Hackers Buy WordPress Plugins, Inject Malware

Eight months ago, a hacker quietly gained control of over 30 WordPress plugins, and the takeover went unnoticed until recently. Through a sophisticated supply chain attack, these plugins, used for simple website updates, were turned into malware.

One moment, a plugin might be helping a website sell products. The next, it could be stealing data or leaking private information.

WordPress is the most popular website builder globally, but its plugin system has long been seen as a security risk. A new project from Cloudflare aims to offer an alternative.

The Attack: Not a Code Flaw, But a Purchase

This recent attack on 31 WordPress plugins was not caused by bad coding. Instead, the attacker legitimately bought control of the plugins. They purchased them from the original developers on a platform called Flippa for an estimated six-figure sum.

After the sale, the new owner added a backdoor into the code. This backdoor remained hidden for about eight months.

Then, it activated, contacting a remote server to download more malicious software. In some cases, it even changed critical files like wp-config.php, which contains sensitive data such as database login details and security keys.

A Clever Command and Control System

Interestingly, the command and control server for this attack was managed through an Ethereum smart contract. This allowed the attacker to quickly change the server’s address if needed. This method bypassed typical security checks because the malicious code was delivered through what appeared to be a normal plugin update from a trusted source.

WordPress has since removed the affected plugins. However, the damage had already been done. This incident turned a routine update into a major security breach, compromising websites through their own trusted software.

Cloudflare’s Mdash: A New Approach to Plugins

For those concerned about WordPress security, Cloudflare has developed a new project called Mdash. This project aims to replace older PHP code with AI-written JavaScript code. Mdash does not use any original WordPress code and is open-source, but it is designed to work with existing WordPress features.

Mdash's content management system is built on the Astro project. Its key innovation is how it handles plugins.

Instead of giving plugins full access, Mdash runs each one in a secure, isolated environment called a sandbox. This means plugins can only access specific data and functions if they explicitly ask for them and are granted permission.
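
The permission model described above, sketched as an added example; this is not Cloudflare's code or the Mdash API. Every name (CAPABILITIES, buildApi, runPlugin, the manifest shape) is hypothetical, and the sketch covers only the grant check, assuming the plugin itself runs in a separate isolated runtime.

```javascript
// Added illustration; all names are hypothetical. `site` is constructed sample data.
const site = {
  posts: [{ id: 1, title: "Hello" }],
  config: { dbPassword: "constructed-secret" },
};

// Each capability name unlocks exactly one host function.
const CAPABILITIES = new Map([
  ["content:read", () => site.posts.map((p) => ({ ...p }))],
  ["config:read", () => ({ ...site.config })],
  ["network:fetch", (url) => `would fetch ${url}`],
]);

// Grant only capabilities that are both requested and owner-approved.
function buildApi(manifest, approved) {
  const api = Object.create(null);
  const denied = [];
  for (const cap of manifest.requests) {
    if (CAPABILITIES.has(cap) && approved.has(cap)) api[cap] = CAPABILITIES.get(cap);
    else denied.push(cap);
  }
  return { api: Object.freeze(api), denied };
}

// Run a plugin entry point; it receives only `call`, never `site`.
function runPlugin(manifest, approved, entry) {
  const { api, denied } = buildApi(manifest, approved);
  const audit = denied.map((cap) => ({ cap, reason: "not approved" }));
  const call = (cap, ...args) => {
    if (!(cap in api)) {
      audit.push({ cap, reason: "not granted" });
      throw new Error(`capability denied: ${cap}`);
    }
    return api[cap](...args);
  };
  let result, error = null;
  try { result = entry(call); } catch (e) { error = e.message; }
  return { result, error, audit };
}

// The owner approved content access once; an update later asks for more.
function demo() {
  const approved = new Set(["content:read"]);
  const v1 = { requests: ["content:read"] };
  const v2 = { requests: ["content:read", "config:read", "network:fetch"] };
  const before = runPlugin(v1, approved, (call) => call("content:read").length);
  const after = runPlugin(v2, approved, (call) => call("config:read").dbPassword);
  return { before, after };
}
```

In `demo()`, the updated manifest's wider request list is recorded in `audit` and the configuration read fails, so a change of behaviour after an ownership transfer becomes visible instead of silently inheriting full access.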

Will Mdash Replace WordPress?

While Mdash offers a more secure way to handle website extensions, it is unlikely to completely replace WordPress anytime soon. However, the rapid development of new projects like Mdash shows how quickly developers can create alternatives to established systems.

This speed is partly enabled by modern AI coding tools. Tools like Warp can help developers manage multiple AI coding assistants. This allows them to group coding sessions, track project status, and receive notifications when their attention is needed.

Warp’s universal agent support turns your terminal into a command center for these AI tools. Features like vertical tabs help organize different coding sessions, and tab configurations let you save and reopen your preferred setups. This makes it easier to work with complex coding projects and multiple AI agents simultaneously.

Why This Matters

This incident highlights a significant vulnerability in how software updates are handled. When developers sell their plugins, new owners can introduce malicious code disguised as legitimate updates. This supply chain attack method is particularly dangerous because the update arrives from a source users already trust, so it bypasses their suspicion.

The success of such attacks means website owners could unknowingly install malware. This can lead to data theft, website defacement, and loss of sensitive information. The reliance on third-party plugins, while powerful, creates a broad attack surface for malicious actors.

Cloudflare’s Mdash project offers a potential solution by rethinking how plugins are isolated and managed. By sandboxing each plugin, it limits the potential damage if one is compromised. This approach could pave the way for more secure web development practices in the future.

The rapid development of AI coding tools also speeds up the creation of new, potentially more secure, web technologies. While WordPress remains dominant, the emergence of projects like Mdash and the tools that enable their creation suggest a dynamic future for web development.


Source: A rich hacker just penetrated 31 WordPress plugins… (YouTube)

Written by

John Digweed
