Hackers Compromised ILSpy WordPress Domain to Deliver Malware

Developers are the target of a new supply chain attack after threat actors compromised the official WordPress domain for ILSpy on April 6, 2026. Rather than providing legitimate software, the hijacked website began redirecting visitors to a malicious webpage designed to deliver malware.

Normally, clicking the download button on the ILSpy website sends users directly to the project’s official GitHub repository.

During this compromise, attackers altered the site’s underlying links. Users looking to download the developer tool were unexpectedly routed to a third-party domain.

Once on this malicious page, visitors received a prompt instructing them to install a specific browser extension to continue their download.

This is a classic bait-and-switch tactic. By exploiting the trust developers place in the official ILSpy domain name, the attackers successfully tricked victims into dropping their guard and bypassing normal security checks.

While browser extensions might seem less dangerous than traditional executable files, they pose a severe security risk.

ILSpy WordPress Domain Delivers Malware

Once installed, malicious extensions can act as powerful spyware. They can silently steal session cookies, capture typed passwords, and monitor web traffic.

For a software developer, this could mean accidentally exposing their company’s source code, internal networks, or cloud infrastructure credentials to remote threat actors.

An independent security researcher known as RootSuccess first captured the attack on video and reported it to vx-underground, which issued a public alert around 1:22 AM EST.

Shortly after the disclosure gained traction on social media, the compromised ILSpy WordPress site was taken offline. As of this writing, the domain is returning a 502 Bad Gateway error, effectively preventing further infections.

Security researchers are currently analyzing the malicious browser extension to extract Indicators of Compromise (IoCs) and understand the full technical scope of the payload.

This incident highlights an escalating trend in the cybersecurity landscape, and developers are the ultimate target.

While the security community often focuses on poisoned npm packages or malicious Python libraries, this attack proves that traditional web vulnerabilities remain highly effective entry points.

A simple WordPress compromise allowed hackers to intercept the software supply chain at the point of download. Security experts point out that the predictable nature of the attack, exploiting content management systems to set up redirect chains, is an old tactic.

However, pairing it with trusted developer tools creates a highly effective trap. To protect against similar watering hole and supply chain attacks, developers should adopt a few simple precautions:

• Always verify the final URL before initiating a software download.
• Never install unexpected browser extensions, especially if a website claims they are “required” to download a standard file.
• Bookmark and download tools directly from official, verified source code repositories like GitHub whenever possible.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.