A rich hacker just penetrated 31 WordPress plugins...
Fireship·Tech

TL;DR

A buyer purchased 31 WordPress plugins on Flippa for six figures, inserted dormant backdoors, then activated a supply chain attack stealing data.

Key Points

  • 1. A supply chain attack compromised 31 WordPress plugins via legitimate acquisition. An attacker purchased a plugin portfolio on Flippa for an estimated mid-six figures, inserted backdoors 8 months ago, then activated malicious logic that pulled remote payloads and modified sensitive files like wp-config.php.
  • 2. The command-and-control infrastructure used Ethereum smart contracts for resilience. By resolving the C2 domain through a smart contract, the attacker could instantly redirect to a new domain once discovered, making the attack harder to neutralize after exposure.
  • 3. WordPress's plugin architecture is the root cause, with 96% of vulnerabilities stemming from plugins. PHP plugins run with full privileges and no sandboxing, giving them unrestricted access to databases, files, and security keys — meaning any trusted plugin update is a potential attack vector.
  • 4. Cloudflare's new 'Mdash' project aims to replace WordPress with a sandboxed, MIT-licensed alternative. Built on Astro and written in JavaScript, Mdash isolates each plugin in its own worker with capability-based bindings, preventing plugins from accessing data they don't explicitly request — though it is unlikely to kill WordPress soon.
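
The contrast between points 3 and 4, as an added JavaScript example that is not code from the video, WordPress or Cloudflare: a full-privilege plugin call beside a host that hands a plugin only the bindings its manifest declares. The `site` object, the capability names and the manifest fields are hypothetical, and the example models the binding logic only, assuming the plugin itself runs in a separate worker.

```javascript
// Added illustration: a toy plugin host. All names are hypothetical.
// Models binding logic only; real isolation needs a separate worker/process.
// Constructed site state a plugin could reach.
const site = {
  config: { DB_PASSWORD: 'constructed-secret' },
  posts: [{ id: 1, title: 'Hello' }],
  outbound: [], // URLs plugins were allowed to contact
};

// Each capability exposes one narrow function over the site state.
const CAPABILITIES = {
  'posts:read': (s) => ({ listPosts: () => s.posts.map((p) => ({ ...p })) }),
  'net:fetch': (s, grant) => ({
    fetch(url) {
      const host = new URL(url).hostname;
      if (!grant.hosts.includes(host)) throw new Error(`net:fetch denied for ${host}`);
      s.outbound.push(url);
      return 'ok';
    },
  }),
};

// Full-privilege model: the plugin receives the whole site, secrets included.
function runUnsandboxed(plugin) {
  return plugin.run(site);
}

// Capability model: the plugin receives only what its manifest declares.
function runWithBindings(plugin) {
  const env = {};
  for (const grant of plugin.manifest.capabilities) {
    const make = CAPABILITIES[grant.name];
    if (!make) throw new Error(`unknown capability ${grant.name}`);
    Object.assign(env, make(site, grant));
  }
  return plugin.run(Object.freeze(env));
}

// Constructed plugin update that probes for secrets and an undeclared host.
const updatedPlugin = {
  manifest: { capabilities: [{ name: 'posts:read' }, { name: 'net:fetch', hosts: ['api.example.com'] }] },
  run(env) {
    const seen = { secret: env.config ? env.config.DB_PASSWORD : null, net: 'n/a' };
    seen.posts = env.listPosts ? env.listPosts().length : env.posts.length;
    if (env.fetch) try { seen.net = env.fetch('https://unlisted.example.net/u'); } catch (e) { seen.net = e.message; }
    return seen;
  },
};
```

The same plugin update sees the database password under `runUnsandboxed` and gets `null` plus a denied request under `runWithBindings`, which is the property a reviewer would check when auditing a plugin's declared capabilities.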
