An attacker bought 30+ WordPress plugins (the Essential Plugin portfolio) on Flippa for a six-figure sum, planted a PHP deserialization backdoor in them in August 2025, and activated it eight months later to serve cloaked SEO spam only to Googlebot, so ordinary visitors and site owners saw nothing unusual. The payload resolved its command-and-control infrastructure through an Ethereum smart contract, which makes the C2 hard to take down, and injected code into wp-config.php. WordPress.org closed 31 of the plugins on 7 April 2026, but that only stops further distribution: sites already compromised must be cleaned by hand. The same week, Smart Slider 3 Pro (800,000+ installs) was hit in a separate attack on its update infrastructure. Both attacks expose a structural gap. WordPress has no code review on ownership transfer, no code signing for updates, and no mandatory 2FA for developers, whereas npm and PyPI adopted such supply-chain safeguards after similar incidents.
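Two checks a site owner can run against the behaviour described above: diff what the site serves to a browser against what it serves to Googlebot (cloaking shows up as crawler-only content), and grep wp-config.php for calls a stock config never makes. This is an added example, not code from the article, from WordPress, or from the plugins involved; the indicator list, the user-agent strings, the sample wp-config.php and the sample HTML are all constructed assumptions, not captures from a real compromised site.

```python
"""Triage helpers for a WordPress site suspected of cloaked SEO-spam injection.

Added example (not from the article or WordPress).  The indicator list and the
sample inputs are assumptions; review every hit by hand."""
import re
import urllib.request
from difflib import unified_diff
from typing import Dict, List

# PHP functions a stock wp-config.php has no reason to call.  Heuristic list
# chosen for this example, not an indicator list from the article.
SUSPICIOUS_CALLS = ("eval", "unserialize", "base64_decode", "gzinflate",
                    "str_rot13", "create_function", "assert")
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(")

GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/128.0"


def scan_wp_config(source: str) -> List[str]:
    """Return 'lineno: text' for each line of wp-config.php that calls one of
    SUSPICIOUS_CALLS.  Triage only: a hit is something to read, not proof."""
    return [f"{n}: {line.strip()}"
            for n, line in enumerate(source.splitlines(), 1)
            if CALL_RE.search(line)]


def fetch(url: str, user_agent: str, timeout: float = 10.0) -> str:
    """Fetch url with an explicit User-Agent.  Live helper for real use;
    the offline demo below uses constructed HTML instead."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def cloaking_diff(pages: Dict[str, str],
                  browser: str = BROWSER_UA,
                  crawler: str = GOOGLEBOT_UA) -> List[str]:
    """Given {user_agent: html} for one URL, return the lines present only in
    the crawler's view.  An empty list means both views agree (no cloaking
    detectable by this check)."""
    diff = unified_diff(pages[browser].splitlines(), pages[crawler].splitlines(),
                        fromfile="browser", tofile="googlebot", lineterm="")
    return [l for l in diff if l.startswith("+") and not l.startswith("+++")]


def injected_links(pages: Dict[str, str]) -> List[str]:
    """Anchor hrefs served to Googlebot but not to the browser: the SEO-spam
    targets, useful as IOCs for the rest of the fleet."""
    href = re.compile(r'href="([^"]+)"')
    browser_links = set(href.findall(pages[BROWSER_UA]))
    return sorted(set(href.findall(pages[GOOGLEBOT_UA])) - browser_links)


# Constructed sample inputs (illustrative pattern only; not real payloads).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';
@eval(base64_decode('ZWNobyAxOw=='));
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

SAMPLE_PAGES = {
    BROWSER_UA: "<html>\n<body>\n<h1>Blog</h1>\n<p>Hello</p>\n</body>\n</html>",
    GOOGLEBOT_UA: ("<html>\n<body>\n<h1>Blog</h1>\n<p>Hello</p>\n"
                   '<div style="display:none">'
                   '<a href="https://spam.example/casino">casino</a></div>\n'
                   "</body>\n</html>"),
}

if __name__ == "__main__":
    for hit in scan_wp_config(SAMPLE_WP_CONFIG):
        print("wp-config.php suspicious:", hit)
    for line in cloaking_diff(SAMPLE_PAGES):
        print("crawler-only:", line)
    print("injected links:", injected_links(SAMPLE_PAGES))
```

For a live site, call `fetch(url, BROWSER_UA)` and `fetch(url, GOOGLEBOT_UA)` and pass the two bodies to `cloaking_diff`; fetch from a host the site has no reason to recognise, since some cloakers also key on Google's IP ranges, in which case a user-agent swap alone shows nothing and the check must be repeated from Google Search Console's URL inspection tool.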

From thenextweb.com (6 min read)