The Risk You Can See
WordPress has 18,005 CVEs in the National Vulnerability Database. 387 critical. 23 in CISA's Known Exploited Vulnerabilities catalog. But June 2026 rewrote the scale. Six CVSS 9.8 vulnerabilities — all actively exploited — hit simultaneously: Kirki (500K sites, admin account takeover), Burst Statistics (200K sites, authentication bypass), WP Maps Pro (hardcoded admin backdoor), Everest Forms Pro (unauthenticated RCE via PHP eval, added to CISA KEV June 5), Motors Theme (mass exploitation began June 7, 23,000+ attempts blocked), and Breeze Cache by Cloudways (400K sites, arbitrary file upload to RCE).
Total exposed surface in a single month: over 1.14 million WordPress installations at critical risk. Not theoretical. Wordfence was blocking 29,300+ Everest Forms attacks, 7,400+ Burst Statistics attacks, and 3,600+ WP Maps Pro attacks per day. Then Gravity Forms, a premium, paid plugin, was itself supply-chain compromised: malicious code injected into common.php created admin backdoor accounts on every affected site.
This is the risk you can count. Every CVE has a number, a severity score, a patch timeline. It's bad — but it's visible. You can audit it, report it, budget for it. The Patchstack 2026 report puts it in perspective: 11,334 new WordPress vulnerabilities in 2025, a 42% increase year-over-year. Median time from disclosure to first exploitation: 5 hours. 46% of vulnerabilities had no patch available at time of disclosure.
The Risk You Can't See
The npm ecosystem — which powers React, Next.js, Angular, Vue, Nuxt, Astro, and every JavaScript framework — had a different kind of year. Over 30 documented supply chain attacks in the first six months of 2026. Not vulnerability disclosures. Active attacks. Trojanized packages. Self-replicating worms. Nation-state operations. And in June, the worm jumped ecosystems.
IronWorm: 50+ legitimate npm packages trojanized with a Rust-based stealer and an eBPF kernel rootkit. Miasma: 32 packages under @redhat-cloud-services, Red Hat's official npm scope, compromised across 90+ malicious versions carrying a credential-stealing worm that harvested GitHub, npm, AWS, Azure, and GCP tokens. The attackers forged SLSA provenance attestations, the supply chain integrity standard designed to prevent exactly this. Axios, downloaded 40 million times per week, compromised by North Korean group UNC1069 through social engineering. Bitwarden CLI hijacked via GitHub Actions. TanStack infected, hitting OpenAI employee devices.
Then Miasma evolved. On June 3, Wave 2 introduced 'Phantom Gyp': a 157-byte binding.gyp file that slips past scanners looking for lifecycle scripts in package.json. It works because of npm's own default: when a package ships a binding.gyp and declares no install or preinstall script, npm runs node-gyp rebuild for it during installation, so the hook executes without ever appearing in the scripts block. 57 more packages fell, including @vapi-ai/server-sdk (408K monthly downloads). On June 5, the worm pivoted from registries to IDE targeting, planting .mcp.json files (the project-scoped MCP server configuration) in Azure repos so that the server command they declare runs on the developer's machine when the project is opened in Claude Code or Cursor. GitHub disabled 73 Microsoft repositories in 105 seconds. On June 7, the Shai-Hulud family crossed to PyPI: 37 malicious Python wheels targeting bioinformatics tools. Total campaign artifacts across all ecosystems: 448.
None of these show up as framework CVEs. npm audit only reports vulnerabilities that already have a published advisory; a package whose maintainer account was socially engineered by a nation-state hours ago has none. Your lockfile reproduces whatever was resolved at install time, so if that resolution landed on a trojanized version, the lockfile pins the trojan and every clean install from it reinstalls the same code. The risk is invisible by design.
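One way to make the install-time paths described above visible before they run, as an added example (this is not WebPulse's tooling or any vendor's scanner, and the package names and lockfile entries in it are constructed placeholders, not real compromised packages): a Python audit that flags explicit lifecycle scripts, the implicit node-gyp rebuild that a bare binding.gyp triggers, the hasInstallScript entries that package-lock.json v2/v3 records for the pinned tree, and the project-scoped MCP configs (.mcp.json for Claude Code, .cursor/mcp.json for Cursor) that an IDE acts on when the project is opened.

```python
"""Audit an npm project for code paths that run before the application does:
package lifecycle scripts, npm's implicit node-gyp step, and IDE-scoped MCP
server configs. Added example with constructed sample data; not a vendor tool."""
import json
from pathlib import Path

# Hooks npm runs while installing a dependency (prepare applies to git deps).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Project-scoped MCP server configs: Claude Code reads .mcp.json, Cursor
# reads .cursor/mcp.json; both start the listed server commands for the project.
IDE_CONFIGS = (".mcp.json", ".cursor/mcp.json")


def audit_manifest(manifest: dict, files: set) -> list:
    """Findings for one package directory given its package.json and file names.

    Explicit hooks are read from the scripts block. The implicit case is npm's
    documented default: a binding.gyp at the package root with no install or
    preinstall script makes npm run `node-gyp rebuild` on install, so the hook
    never appears in package.json and a scripts-only scanner misses it."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"explicit {hook}: {scripts[hook]}")
    if "binding.gyp" in files and not ({"install", "preinstall"} & set(scripts)):
        findings.append("implicit install: binding.gyp with no install/preinstall "
                        "script, npm will run `node-gyp rebuild`")
    return findings


def audit_node_modules(root: Path) -> dict:
    """Walk every installed package (nested and @scoped included) under root."""
    results = {}
    for manifest_path in root.rglob("package.json"):
        pkg_dir = manifest_path.parent
        if "node_modules" not in pkg_dir.parts:
            continue  # the project's own package.json, not a dependency
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if not isinstance(manifest, dict):
            continue
        files = {p.name for p in pkg_dir.iterdir()}
        findings = audit_manifest(manifest, files)
        if findings:
            key = f"{manifest.get('name', pkg_dir.name)}@{manifest.get('version', '?')}"
            results[key] = findings
    return results


def install_script_packages(lockfile: dict) -> list:
    """package-lock.json v2/v3 marks packages that declare lifecycle scripts with
    hasInstallScript; listing them reviews what a clean `npm ci` will execute
    before any application code runs."""
    return sorted(
        f"{path}@{entry.get('version', '?')}"
        for path, entry in (lockfile.get("packages") or {}).items()
        if path and isinstance(entry, dict) and entry.get("hasInstallScript")
    )


def find_ide_configs(root: Path) -> list:
    """Project-scoped MCP configs that an IDE acts on when the project opens."""
    return [c for c in IDE_CONFIGS if (root / c).is_file()]


# Constructed samples with hypothetical package names (not real packages).
SAMPLE_PACKAGES = {
    "example-pure-js": ({"name": "example-pure-js", "version": "1.0.0"},
                        {"package.json", "index.js"}),
    "example-postinstall": ({"name": "example-postinstall", "version": "2.1.0",
                             "scripts": {"postinstall": "node setup.js"}},
                            {"package.json", "setup.js"}),
    "example-gyp-only": ({"name": "example-gyp-only", "version": "0.3.1",
                          "scripts": {"test": "node test.js"}},
                         {"package.json", "binding.gyp", "src"}),
    "example-gyp-explicit": ({"name": "example-gyp-explicit", "version": "4.0.0",
                              "scripts": {"install": "prebuild-install || node-gyp rebuild"}},
                             {"package.json", "binding.gyp"}),
}
SAMPLE_LOCK = {  # constructed package-lock.json v3 fragment
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-site", "version": "1.0.0"},
        "node_modules/example-pure-js": {"version": "1.0.0"},
        "node_modules/example-postinstall": {"version": "2.1.0", "hasInstallScript": True},
        "node_modules/@scope/example-native": {"version": "0.9.2", "hasInstallScript": True},
    },
}


def audit_samples() -> dict:
    """Run audit_manifest over the constructed samples."""
    return {name: audit_manifest(m, files) for name, (m, files) in SAMPLE_PACKAGES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, findings or "clean")
    print("lockfile install scripts:", install_script_packages(SAMPLE_LOCK))
    project = Path(".")  # point at a real checkout to audit it
    print("node_modules findings:", audit_node_modules(project))
    print("IDE configs:", find_ide_configs(project))
```

Run it from a checked-out project before npm ci: the lockfile report tells you which pinned versions will execute code at install time, which is the review the lockfile itself cannot do for you, and a binding.gyp finding on a package that has no reason to ship native code is the Phantom Gyp pattern. The sample in the block only exercises the in-memory cases; the node_modules walk and the MCP config check run against whatever directory you point them at.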
Three Supply Chains, Three Threat Models
WordPress plugins, npm packages, and now PyPI wheels are all supply chains. They fail in fundamentally different ways.
WordPress plugins fail through known vulnerabilities — disclosed CVEs with severity scores and patch timelines. The attack surface is your production server. The window is the gap between disclosure and patching — 5 hours median before first exploitation. Government WordPress sites take 45-90 days to patch. Every day in that window is documented exposure. June 2026 proved the failure can be industrial: six CVSS 9.8 vulnerabilities exploited at the same time.
npm packages fail through supply chain compromise — trojanized code that executes during installation, before your application even runs. The attack surface is your development machine, your CI/CD pipeline, your cloud credentials. The window is invisible — you don't know you're compromised until the damage is done. In June 2026, Miasma proved the worm can also skip npm entirely and target your IDE through poisoned repository configs.
PyPI is the new front. The Hades wave (June 7, 2026) showed Shai-Hulud crossing from npm to Python: 37 malicious wheels targeting scientific and data tools. Django, Flask, and FastAPI projects all pull their dependencies from PyPI through pip. The 'historically less targeted' qualifier for Python is no longer accurate.
What WebPulse Data Shows
Of the 466,000+ sites WebPulse has scanned, the majority run on frameworks that depend on one of these three supply chains. WordPress sites depend on the plugin supply chain. Next.js, React, Angular, Vue, Nuxt, and Astro sites depend on the npm supply chain. Django, Flask, and FastAPI sites depend on PyPI, which the dYdX attack in February 2026 and the Hades wave in June showed is no longer the quiet corner it used to be.
Hugo stands apart. It ships as a single compiled Go binary, has no npm runtime dependencies and no plugin system, and has no supply chain attack in its history. Two caveats a practitioner will want: the binary itself is built from Go modules, and a site that adds PostCSS or Tailwind through Hugo Pipes reintroduces npm tooling, so the exit is only complete for sites that stay with the built-in toolchain. For content sites that do, this isn't a tradeoff; it is a way out of both broken supply chains.
What This Means for Executives
If you're running WordPress: your risk is visible, catalogued, and growing at 4,200+ new CVEs per year by NVD count (Patchstack's broader tally for 2025 was 11,334). You can budget for it and staff for it. Many organizations do. The cost is real but predictable.
If you migrated to a JavaScript framework: you traded visible risk for invisible risk. Your framework probably doesn't have many CVEs. Your node_modules folder holds 800+ packages, most of them transitive dependencies you never chose, any of which could be the next IronWorm target. Your CI/CD pipeline, the thing that deploys your site and holds the credentials to do so, is the new attack surface.
If you're choosing a framework today: the supply chain risk profile should be part of the decision. Not just 'how many CVEs does this framework have?' but 'how deep is the dependency tree I'm trusting with my infrastructure?'