A supply chain compromise of the Smart Slider 3 Pro update channel pushed a trojanized build (v3.5.1.35) to over 900,000 WordPress sites and an unknown number of Joomla installations during the April 7, 2026 compromise window. The malicious build installs a multi-capability backdoor including unauthenticated RCE, hidden admin account creation, web shell deployment, and mu-plugin persistence that survives standard remediation. Any site that auto-updated during the compromise window must be treated as fully compromised; restore from a pre-April 7 backup after forensic review and update to the vendor-released clean build.