news.volyx.in

Someone bought 30 WordPress plugins and planted a backdoor in all of them (anchor.host)

1194 points by speckx · 93 days ago · 341 comments on HN

Article summary

A security researcher discovered that 30 WordPress plugins were compromised after being acquired by a new owner, who planted a backdoor in all of them. The backdoor was used to inject spam links and fake pages, and was only visible to Googlebot. The plugins were sold on Flippa, and the buyer's background in SEO and crypto marketing was public. The WordPress.org Plugins Team permanently closed all 30 plugins after the attack was discovered.

Main themes

  • WordPress plugin security
  • Supply chain attacks
  • Plugin ownership transfers
  • Code review and vetting
  • Dependency management

What commenters say

  • Implementing a vetting process for open-source code, potentially using LLMs, could help prevent supply chain attacks, but may not be effective if attackers are willing to pay for validation.
  • The current state of dependency management in software development is problematic, with many projects relying on unvetted libraries and transitive dependencies.
  • Some developers are moving away from Node.js and JavaScript due to the recent spike in supply chain attacks, and are instead choosing languages like Golang, which has a more comprehensive standard library.
  • Rolling your own solutions, rather than relying on third-party libraries, can be a viable option for avoiding supply chain attacks, but may not always be practical or necessary.
  • The goal should be to make software development more secure by default, so that users don't need to be experts in security to avoid vulnerabilities.
  • The prevalence of supply chain attacks is a market problem, driven by the desire for profit and the pressure to deliver software quickly, rather than a technical problem.
  • Using languages with built-in security features, such as Go's shorter dependency chains, can help resist supply chain attacks, but no solution is foolproof.