Supply‑Chain Compromise: Threat Actor Purchases 30 WordPress Plugins, Plants Backdoors Across All Packages
What Happened — Researchers discovered that a malicious actor bought a bulk portfolio of 30 popular WordPress plugins from a third‑party marketplace, injected a hidden backdoor into each, and republished them to the official WordPress plugin repository. The backdoor grants remote command‑and‑control (C2) access to any site that installs the compromised plugins.
Why It Matters for TPRM —
- Third‑party software used by vendors can become a conduit for credential theft and data exfiltration.
- Compromised plugins affect thousands of downstream customers, expanding the attack surface of any organization that relies on them.
- Supply‑chain attacks are difficult to detect with traditional endpoint controls, requiring enhanced vendor vetting and continuous monitoring.
Who Is Affected — Web‑hosting providers, SaaS platforms, e‑commerce sites, and any organization that uses WordPress plugins (primarily TECH_SAAS and RETAIL_ECOM sectors).
Recommended Actions —
- Conduct an immediate inventory of all WordPress plugins in use and verify their provenance.
- Remove or replace any of the 30 identified plugins; apply integrity checks (hash verification against a known‑good copy) to the remaining plugins.
- Strengthen vendor risk assessments to include supply‑chain security questionnaires and periodic code‑review audits.
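As an added defender-side example (not from the advisory or its source), the inventory and hash-verification steps above in Python: hash every file in each installed plugin directory, diff it against a baseline manifest captured from a trusted copy, and flag any plugin that has no baseline at all. The plugin slugs, file contents and the injected file are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(plugin_dir: Path) -> dict:
    """Map each file under plugin_dir (relative POSIX path) to its SHA-256 hex digest."""
    return {p.relative_to(plugin_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(plugin_dir.rglob("*")) if p.is_file()}


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify drift from a trusted baseline: files added, removed or modified."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f])}


def audit_plugins(plugins_root: Path, baselines: dict) -> dict:
    """Audit every plugin directory under plugins_root against baselines (slug -> manifest
    captured from a copy reviewed before the ownership change). A plugin with no baseline
    is flagged as no_baseline so it gets a provenance check instead of a silent pass."""
    report = {}
    for plugin_dir in sorted(d for d in plugins_root.iterdir() if d.is_dir()):
        slug = plugin_dir.name
        if slug not in baselines:
            report[slug] = {"no_baseline": True}
            continue
        drift = diff_manifest(baselines[slug], hash_tree(plugin_dir))
        report[slug] = {"no_baseline": False, "clean": not any(drift.values()), **drift}
    return report


def demo() -> dict:
    """Constructed scenario: baseline a plugin, then alter its loader and add a file,
    the way a republished package would differ. Returns the audit report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wp-content" / "plugins"
        good = root / "example-seo"  # constructed plugin slug, not a real plugin
        (good / "inc").mkdir(parents=True)
        (good / "example-seo.php").write_text("<?php // plugin loader\n")
        (good / "inc" / "helpers.php").write_text("<?php function seo_title() {}\n")
        baseline = {"example-seo": hash_tree(good)}
        (good / "example-seo.php").write_text("<?php // plugin loader\ninclude 'inc/extra.php';\n")
        (good / "inc" / "extra.php").write_text("<?php // constructed stand-in for an injected file\n")
        (root / "unknown-forms").mkdir()  # installed plugin with no trusted baseline
        (root / "unknown-forms" / "unknown-forms.php").write_text("<?php\n")
        return audit_plugins(root, baseline)


if __name__ == "__main__":
    for slug, result in demo().items():
        print(slug, result)
```

In practice the baseline manifests come from a copy you captured before the plugin changed hands, and any plugin reported as `no_baseline` or not `clean` goes to the provenance review rather than staying live.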
Technical Notes — The attacker leveraged a legitimate purchase channel to obtain the plugins, then used automated script injection to embed a PHP backdoor that communicates with a C2 server via HTTP POST. No public CVE is associated; the threat is a supply‑chain compromise. Affected data includes site admin credentials, session cookies, and potentially customer PII stored by the compromised sites.
Source: Security Affairs Malware Newsletter Round 93