https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/
Article
- An attacker purchased 30 established WordPress plugins and injected backdoors into all of them
- The attack required no technical skill, only the money to buy already-trusted plugins
- The supply-chain compromise gave the attacker access to every existing install of those plugins via the normal update channel
Discussion
- Commenters note this highlights the tradeoffs in the "always update" ideology: the update channel itself can be an attack vector
- The npm/transitive-dependency problem is seen as equally dangerous and unsolved at scale
- Debate over whether plugin ownership transfers should require user consent or notification
- Some suggest AI-based malware scanning as the only viable defense at this scale