An attacker purchased 31 WordPress plugins (the Essential Plugin portfolio) on Flippa, planted a PHP deserialization backdoor in each, and waited 8 months before activating them on April 5-6, 2026. The malware injected hidden SEO spam, visible only to search engines, into wp-config.php, and used Ethereum smart contracts as C2 infrastructure to evade domain takedowns. WordPress.org permanently closed all 31 plugins and forced auto-updates on April 7-8.
Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them
Attacker acquired 31 WordPress plugins via Flippa, implanted backdoors, then activated hidden SEO injection via Ethereum smart contract C2 infrastructure to evade takedown.
Monday, April 13, 2026 12:00 PM UTC | 2 min read | Source: Hacker News | By sys://pipeline
Tags
infrastructure