WP Beacon

Audits

7 malicious audits. · 159 IOCs catalogued.

Verdict: All (23) Malicious (7) Cleaned (6) Suspicious (0) Inconclusive (0) Benign (10) In progress (0)
Malicious Closed by wp.org

Audit #12 Scroll To Top — 20k+ installs

Update-checker hijack with active stored-XSS / RCE primitives served from a Panama-fronted C2. scroll-top (20,000 active installs) was sold by original author Ga Satrya (@gasatrya) to an actor identified as Benjamin (wp…

baseline → head 1.5.3 11 IOCs · 27d ago
Malicious Closed by wp.org

Audit #10 Widget Logic — 100k+ installs

Verdict: malicious. Confirmed supply-chain compromise matching the disclosed attack at anchor.host/how-i-caught-a-wordpress-plugin-supply-chain-attack and covered by TheNextWeb, Yahoo Tech, BigGo, byteiota, and others. …

by widgetlogics · baseline 5.10.4 → head 6.0.0 8 IOCs · 1mo ago
Malicious Closed by wp.org

Audit #13 Quick Page/Post Redirect Plugin — 70k+ installs

The original author intentionally weaponized wordpress.org distribution to seed an out-of-band update channel they controlled — and then served tampered builds through that channel after the wp.org-distributed code went…

by anadnet · baseline 5.2.1 → head 5.2.4 12 IOCs · 1mo ago
Malicious Closed by wp.org

Audit #4 33-plugin suite — 180k+ combined installs

Marketplace acquisition of an established 30-plugin portfolio used as a vehicle for a fleet-wide PHP-deserialization RCE backdoor with on-chain C2 resolution. A buyer identified only as "Kris" purchased the entire Essen…

by essentialplugin · baseline 2.6.6 → head 2.6.9.1 15 IOCs · 1mo ago
Malicious Closed by wp.org

Audit #25 WP Advanced Math Captcha — 6k+ installs

Two distinct supply-chain attack chains in a single 6,000-install plugin, both operated by SiteGuarding (siteguarding.com) through two anonymous wp.org committer accounts. wp.org Plugin Review Team (PRT, plugin-master) …

baseline 2.1.8 → head 2.1.9.1 SiteGuarding cluster · 33 IOCs · 19d ago
Malicious Closed by wp.org

Audit #26 Web Image Optimization X — 100 installs

Attacker-controlled side-channel update endpoint shipped under the cover of "license validation" — same operator (SiteGuarding) and same sibling-plugin pair as audit #25 (wp-advanced-math-captcha). Where the wp-advanced…

baseline 1.0.8 → head 1.4.0 SiteGuarding cluster · 15 IOCs · 19d ago
Malicious Closed by wp.org

Audit #28 27-plugin suite — 5k+ combined installs

SiteGuarding 27-plugin portfolio (2013-2020) — 15 plugins shipped siteguarding_tools.php v1.7 RCE backdoor INLINE in the plugin folder; 12 sibling plugins shipped phone-home guideline violations. wp.org closed all 27 in…

baseline 1.2 → head 7.5.4 SiteGuarding cluster · 7 IOCs · 19d ago