Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them

Bought for six figures, booby‑trapped for clicks — and the comments are chaos

TLDR: A buyer allegedly planted hidden code across 30 WordPress add‑ons, then months later used it to push Google‑only spam and dodge takedowns with a blockchain trick; WordPress patched but missed the mess in a key file. Comments explode over AI paywalls for code vs. dependency chaos and who’s to blame.

Someone reportedly bought a bundle of 30 popular WordPress add‑ons for a six‑figure sum, hid sneaky code in them, then waited eight months to light the fuse, according to Anchor Hosting. Once activated, the code quietly stuffed sites with search spam that only Google’s crawler could see, and used a blockchain trick to keep changing where the bad stuff came from. WordPress rushed a forced update, but it didn’t clean the core settings file, so the spam kept flowing.

The community reaction? Absolute fireworks. One camp is yelling “this is why our software supply chain is broken,” with devs pointing at the modern habit of installing dozens of little dependencies no one audits. Another camp is pitching an AI toll booth for code: pay $1 to have a large language model scan every release. Others clap back that this just creates gatekeepers and false confidence.

A practical crowd asks the money question: what’s the grift? Commenters explain it’s classic SEO spam—hijack your site’s reputation to sell junk via fake pages and redirects. There’s also vintage forum drama: meta arguments about downvotes, and throwbacks to past fiascos like “Secure Custom Fields.” It’s equal parts true‑crime tech saga and comment‑section cage match—with your website stuck in the middle.

Key Points

  • A portfolio of WordPress plugins (reportedly 30) was acquired and backdoored, leading to a supply-chain compromise.
  • Countdown Timer Ultimate was force-updated by WordPress.org to v2.6.9.1, but existing wp-config.php malware persisted.
  • The attack chain used the plugin’s wpos-analytics module to phone home, fetch a backdoor, and inject PHP into wp-config.php.
  • Injected code cloaked SEO spam for Googlebot and resolved its C2 via an Ethereum smart contract to evade takedowns.
  • Forensics using CaptainCore/restic narrowed the injection to April 6, 2026, and traced the backdoor to code added on Aug 8, 2025 (v2.6.7).
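The Key Points above note that the forced plugin update did not clean the PHP injected into wp-config.php, and that the injected code served spam only to Googlebot. A minimal triage check a site owner could run is to scan wp-config.php for anything that does not belong there. The script below is an added example, not code from the article, Anchor Hosting or WordPress.org; the two config samples are constructed for illustration (the tampered one is hypothetical and does not reproduce the real payload), and the rules are heuristics: any include/require other than the standard wp-settings.php load, any statement after that load, obfuscation or remote-fetch calls, and user-agent conditionals that suggest crawler cloaking.

```python
import re
from typing import List, Tuple

# Constructed sample of a clean wp-config.php (trimmed to the relevant lines).
CLEAN_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
\tdefine( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed, hypothetical tampered sample: an extra include dropped into the
# config and an obfuscated, Googlebot-only eval appended after the settings load.
TAMPERED_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
@include_once '/var/www/html/wp-content/uploads/.cache/x.php';
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
\tdefine( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
if (strpos($_SERVER['HTTP_USER_AGENT'] ?? '', 'Googlebot') !== false) { eval(base64_decode('ZWNobyAnc3BhbSc7')); }
"""

# The one include a stock wp-config.php should contain, and it should be last.
SETTINGS_LOAD = re.compile(r"require_once\s+ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]\s*;")
INCLUDE_RE = re.compile(r"\b(include|include_once|require|require_once)\b")
# Calls commonly used to hide a payload or pull code from a remote host.
RISKY_CALLS = (
    "eval(", "base64_decode(", "gzinflate(", "gzuncompress(", "str_rot13(",
    "assert(", "create_function(", "curl_exec(",
    "file_get_contents('http", 'file_get_contents("http',
)
# Branching on the crawler's identity is the signature of cloaked SEO spam.
UA_RE = re.compile(r"HTTP_USER_AGENT|Googlebot", re.IGNORECASE)


def scan_wp_config(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reason, line) for every suspicious line."""
    findings: List[Tuple[int, str, str]] = []
    settings_loaded_at = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks and comment lines so the stock "stop editing" banner is ignored.
        if not line or line.startswith(("//", "#", "/*", "*")):
            continue
        if SETTINGS_LOAD.search(line):
            settings_loaded_at = lineno
            continue
        if settings_loaded_at is not None:
            findings.append((lineno, "code after wp-settings.php load", line))
        if INCLUDE_RE.search(line):
            findings.append((lineno, "unexpected include/require", line))
        for call in RISKY_CALLS:
            if call in line:
                findings.append((lineno, f"obfuscation or remote fetch: {call}", line))
        if UA_RE.search(line):
            findings.append((lineno, "user-agent conditional (possible crawler cloaking)", line))
    return findings


def main() -> None:
    for name, text in (("clean", CLEAN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        hits = scan_wp_config(text)
        print(f"{name}: {len(hits)} finding(s)")
        for lineno, reason, line in hits:
            print(f"  line {lineno}: {reason}\n    {line[:80]}")


if __name__ == "__main__":
    main()
```

Run it against a real file with `scan_wp_config(open("wp-config.php").read())`. A clean config yields no findings; the tampered sample is flagged four ways on the appended line (code after the settings load, eval, base64_decode and the Googlebot check) plus once for the stray include. The heuristics are deliberately noisy: a legitimate custom include will also trip them, which is the point, since wp-config.php is small enough that every hit deserves a human look, and a forced plugin update does nothing to this file.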

Hottest takes

“LLM vetted repos… it will cost $1 to submit a release candidate” — saltyoldman
“There is zero chance that they have checked those libraries for supply chain attacks.” — bradley13
“So how was this attack gonna generate ‘revenue’?” — meteyor
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.