Oh Great, Your WooCommerce Site Is Now a Full-Time Job for Hackers: Malware Disguised as Plugins Is Here to Stay

A new malware campaign is targeting WordPress and WooCommerce sites with highly obfuscated skimmers designed to steal credit card details and login credentials.
The malware operates through a modular architecture, enabling attackers to deploy specific variants for payment data theft, admin credential harvesting, and even injecting fake ads.
With anti-analysis tricks straight out of a cyber-espionage playbook, the malware detects browser developer tools and uses console manipulation to avoid getting caught.
The threat has been active since at least September 2023, showing signs of continual development and an evolving attack infrastructure.
Wordfence stumbled upon the malware during a site cleanup in May 2025, revealing over 20 samples built on a shared, customizable framework.
The malware evades detection by triggering only in specific parts of a website, using cookies to identify admins and hide its presence from casual inspection.
In a bold twist, the malware disguises itself as a rogue WordPress plugin, giving hackers backend access and turning infected sites into remote-controlled launchpads.
Its advanced evasion methods include crashing browsers during debugging, deploying infinite loops, and rebinding console functions to disable JavaScript inspection tools.
With this level of stealth and innovation, the malware marks a disturbing evolution in cyberattacks against small businesses and online shops.
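
The evasion behaviours described above (rebinding console functions, infinite loops, traps that fire during debugging) leave recognisable shapes in JavaScript source once it is readable. The following Node.js scanner is an added example, not Wordfence's signatures and not code from the campaign; its patterns, function names and sample scripts are assumptions constructed for illustration.

```javascript
// Heuristic static checks for anti-analysis constructs in a script's source.
// Patterns are illustrative assumptions, not vendor signatures.
const CHECKS = [
  // Assignment to a console method: console.log = ... or console[m] = ...
  { id: 'console-rebind',
    re: /\bconsole\s*(?:\.\s*[A-Za-z_$][\w$]*|\[\s*[^\]]+\s*\])\s*=(?!=)/ },
  // A debugger statement in shipped code (assumed here as the debugging trap).
  { id: 'debugger-statement', re: /\bdebugger\b/ },
  // Loops with a constant-true or empty condition.
  { id: 'infinite-loop',
    re: /\bwhile\s*\(\s*(?:true|1|!0)\s*\)|\bfor\s*\(\s*;\s*;\s*\)/ },
];

// Blank out comments and string literals (keeping newlines) so that words
// inside them do not trigger findings. Regex literals are not handled.
function stripCommentsAndStrings(src) {
  const token = /\/\*[\s\S]*?\*\/|\/\/[^\n]*|'(?:\\.|[^'\\\n])*'|"(?:\\.|[^"\\\n])*"|`(?:\\.|[^`\\])*`/g;
  return src.replace(token, (m) => m.replace(/[^\n]/g, ' '));
}

// Return one finding per (check, line) that matches, with 1-based line numbers.
function scanScript(source) {
  const findings = [];
  stripCommentsAndStrings(source).split('\n').forEach((text, i) => {
    for (const { id, re } of CHECKS) {
      if (re.test(text)) findings.push({ id, line: i + 1 });
    }
  });
  return findings;
}

// Constructed sample: silences console output and loops on a debugger trap.
const SUSPICIOUS_SAMPLE = [
  "var noop = function () {};",
  "['log', 'warn', 'error'].forEach(function (m) { console[m] = noop; });",
  "function trap() { for (;;) { debugger; } }",
].join('\n');

// Constructed sample: ordinary storefront code that mentions the same words.
const BENIGN_SAMPLE = [
  "// open the debugger if checkout fails",
  "console.log('cart total', total);",
  "if (console.log === undefined) { alert('no console'); }",
].join('\n');

console.log(scanScript(SUSPICIOUS_SAMPLE));
console.log(scanScript(BENIGN_SAMPLE));
```

Heavily obfuscated samples need to be deobfuscated before checks like these match, and a hit is a reason to review the file, not proof of infection.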
