:

ATTACKER BUYS 30 WORDPRESS PLUGINS, ADDS BACKDOORS

INDUSTRY DESK1 MIN READ
MON, APR 13, 2026

A threat actor purchased 30 WordPress plugins and injected backdoor code into all of them, potentially exposing thousands of websites. The compromised plugins have since been identified and removed from the WordPress repository.

Security researchers discovered that an individual acquired ownership of multiple WordPress plugins through the official marketplace and systematically added malicious code to each one. The backdoors allowed unauthorized access to affected websites. The plugins remained available for download before detection, meaning site administrators who installed or updated them during the window of compromise may have been affected. WordPress has removed the malicious plugins and notified affected users. This incident highlights vulnerabilities in how plugin ownership transfers are handled and the risks of relying on third-party code without verification. WordPress plugin supply chain attacks have increased in frequency, with attackers recognizing the ecosystem's reach across millions of websites. Site owners are advised to audit their installed plugins, remove any from the compromised list, and implement security monitoring to detect unauthorized access.

■ MORE FROM THE SECURITY DESK

Caller ID service Truecaller is pushing back against India's telecom regulator over new anti-spam regulations, claiming users are increasingly blocking calls from the country's dedicated business number series.

2H AGOIndustry Desk

Telstra customers faced a second day of disruptions Thursday as a secondary outage prevented some from reaching triple-zero emergency services. Regional train services remained affected following Wednesday's initial mobile network failure.

2H AGOAI Desk

Australia's government has instructed volunteers to discard thousands of functional test routers despite the devices being capable of being reflashed for continued use.

6H AGOIndustry Desk

A lawsuit alleges a man used X's Grok AI to create approximately 7,000 sexually explicit images of his stepdaughter before taking his own life. Multiple young girls are now suing X, claiming the platform failed to prevent the abuse.

8H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.