A serious Uncanny Automator breach has exposed customer data and pushed a malicious plugin update to live WordPress sites. The plugin’s maker, Uncanny Owl, confirmed the incident in a public notice. In short, attackers turned a trusted update channel into a delivery system for malware.
How the attack unfolded
The trouble began on June 12, 2026. According to co-founder Ken, an attacker exploited a flaw in third-party software running on automatorplugin.com. From there, they reached part of the company’s infrastructure.
Next, the attacker did two damaging things. First, they tampered with the Pro update package on the distribution server. Second, they broke into the store and licensing database. Importantly, attackers never touched the plugin’s source code repository.
A backdoored update reached real sites
The most alarming part involves the software supply chain. The attacker swapped the legitimate Pro download for a backdoored build labeled version 7.3.0.5. As a result, sites checking for updates pulled a poisoned copy.
The company was blunt about the danger. Its notice warns that “a site running the compromised version contains malware and a backdoor and should be treated as compromised.”
Fortunately, the spread stayed limited. The tampered build reached fewer than 6% of sites during a roughly 21-hour window. The free Uncanny Automator Lite escaped the attack entirely.
What data was exposed
This Uncanny Automator breach also counts as a personal-data breach. The attacker accessed the licensing database and pulled customer records. Specifically, exposed details include names, email addresses, license keys, and associated website URLs.
There is some reassurance, however. The attacker took no payment data, because the company does not store card numbers. Likewise, the system held passwords only as cryptographic hashes, never as plain text. Even so, the team reset every account password as a precaution.
The cleanup
Uncanny Owl moved quickly once it spotted the intrusion. The team removed the attacker’s access on June 13 and published a verified-clean 7.3.0.6 release. By June 14, it had finished investigating and found no signs of reinfection.
The responders also scrubbed the backdoor’s footprint. That work included deleting rogue administrator accounts, malicious database entries, and scheduled tasks. In addition, they rotated exposed credentials and keys.
Why the risk is not over
Unfortunately, securing the company’s systems does not erase every threat. For one, phishing remains a live danger. Because emails and purchase details leaked, customers may receive convincing fake “update” messages.
The malicious build is also still loose. The notice cautions that “installing a 7.3.0.5 build from any source will still infect a site.” Therefore, never trust that version, wherever it appears.
Finally, already-infected sites need real cleanup. An in-place update will not fix them, so affected owners must follow the full remediation steps.
What you should do
Act now. Confirm your plugin shows version 7.3.0.6 and not 7.3.0.5. Then reset your account password through official channels only.
You can read the complete Uncanny Automator security incident notice for full details and indicators of compromise. Above all, treat any surprise “urgent update” email with suspicion.
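The version check above can be scripted across many sites. This is an added example, not Uncanny Owl's tooling or code from the notice: it reads the standard WordPress plugin header and flags the 7.3.0.5 build. The header name "Uncanny Automator Pro", the status labels and the sample folder names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not Uncanny Owl's tooling. Versions are the ones in the notice.
BAD_VERSION="7.3.0.5"    # backdoored build
FIXED_VERSION="7.3.0.6"  # verified-clean release
PLUGIN_NAME="Uncanny Automator Pro"  # assumption: display name in the plugin header

# Print one header field ("Version", "Plugin Name") from a plugin's main PHP file.
# WordPress reads these fields from a comment block in the first 8 KB of the file.
header_field() {
    head -c 8192 "$1" | tr -d '\r' |
        sed -n "s|^[[:space:]*#/@]*$2:[[:space:]]*||p" |
        sed -e 's/[[:space:]]*$//' -e 1q
}

# Map a version string to a status label (labels are made up for this example).
classify_version() {
    case "$1" in
        "$BAD_VERSION")   echo "COMPROMISED" ;;
        "$FIXED_VERSION") echo "FIXED_BUILD" ;;
        "")               echo "UNKNOWN" ;;
        *)                echo "OTHER" ;;
    esac
}

# Scan a plugins directory; print "STATUS<TAB>version<TAB>file" per PLUGIN_NAME match.
audit_plugins() {
    for f in "$1"/*/*.php; do
        [ -f "$f" ] || continue
        [ "$(header_field "$f" "Plugin Name")" = "$PLUGIN_NAME" ] || continue
        v=$(header_field "$f" "Version")
        printf '%s\t%s\t%s\n' "$(classify_version "$v")" "$v" "$f"
    done
}

# Constructed plugins directory (folder and file names are made up) so the
# script runs offline: the Pro plugin at version $1 plus an unrelated plugin.
make_fixture() {
    d=$(mktemp -d) && mkdir "$d/automator-pro-dir" "$d/other-plugin"
    printf '<?php\n/**\n * Plugin Name: %s\n * Version: %s\r\n */\n' \
        "$PLUGIN_NAME" "$1" > "$d/automator-pro-dir/main.php"
    printf '<?php\n/* Plugin Name: Other\n Version: 7.3.0.5 */\n' > "$d/other-plugin/other.php"
    echo "$d"
}

for ver in "$BAD_VERSION" "$FIXED_VERSION"; do
    dir=$(make_fixture "$ver")
    audit_plugins "$dir"
    rm -rf "$dir"
done
```

FIXED_BUILD only describes the file now on disk. As the notice says, a site that ran 7.3.0.5 is not repaired by an in-place update and still needs the full remediation steps.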