

Q: What's the minimum vendor security requirement I should enforce?
A: At minimum: signed software updates, documented incident response procedures with 72-hour notification, MFA on all vendor administrative access to your systems, and a current SOC 2 or ISO 27001 certification (or equivalent). For software vendors specifically, require SBOM (Software Bill of Materials) disclosure.

Q: Should we stop using open-source packages?
A: No — but treat them as vendor relationships. Pin versions, verify checksums, use private registries with approval workflows, and monitor for maintainer changes. The Atomic Arch attack worked because no one noticed that 400 package maintainers had been replaced overnight.

Conclusion

Supply chain attacks work because they exploit trust you've already extended. The ShapedPlugin backdoor, FortiBleed credential harvesting, and Atomic Arch package hijacking all happened in June 2026 — and they're not anomalies, they're the trajectory. Every third-party tool, plugin, package, and managed service provider in your stack is a potential entry point.

Your action items this week: audit your WordPress plugins, check your firewall hardening, inventory your open-source dependencies, and send your critical vendors a security questionnaire asking the five questions above. If a vendor can't answer them, you have a decision to make.

Don't wait for your vendor's breach to become your breach. Visit consult.lil.business for a free cybersecurity assessment — we'll map your third-party risk exposure and give you a prioritised action plan.



TL;DR

  • A popular AI tool called Langflow had a security flaw — like leaving a factory door unlocked
  • Bad guys found the open door and walked in within 20 hours of it being discovered
  • They could steal keys, passwords, and data from businesses using this tool
  • The lesson: AI tools need strong locks, just like your house or office does

What Happened?

Imagine you build a factory that makes robots. The robots are supposed to help businesses do work — answer questions, process paperwork, and automate tasks.

Now imagine you forget to lock the factory's front door. Anyone can walk in, mess with your robots, and even reprogram them to do bad things.

That's what happened with Langflow.

What Is Langflow?

Langflow is a tool that helps people build AI-powered robots (called "agents" or "workflows") without writing computer code. It's like using Lego blocks to build something — you drag and drop pieces to create an AI that can:

  • Answer customer questions
  • Read and organize documents
  • Send automated emails
  • Process data

Lots of businesses use Langflow or tools like it to make their work faster and easier.

The Unlocked Door

Langflow had a big security mistake. One of its entrances — a special door called an "API endpoint" — was supposed to show public AI workflows to visitors.

But this door had a problem:

  • It didn't check who was knocking (no authentication)
  • It would accept any instructions visitors gave it
  • It would run those instructions immediately without asking questions

This is like a door that not only unlocks itself, but also hands over the keys to anyone who asks.

What Bad Guys Did

On March 17, 2026, security researchers told everyone about this unlocked door. They thought: "Now people can fix it!"

But bad guys thought: "Now we know where the open door is!"

Within 20 hours — less than a day — attackers were:

  1. Scanning the internet for Langflow installations
  2. Walking through the unlocked door
  3. Stealing passwords, keys, and data
  4. Leaving backdoors to come back later

Twenty hours is incredibly fast. Most businesses take weeks just to read security advisories. These attackers acted before most people even knew there was a problem.

What They Could Steal

When someone walks through an unlocked door in a computer system, they can take:

  • Passwords and keys: Like stealing the keys to every room in a building
  • Secret data: Customer information, business documents, financial records
  • Access to other systems: Using one unlocked door to reach connected systems
  • Control over the robots: Reprogramming AI agents to do whatever the attacker wants

It's not just one computer at risk. It's everything connected to it.

Why This Matters to You (Even If You Don't Use Langflow)

You might be thinking: "I don't use Langflow. Why should I care?"

Here's why:

1. You Might Be Using It Without Knowing

Lots of companies sell AI tools and services. They might use Langflow inside their products without telling you. It's like buying a car and not knowing what brand of engine is inside.

If you've:

  • Hired an AI consultant
  • Bought AI-powered software
  • Used chatbots or automation tools

...you might be using Langflow or tools like it.

2. The Same Problem Exists Everywhere

Langflow isn't the only AI tool with security issues. The same mistake — forgetting to lock doors and check who's knocking — happens all the time in AI software.

3. AI Tools Are the New Factories

As businesses use more AI, they're building more "robot factories." If those factories don't have good locks, alarms, and security guards, they become easy targets.

What You Can Do

If You Have AI Tools

  1. Ask questions: Find out what AI tools your business uses
  2. Check for updates: Make sure all AI software is updated to the latest version
  3. Change passwords: If you used an old version of Langflow, change all your passwords and keys
  4. Watch for weird stuff: If your AI tools start acting strangely, tell someone

If You're Buying AI Services

  1. Ask about security: "What do you do to keep your AI tools safe?"
  2. Demand updates: "How quickly do you fix security problems?"
  3. Check their reputation: Work with companies that take security seriously

For Everyone

  • Treat AI tools like important equipment: You wouldn't leave your office door unlocked or give your house keys to strangers. Don't do it with AI tools either.
  • Use security experts: Just like you hire a locksmith for your doors, hire cybersecurity experts for your AI systems.

The Lesson

The Langflow hack teaches us something simple:

When you build something powerful, you need to protect it.

AI tools are powerful. They can see your data, control your systems, and make decisions for your business. That makes them valuable — and valuable things need strong security.

Twenty hours is all it took for attackers to exploit a mistake. In the AI world, speed matters. Security needs to be built in from the start, not added later.

FAQ

Langflow is a tool for building AI-powered robots and workflows without writing code. It's like using Lego blocks to create AI assistants that can help with business tasks.

Langflow had an "unlocked door" — a security flaw that let anyone send commands to its systems without proving who they were. This is called an "unauthenticated remote code execution" vulnerability.

Attackers found and started exploiting the flaw within 20 hours of it being publicly announced. That's less than one day.

You might be using it indirectly through other AI tools or services. Also, the same security mistakes happen in other AI software. Understanding this helps you ask better questions about AI security.

Update AI tools regularly, ask vendors about their security practices, change passwords after vulnerabilities are discovered, and work with cybersecurity experts who understand AI.

Treat AI tools like important business equipment. Ask about security before buying AI services. Update everything promptly. Watch for strange behavior in your AI systems. Partner with security experts who understand AI infrastructure.


