
"An attacker purchased the entire Essential Plugin portfolio, over 30 WordPress plugins with a combined 400,000 installations, for a six-figure sum on the digital marketplace Flippa. The buyer's very first code commit was a PHP deserialization backdoor."
"The attack pattern is not WordPress-specific. It exploits a structural weakness shared by every package ecosystem where maintainership can be transferred: npm, PyPI, browser extension stores, and the VS Code marketplace all face the same risk."
"In 2018, the event-stream npm package was handed over to a new maintainer who embedded code to steal Bitcoin wallets. It had millions of weekly downloads before anyone noticed."
"If you move off WordPress onto a React/Next.js stack, you're now trusting hundreds of npm packages, many maintained by a single unpaid volunteer."
An attacker acquired over 30 WordPress plugins, injecting a backdoor that activated after eight months, compromising 400,000 installations. This incident highlights a broader vulnerability in software ecosystems where maintainership can be transferred. The attacker inherited commit access and trust without additional code review. Similar past incidents, like the event-stream npm package and XZ Utils backdoor, demonstrate a consistent pattern of building trust before executing attacks. The risk persists across various platforms, including npm and browser extension stores, not just WordPress.
#supply-chain-attacks #wordpress-security #malicious-code-injection #software-ecosystem-vulnerabilities #open-source-risks
Read at InfoQ