<![CDATA[Following up on an excellent blog post we discovered (linked in thread), we dug a little deeper on a recent #WordPress plugin compromise.]]>Following up on an excellent blog post we discovered (linked in thread), we dug a little deeper on a recent plugin compromise. We have more IoCs for you, and what we believe to be a use of the blockchain for an initial access auction for the plugin install base.

Link Preview Image
Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them

What a crazy story. I wonder if the attack surface (now burned) was worth six figures. IoCs in article.

favicon

IFIN (discourse.ifin.network)

]]>https://board.circlewithadot.net/topic/8dac63aa-8452-4d7d-ae85-06ee4de72d93/following-up-on-an-excellent-blog-post-we-discovered-linked-in-thread-we-dug-a-little-deeper-on-a-recent-wordpress-plugin-compromise.RSS for NodeThu, 30 Apr 2026 14:30:21 GMTTue, 14 Apr 2026 17:13:23 GMT60<![CDATA[Reply to Following up on an excellent blog post we discovered (linked in thread), we dug a little deeper on a recent #WordPress plugin compromise. on Wed, 15 Apr 2026 04:55:48 GMT]]>@mttaggart @ifin can you share the URLs that were involved?

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/deepthoughts10/statuses/116406940395475881https://board.circlewithadot.net/post/https://infosec.exchange/users/deepthoughts10/statuses/116406940395475881Wed, 15 Apr 2026 04:55:48 GMT<![CDATA[Reply to Following up on an excellent blog post we discovered (linked in thread), we dug a little deeper on a recent #WordPress plugin compromise. on Wed, 15 Apr 2026 00:41:37 GMT]]>@deepthoughts10 @ifin The second stage did indeed have a handful of crypto exchanges it would try to hit. No reason not to block them all in an enterprise environment, imo.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/mttaggart/statuses/116405940867893747https://board.circlewithadot.net/post/https://infosec.exchange/users/mttaggart/statuses/116405940867893747Wed, 15 Apr 2026 00:41:37 GMT<![CDATA[Reply to Following up on an excellent blog post we discovered (linked in thread), we dug a little deeper on a recent #WordPress plugin compromise. on Wed, 15 Apr 2026 00:37:43 GMT]]>@ifin one thing I’m interested in is the Ethereum API or RPC endpoint the malware is using for the Etherhiding. My theory is that these threat actors use the same handful of endpoints and I want to make their lives harder by blocking those endpoints cc: @mttaggart

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/deepthoughts10/statuses/116405925557950074https://board.circlewithadot.net/post/https://infosec.exchange/users/deepthoughts10/statuses/116405925557950074Wed, 15 Apr 2026 00:37:43 GMT