Anadnet (PUC update-channel hijack campaign) malicious

4 mapped plugins · 4 currently tracked · 41k+ active installs combined · 4 closed · 1 audit

⚠ Confirmed malicious campaign

Hijacked plugin-update-checker config to point at updates.cdnstaticsync.com (anadnet /bro/3/ pattern). scroll-top confirmed malicious in Audit #12; 3 sibling plugins under the inherited @satrya account closed by wp.org 2026-04-26 (advanced-random-posts-widget, smart-recent-posts-widget, comments-widget-plus). Benjamin email gouldbenjamin135@gmail.com confirmed on smart-recent-posts-widget r3126813 (2024-07-28).

Flagged 18h ago.

Plugin	Prior owner	Acquired	Installs	Last release	Status
Scroll To Top scroll-top	Benjamin (@milkitall)	—	20k+	—	Closed
Advanced Random Posts Widget advanced-random-posts-widget	Benjamin (@milkitall)	—	10k+	—	Closed
Smart Recent Posts Widget smart-recent-posts-widget	Benjamin (@milkitall)	—	9k+	—	Closed
Recent Comments Widget Plus comments-widget-plus	Benjamin (@milkitall)	—	2k+	—	Closed

Linked audits (1)

#	Plugin	Verdict	Cleanup	Started	Closed
#12	Scroll To Top	Malicious	closed_by_wporg	7d ago	7d ago

IOCs from this campaign (11)

Kind	Value	Confidence	From audit
code_pattern	`?gimme=updates`	high	#12
code_pattern	`/bro/3/`	high	#12
code_pattern	`cdnstaticsync`	high	#12
code_pattern	`gouldbenjamin135@gmail.com`	high	#12
code_pattern	`milkitall`	high	#12
domain	`cdnstaticsync.com`	high	#12
domain	`edge.cdnstaticsync.com`	high	#12
domain	`gouldbenjamin135@gmail.com`	high	#12
domain	`updates.cdnstaticsync.com`	high	#12
filename	`class-scroll-top-content-updater.php`	high	#12
code_pattern	`tombenj`	medium	#12