Hacker Buys WordPress Plugins, Sneaks Malware
A hacker recently bought control of 31 WordPress plugins, injecting malware through a supply chain attack. This incident highlights security risks in WordPress plugins. Cloudflare has launched Mdash, a new project offering a more secure, sandboxed alternative.
Eight months ago, a hacker quietly gained access to over 30 WordPress plugins. No one noticed until now. This large group of plugins, used for simple website design updates, was turned into malware through a clever supply chain attack.
One moment, a plugin might be helping a website sell products. The next, it could be stealing data or leaking private information.
WordPress is still the most popular way to build websites. However, many believe its plugin system is not very secure. Now, a new project aims to offer an alternative.
How the Attack Happened
The recent attack on 31 WordPress plugins was not caused by bad coding. Instead, the attacker bought control of these plugins legally. They purchased them from the original developers for a price estimated to be in the hundreds of thousands of dollars.
After the purchase, the new owner added a hidden backdoor about eight months ago. This backdoor remained inactive until the attacker decided to activate it.
Once activated, the malicious code contacted a remote server. It then downloaded more harmful code. In some cases, it even changed important website files like wp-config.php.
This file contains sensitive data such as database connection details and security keys. The hacker controlled the attack through an Ethereum smart contract, which allowed them to quickly change the command server if needed.
The main problem here is that the malware was delivered through a normal plugin update. This update came from a trusted source, so it bypassed normal security checks.
WordPress did remove the infected plugins after the exploit was discovered. However, the damage to affected websites had already been done.
Why This Matters
This incident highlights a significant security risk within the WordPress ecosystem. The plugin architecture, while powerful, allows third-party code to run with high levels of access.
When a plugin is updated, users often trust it without question, assuming it’s safe. This trust was exploited in a sophisticated supply chain attack.
The ease with which an attacker can purchase and then corrupt popular plugins is concerning. It means that a single malicious actor can impact a vast number of websites very quickly. This attack shows that even seemingly minor plugins can become vectors for serious security breaches.
A New Alternative: Cloudflare’s Mdash
For those concerned about WordPress security, Cloudflare has introduced a new project called Mdash. This project aims to replace older PHP code with AI-written JavaScript.
Mdash does not use any original WordPress code and is available under an MIT license. It is designed to work with existing WordPress APIs.
The project is built on the Astro project for its content management system. What makes Mdash different is its approach to plugin security.
It places each plugin in its own secure sandbox using a dynamic worker. The framework itself controls data access, only allowing plugins specific permissions if they are explicitly requested in their manifest file.
This sandbox approach prevents plugins from having unrestricted access to the website’s data and functions. It’s like giving each plugin only the tools it absolutely needs to do its job, without letting it touch anything else. While Mdash offers a more secure architecture, it is unlikely to replace WordPress entirely anytime soon.
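The manifest-gated permission model described above can be sketched as follows. This is an added example, not code from Mdash or Cloudflare: the capability names, `buildPluginApi`, `runPlugin` and the `services` object are all hypothetical, and the worker isolation that keeps a real plugin from reaching host objects directly is assumed rather than modeled.

```javascript
// Added illustration: manifest-gated capabilities, deny by default.
// Every name here is hypothetical and is not Mdash's real API.

// Constructed host-side services. "config:read" stands in for secrets such as
// the database details and security keys that wp-config.php holds in WordPress.
const services = {
  'content:read': () => ['Hello world'],
  'content:write': (post) => `saved:${post}`,
  'config:read': () => ({ dbPassword: 'constructed-secret' }),
};

// Build the only object a plugin ever receives. Capabilities not named in the
// manifest are absent from it; unknown names fail at load time.
function buildPluginApi(manifest) {
  const api = Object.create(null);
  for (const cap of manifest.permissions ?? []) {
    if (!Object.hasOwn(services, cap)) {
      throw new Error(`${manifest.name}: unknown permission "${cap}"`);
    }
    api[cap] = services[cap];
  }
  return Object.freeze(api);
}

// Run plugin code against its gated API and report the outcome.
function runPlugin(manifest, pluginFn) {
  const api = buildPluginApi(manifest);
  const call = (cap, ...args) => {
    if (!(cap in api)) throw new Error(`denied: ${cap} not in manifest`);
    return api[cap](...args);
  };
  try {
    return { ok: true, value: pluginFn(call) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed manifest for a design-tweak plugin that only asked to read content.
const manifest = { name: 'theme-tweaks', permissions: ['content:read'] };

// The original behaviour works; an update that reaches for config is refused.
const benign = runPlugin(manifest, (call) => call('content:read').length);
const tampered = runPlugin(manifest, (call) => call('config:read').dbPassword);
console.log(benign, tampered);
```

Under this model, a plugin update that starts needing access to configuration has to request it in the manifest, which turns a silent change into a visible one that can be reviewed.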
The Role of AI in Development
The rapid development of alternatives like Mdash is made possible by modern AI coding tools. These tools help developers create complex software much faster than before. AI can assist in rewriting code, identifying potential errors, and even generating new code from scratch.
Tools like Warp are emerging to help developers manage multiple AI coding agents. Warp allows users to organize different AI sessions in their terminal.
This helps keep track of various coding tasks and their statuses. Features like vertical tabs and saved tab configurations streamline the development workflow.
Notifications from AI agents can alert developers when they need attention. This prevents developers from constantly checking on their AI tools. Warp offers a way to centralize and manage these AI assistants, making them more effective for developers.
The speed at which new tools and frameworks can be built and deployed is increasing. This is largely thanks to advancements in AI and the collaborative nature of open-source projects. Cloudflare’s Mdash and tools like Warp showcase this trend.
Cloudflare’s Mdash project is available now.
Source: A rich hacker just penetrated 31 WordPress plugins… (YouTube)





