The Aftermath of the WordPress.org Supply Chain Attack: New Malware and Techniques Emerge – Security Landscape Evolves

Duane Mitchell • August 3, 2024

In late June 2024, a significant security breach affected the WordPress.org plugin repository. The incident began with the discovery of malware in the Social Warfare plugin, quickly expanding to impact multiple other plugins.

This event highlighted the vulnerabilities in open-source content management systems and the importance of robust security measures.

The attack’s scope widened over several days, prompting WordPress.org to implement a mandatory password reset for all users.

Security teams worked diligently to identify and combat the various malware strains , releasing protective measures for both premium and free users.

As the situation evolved, new malware variants emerged, necessitating ongoing vigilance and updates to security protocols.

Key Takeaways

  • A major security breach affected multiple WordPress plugins in June 2024
  • Security teams rapidly developed and deployed protective measures against the malware
  • The incident underscored the need for enhanced security in open-source platforms

Novel Credential Theft Technique Emerges

A WordPress agency managing numerous sites fell victim to a sophisticated supply chain attack on July 14, 2024.

The compromise occurred through updates to the Blaze Widget and Social Warfare plugins, leading to unauthorized administrator accounts appearing on multiple websites.

The attackers employed a new malware variant, discovered in the plugins directory of an affected site. This malicious code was programmed to transmit data to a specific IP address: 94.156.79.8.

This address serves as a central hub for the hackers, collecting exfiltrated information and hosting malicious scripts.

Key aspects of this attack include:

  • Delayed detection due to the stealthy nature of the compromise
  • Use of legitimate plugin updates as an infection vector
  • Creation of rogue administrator accounts for persistent access

Security experts have flagged the implicated IP address as malicious.

WordPress site owners are advised to:

  1. Regularly audit user accounts
  2. Implement robust security scanning
  3. Keep plugins updated from trusted sources only

This incident underscores the evolving sophistication of data breaches targeting popular content management systems. It highlights the critical need for vigilance and proactive security measures in the face of increasingly cunning cyber threats.

Unauthorized SMTP Credential Extractor Plugin Discovered

A concerning discovery was made on a website managed by a digital agency. An unauthorized plugin named “Custom Mail SMTP Checker” was found to be present, raising significant security concerns.

This plugin’s primary function appears to be the extraction and transmission of SMTP credentials used by the popular WP Mail SMTP plugin.

The code within this unauthorized plugin operates by hooking into WordPress’s admin_init action. It then checks for the existence of wp_mail_smtp options and, if found, proceeds to flatten the array of options.

The flattened data, along with the site’s URL, is then sent to a remote server via a POST request.

It’s important to note that this malicious activity differs from previous supply chain attacks on WordPress plugins.

While earlier incidents focused on spreading infections, injecting crypto malware, and maintaining unauthorized admin access, this new threat specifically targets SMTP credentials.

The potential impact of this unauthorized plugin may be limited due to the encryption measures implemented in recent versions of WP Mail SMTP.

Since October 2020, version 2.5.0 and later encrypt SMTP passwords by default, storing the encryption key separately. However, this doesn’t completely negate the risk.

Possible scenarios for credential misuse include:

  1. Attackers already having admin access, allowing them to retrieve encryption keys
  2. The malicious code being in a testing phase, with more sophisticated versions expected in the future

Website administrators who discover this unauthorized plugin should take immediate action:

  • Change email passwords associated with the affected accounts
  • Perform a comprehensive security audit and malware removal
  • Review and update access controls for the WordPress installation

This incident serves as a reminder of best practices for email handling on WordPress sites:

  1. Use dedicated email accounts for website communications
  2. Avoid using personal or business-critical email accounts for site functions
  3. Regularly update and monitor all plugins, especially those handling sensitive data

While the WP Mail SMTP plugin itself is not vulnerable, this situation highlights the importance of vigilance in managing WordPress installations. Regular security audits, prompt updates, and careful monitoring of installed plugins are crucial steps in maintaining website security.

New Malware Variants Target WooCommerce and Braintree Data

Recent investigations have uncovered two additional malware variants affecting WordPress sites. These new threats specifically target WooCommerce order information and Braintree API data.

The first variant focuses on extracting WooCommerce order details. It operates by collecting order summaries through a custom function.

This malicious code then gathers crucial site information, including:

  • Domain name
  • Admin username
  • Admin password
  • WordPress login path

The malware bundles this sensitive data with any available order information and transmits it to a remote server controlled by the attackers. This process poses a significant risk to both website owners and their customers.

The second variant employs similar tactics but targets Braintree API information. Braintree, a popular payment processing service, handles sensitive financial data.

By compromising this information, attackers gain potential access to payment-related details.

Both malware variants utilize exfiltration scripts to steal data.

These scripts employ curl requests to send the collected information to attacker-controlled IP addresses. The use of HTTPS in these requests may make detection more challenging.

Key risks associated with these malware variants include:

  • Exposure of customer personal information
  • Theft of payment processing credentials
  • Potential financial fraud
  • Damage to website reputation

Website owners should remain vigilant and implement the following protective measures:

  1. Regularly scan for malware
  2. Keep WordPress core, plugins, and themes updated
  3. Use strong, unique passwords for admin accounts
  4. Implement two-factor authentication
  5. Monitor site activity for unusual behavior

By staying informed about these emerging threats and taking proactive security measures, WordPress site owners can better protect their websites and customer data from malicious actors.

Identifying Signs of Infection

Several key indicators can help detect potential malware infiltration resulting from the recent WordPress supply chain attack. Security professionals should be vigilant for specific file names and IP addresses associated with this threat.

The presence of the IP address 94.156.79.8 in PHP files or detected during malware scans strongly suggests data exfiltration. This IP serves as a reliable marker of malicious activity.

Suspicious plugin file names to monitor include:

  • informative/testplugingodlike.php
  • core_plug/godlikeplug8.php
  • braintree-api-key-sender3/braintree-api-key-sender.php
  • hello-world/`xg.php
  • hello-world/hello-world.php
  • custom-mail-smtp-checker/custom-mail-smtp-checker.php

While these names may evolve, the associated IP remains a consistent indicator of malicious code.

In some instances, cryptomining JavaScript has been injected directly into cached pages.

Sites using caching plugins should run thorough malware scans on these cached files, which may trigger alerts for the aforementioned IP address. After completing a full site cleanup, clearing the cache is strongly recommended.

Security teams should remain alert to new variations of malware and file names as threat actors adapt their tactics.

Regular scans, code reviews, and monitoring of file system changes are crucial steps in maintaining WordPress site security and swiftly identifying potential compromises.

Key IP Addresses

The attackers utilized the IP address 94.156.79.8 as a central hub for their malicious activities.

This server hosted harmful JavaScript code and functioned as a data collection point. Network administrators should closely monitor and block traffic to this IP to help prevent compromise.

Suspicious Administrative Usernames

Several unusual usernames have been identified as potential indicators of compromise in WordPress administrative accounts.

The names “PluginAUTH”, “PluginGuest”, and “Options” warrant immediate investigation if found among administrator users.

Additionally, randomly generated usernames like “aaBGFtd” and “aaCmiuz” may signal unauthorized access attempts.

Some affected sites report thousands of such accounts.

WordPress administrators should regularly audit user lists and promptly remove any suspicious entries with elevated privileges.

Aftermath and Protective Measures

The recent WordPress.org plugin supply chain attack has led to the emergence of sophisticated malware variants. These new strains focus on extracting credentials beyond WordPress, targeting email and payment processing accounts.

To combat these threats, security firms have developed updated malware signatures.

Premium users of certain security services receive immediate protection, while free users typically experience a 30-day delay.

For compromised sites, a thorough cleaning process is essential. Consider the following steps:

  1. Conduct a comprehensive site scan
  2. Remove all malicious code
  3. Update all plugins and themes
  4. Change all passwords
  5. Implement stronger security measures

Professional incident response services are available for those seeking expert assistance.

These services often provide round-the-clock support throughout the year.

Plugin developers should remain vigilant and adopt best practices:

  • Regularly audit code
  • Use strong, unique passwords
  • Implement two-factor authentication
  • Keep development environments secure

The WordPress.org plugin review team plays a crucial role in maintaining ecosystem security.

Their ongoing efforts to detect and remove compromised plugins are vital for user protection.

Common Questions About the WordPress.org Attack

How can websites protect themselves from future supply chain threats?

Website owners can take several steps to guard against supply chain attacks:

  • Implement strict plugin vetting processes
  • Regularly update and patch all software components
  • Use reputable security plugins to monitor for suspicious activity
  • Enable two-factor authentication for all admin accounts
  • Conduct frequent security audits of installed plugins and themes

What new hacking techniques have emerged after the WordPress.org incident?

 

The WordPress.org supply chain attack has led to new malicious tactics:

 

  • Injection of stealthy backdoors into seemingly benign plugin code
  • Use of obfuscated malware to evade detection
  • Exploitation of trusted update mechanisms to spread malicious code
  • Targeting of developer accounts through credential stuffing attacks

What immediate actions should admins take if they suspect a supply chain compromise?

Upon suspecting a supply chain attack, administrators should:

  1. Immediately disable and remove affected plugins
  2. Conduct a thorough security scan of the entire website
  3. Change all admin passwords and access credentials
  4. Review server logs for signs of unauthorized access
  5. Restore the site from a clean backup if available

How do supply chain attacks affect end users of compromised platforms?

End users may experience:

  • Theft of personal data or login credentials
  • Injection of malware onto their devices
  • Redirection to malicious websites
  • Degraded website performance or functionality
  • Loss of trust in affected platforms and plugins

What long-term effects might the WordPress.org attack have on plugin developers?

The supply chain attack could lead to:

  • Increased scrutiny and vetting of plugin submissions
  • Stricter security requirements for developer accounts
  • Enhanced code review processes for plugin updates
  • Greater emphasis on secure coding practices
  • Potential loss of user trust and plugin adoption rates

How has the WordPress.org incident influenced industry cybersecurity practices?

The attack has prompted several changes in the wider cybersecurity landscape:

  • Heightened awareness of supply chain vulnerabilities
  • Increased investment in software supply chain security measures
  • Adoption of more rigorous code signing and verification processes
  • Growing emphasis on developer account security and access controls
  • Expanded use of automated security scanning tools in software repositories

Building better solutions for better business®

By Duane Mitchell April 4, 2025
Cisco has issued a critical security alert about a backdoor administrative account in its Smart Licensing Utility (CSLU) that hackers are actively exploiting. This vulnerability allows unauthorized users to gain administrative access to unpatched systems, potentially leading to serious security breaches. The critical flaw (CVE-2023-20198) involves undocumented static admin credentials that give attackers remote administrative […]
By Duane Mitchell April 2, 2025
The U.S. tariffs on Canadian goods have disrupted trade dynamics, but they also present opportunities for Canadian businesses to capitalize on emerging niche markets. Here are some of the most promising areas: 1. High-Quality Apparel Canadian exports of wool suits, jackets, and outerwear are now less competitive in the U.S. market due to the 25% tariff. However, Canada’s expertise in high-quality, wool-based garments and specialized outerwear creates an opportunity to pivot toward premium markets in Europe, Asia , or domestic sales. This could also include diversifying into synthetic or cotton-based premium apparel to meet changing global demands [1]. 2. Alternative Trade Partnerships With the U.S. imposing higher tariffs, Canadian businesses can take advantage of trade agreements like CETA (Europe) and CPTPP (Asia-Pacific) to diversify markets. Products like agricultural goods, packaged food, and textiles are especially well-suited for export to these regions [4][7]. 3. Sustainable Packaging and Materials Canadian producers specializing in sustainable paper, plastics, and packaging can leverage U.S. tariffs on these products to expand within Canada and into other global markets. For instance, demand for eco-friendly, reusable packaging is rising, creating a niche for Canadian manufacturers to cater to both domestic and international sustainability goals [10]. 4. Potash and Agricultural Products Despite the 10-25% U.S. tariffs on Canadian potash, the country’s dominance in global potash production, essential for fertilizers, allows it to explore markets outside the U.S., such as Latin America or Asia. Additionally, agricultural export diversification, including premium grains and produce, can target untapped regions [5][6]. 5. Renewable Energy and Critical Minerals The 10% tariff on Canadian critical minerals and energy products provides impetus for Canada to bolster its renewable energy sector and implement value-added processing for minerals domestically. By investing in solar, wind, and battery production, Canadian companies can develop less U.S.-dependent supply chains while capturing growing global demand for green resources [4][9]. 6. Local Manufacturing and Innovation With tariffs disrupting supply chains, businesses can focus on domestic manufacturing of goods like steel, aluminum, and automotive components . Localization of production and innovation in advanced manufacturing (e.g., robotics and automation) will appeal to Canadian industries aiming to reduce U.S. reliance [6][7]. 7. Luxury and Artisanal Consumer Goods Canadian producers can focus on luxury and artisanal goods, including craft spirits, premium foods, and high-end furniture. Tariffs on U.S. competing goods like wine, spirits, and peanut butter create an opportunity for Canadian brands to replace these products in the domestic market [2][4]. 8. Technology & Software Development Canadian tech companies can position themselves as key players in logistics, supply chain management, and compliance software. As businesses adapt to tariff complexities, there is significant demand for digital solutions that improve efficiency and help navigate trade barriers [6][7]. 9. Tourism and Local Experiences With tariffs fostering national pride and encouraging "buy Canadian" sentiments, Canadian tourism—from nature-based experiences to cultural festivals—can draw more domestic and international visitors, adding value to the local economy [2]. 10. Specialized Support Services Legal, trade consulting, and financial advisory services focused on tariff navigation, market diversification, and supply chain diversification have growing potential. Canadian businesses will require assistance in aligning with new trade policies and global expansion strategies [7][8]. 11. Canada has introduced substantial financial relief and support programs to help businesses affected by tariffs: Export Development Programs: The CAD 5 billion Trade Impact Program offers funding to businesses seeking to reach new international markets, enabling small companies to compete globally [10][12]. Incentives for Innovation: Funding for technology startups and clean energy projects can help businesses innovate and grow amid economic uncertainty [11]. References: www.fibre2fashion.com Disaggregated Analysis of US Tariffs on Canadian Apparel Exports www.canada.ca Canada's Response to US Tariffs www.wernerantweiler.ca Blog Post on Tariff Impacts www.bdo.ca Trade Turmoil: United States Tariffs and Canada's Next Moves www.thestarphoenix.com What You Need to Know About Tariffs on Potash www.doanegrantthornton.ca How New Tariffs Could Affect Canadian Businesses www.hicksmorley.com Tariffs Are Here: How Will They Impact Canadian Businesses? www.nationalpost.com Carney Pivots to Day of Meetings in Ottawa Before Latest Round of Trump Tariffs www.ey.com Canada Imposes New Tariffs on US Origin Products www.packagingdive.com Trump Tariffs on Canada, Mexico: Packaging, Paper, Plastic www.thepoultrysite.com Canada Commits Over C$6 Billion to Fight Impact of US Tariffs, Find New Markets www.canada.ca Canada's Response to US Tariffs www.sobirovs.com Tariffs' Impact on Business Opportunities in Canada
By Duane Mitchell March 8, 2025
The World of AI Ethics and Decision-Making Artificial intelligence has rapidly evolved from theoretical concepts to practical applications that impact our daily lives. Large language models (LLMs) like ChatGPT and other generative AI systems represent some of the most visible advancements in this field. These systems demonstrate impressive capabilities but also raise profound questions about […]