Coding4Food LogoCoding4Food
HomeCategoriesArcadeBookmarks
vi
HomeCategoriesArcadeBookmarks
Coding4Food LogoCoding4Food
HomeCategoriesArcadeBookmarks
Privacy|Terms

© 2026 Coding4Food. Written by devs, for devs.

All news
TechnologyIT Drama

Someone Bought 30 WordPress Plugins Just to Plant a Backdoor: The Ultimate Supply-Chain Heist

April 14, 20263 min read

A threat actor bought 30 abandoned WordPress plugins, injected a backdoor, and pushed malicious updates to thousands of sites. Check your WP admins now!

Share this post:
icon, icons, wordpress, sites, website, web design, design, construction sites, icons wordpress, wordpress, wordpress, wordpress, wordpress, wordpress
Nguồn gốc: https://coding4food.com/post/hacker-buys-30-wordpress-plugins-plants-backdoor. Nội dung thuộc bản quyền Coding4Food. Original source: https://coding4food.com/post/hacker-buys-30-wordpress-plugins-plants-backdoor. Content is property of Coding4Food. This content was scraped without permission from https://coding4food.com/post/hacker-buys-30-wordpress-plugins-plants-backdoorNguồn gốc: https://coding4food.com/post/hacker-buys-30-wordpress-plugins-plants-backdoor. Nội dung thuộc bản quyền Coding4Food. Original source: https://coding4food.com/post/hacker-buys-30-wordpress-plugins-plants-backdoor. Content is property of Coding4Food. This content was scraped without permission from https://coding4food.com/post/hacker-buys-30-wordpress-plugins-plants-backdoor
Nguồn gốc: https://coding4food.com/post/hacker-buys-30-wordpress-plugins-plants-backdoor. Nội dung thuộc bản quyền Coding4Food. Original source: https://coding4food.com/post/hacker-buys-30-wordpress-plugins-plants-backdoor. Content is property of Coding4Food. This content was scraped without permission from https://coding4food.com/post/hacker-buys-30-wordpress-plugins-plants-backdoorNguồn gốc: https://coding4food.com/post/hacker-buys-30-wordpress-plugins-plants-backdoor. Nội dung thuộc bản quyền Coding4Food. Original source: https://coding4food.com/post/hacker-buys-30-wordpress-plugins-plants-backdoor. Content is property of Coding4Food. This content was scraped without permission from https://coding4food.com/post/hacker-buys-30-wordpress-plugins-plants-backdoor
wordpressplugin backdoorsupply chain attackhackerdrama it
Share this post:

Bình luận

Related posts

work, computer, apple, business, office, desk, technology, pen, phone, smartphone, workstation, blog, blogging, table, book, mouse, computer, apple, apple, apple, business, office, office, office, desk, blog, blog, blog, blog, blog, blogging, blogging, book
IT DramaTechnology

Lean Startup Godfather Eric Ries Drops Truth Bombs on Corporate Greed and Gets Roasted by AI Drama

Eric Ries returns to HN to promote his new book 'Incorruptible', introducing 'financial gravity' while getting roasted over his Claude Code generated site.

Jun 113 min read
Read more →
euro, europe, rocket, nature, prices, price increase, clouds, heaven, strip, aviator, finance, money, currency, inflation, economic crisis, energy crisis, energy saving, market economy, cost, development, stock exchange
TechnologyIT Drama

S&P 500 Slams the Door on SpaceX & AI Giants: Cash is King, Hype is Dead

The S&P 500 committee rejected SpaceX's fast-track and blocked unprofitable AI giants like OpenAI and Anthropic. Read the full drama and tech reactions here!

Jun 63 min read
Read more →
printed circuit board, circuit board, electronics, circuit, computer chip, microchip
IT DramaTechnology

PR Nightmare 101: Flux.ai Sends Legal Goons After Open-Source Darling Adafruit

VC-backed startup Flux.ai thought sending a legal demand letter to Adafruit was a big brain move. Spoiler alert: The internet is now roasting them alive.

Jun 32 min read
Read more →
robot, technology, universe, galaxy, system, robotic, matrix, code, programming, ai generated, coding, computer, hacker, binary, fantasy
IT DramaTechnology

The Goofiest Instagram Exploit: Hackers Sweet-Talked Meta's AI Bot into Handing Over Accounts

Meta got clowned by the silliest exploit in history. Hackers literally gaslit an AI support bot into transferring Instagram accounts without writing a single line of code.

Jun 22 min read
Read more →
code, coding, computer, data, developing, development, ethernet, html, programmer, programming, screen, software, technology, work, code, code, coding, coding, coding, coding, coding, computer, computer, computer, computer, data, programming, programming, programming, software, software, technology, technology, technology, technology
Dev LifeIT Drama

"LLMs Are Eating My Career" - A Dev's Existential Crisis on Hacker News

A trending Hacker News post reveals mid-career panic as devs feel LLMs are taking over. Are AI tools ending software engineering or just evolving it?

Jun 73 min read
Read more →
graphic, poop, frozen poop, poop emoji, emoji, smiley, poo, crap, emoticon, funny, frozen, ice, winter, laugh, smile, happy, emotion, face
AI & AutomationTechnology

Turning AI into 💩: The Ultimate Troll Extension Slapping Tech's Biggest Hype

A new Chrome Extension literally replaces 'AI' with 💩. It's hilarious, but the underlying roast of the tech industry's forced AI trend is brutally honest.

Jun 33 min read
Read more →

Sup, fellow code monkeys. If you're currently maintaining any WordPress sites, you might want to check your pulse—and your plugins. We just witnessed a masterclass in supply-chain attacks that has the dev community sweating bullets: Some big-brain threat actor quietly bought up 30 WP plugins and slipped a backdoor into all of them.

The Grand Plugin Heist: How to Zombify Thousands of Sites

Devs love taking shortcuts. Why write custom code when there's a WP plugin that does it? Hackers know this, and they've weaponized our laziness in the most pragmatic way possible:

  • Instead of brute-forcing passwords or trying to DDoS a hosting environment, the attacker used cold, hard cash. They approached the original developers of 30 neglected but active plugins and bought the repositories outright.
  • Once they legally owned the code, the new "owner" casually injected a highly obfuscated backdoor into the next version update.
  • Unsuspecting site admins saw the update notification and blindly clicked "Update All". Boom. Game over.
  • The payload? It allows the attacker to create rogue admin accounts, inject SEO spam, or route malicious traffic through your site like they are using a top-tier Proxy network.

Hacker News Goes Wild: Panic, Blame, and "I Told You So"

When the news dropped on HN, the community immediately split into a few distinct camps:

  • The Panic Crew: Dashing to their SSH terminals to aggressively audit their wp-content/plugins directory. Lots of "Wait, why is my CPU at 100%?" moments.
  • The Angry Mob: Roasting the WordPress plugin ecosystem. How is the ownership transfer process so frictionless? Why isn't there a mandatory security audit when a repo with 50k+ installs changes hands?
  • The WP Haters: The usual suspects came out of the woodwork to claim WP is a "dumpster fire" and "this is why static site generators are the only way."
  • The Reluctant Admirers: Some folks couldn't help but respect the hustle. Spending a few grand to acquire legit repos to gain root access to thousands of domains is a terrifyingly high-ROI business model.

C4F Takeaway: Trust No One, Not Even Your Pagination Plugin

Let's be real—this isn't just a WordPress problem. This is the tragic reality of Open Source. A solo dev maintains a free plugin for years, gets burnt out, and some sketchy company offers them $2,000 for it. Who wouldn't sell?

Survival tips for the modern dev:

  1. Go on a plugin diet: If you can do it with a few lines in functions.php, do it. Stop installing a massive plugin just to add a tracking script.
  2. Audit ownership changes: If an abandoned plugin suddenly gets an update from a new developer, treat it like a radioactive object.
  3. Assume you're breached: Supply chain attacks are the new meta, from npm to PyPI to WP. Keep backups, lock down file permissions, and monitor your logs.

Anyway, I gotta go check my side projects. One of them is loading suspiciously slow, and I have a bad feeling it's mining crypto for some dude in Eastern Europe.


Source: Hacker News