Audit #16 Benign

Media Cloud for Bunny CDN, Amazon S3, Cloudflare R2, Google Cloud Storage, DigitalOcean and more · 7k+ installs · baseline 1.0.0 → head 4.6.4 · suspect committer interfacelab · by austin · closed 2d ago

Actor: Interfacelab LLC (interfacelab)

Show full summary

Clean — no supply-chain anomaly. Full git-level audit of ilab-media-tools (Media Cloud by interfacelab) covering all 162 published versions back to 2016-07. Single committer for 8 years, zero detection events, zero IOC matches, zero suspicious patterns in plugin-own code. The 58 code-scan findings on current trunk are all in vendored dependencies (Symfony, AWS SDK, Google Cloud, Firebase JWT, Carbon, ShortPixel) and are well-known legitimate uses. No further action required.

✓

Investigated — no compromise found.

Audit retained for the record. No action required.

Plugins under the same committer's SVN access

interfacelab holds push access to 1 plugin totalling 7k+ active installs.

Media Cloud for Bunny CDN, Amazon S3, Cloudflare R2, Google Cloud Storage, DigitalOcean and more — this audit

7k+

Plugin version history

Every release on wp.org for this plugin, color-coded by relationship to the incident. The compromise window shows where the wp.org Plugin Review Team deleted the malicious tags from SVN — those versions cannot be re-downloaded today.

1.0.0 2016-07-12 Last clean Last clean release before incident
🛑 Compromise window

Malicious releases pushed during this window were deleted from SVN by the wp.org Plugin Review Team. Last malicious tag: 4.6.4.
1.0.1 2016-07-12 PRT cleanup PRT cleanup release — incident closed
1.0.2 2016-07-12 Clean Clean (post-cleanup)
1.0.3 2016-07-12 Clean Clean (post-cleanup)
1.0.4 2016-07-12 Clean Clean (post-cleanup)
1.0.5 2016-07-14 Clean Clean (post-cleanup)
1.0.8 2017-01-31 Clean Clean (post-cleanup)
1.0.9 2017-02-01 Clean Clean (post-cleanup)
1.1.0 2017-02-12 Clean Clean (post-cleanup)
1.1.1 2017-02-15 Clean Clean (post-cleanup)
1.2 2017-04-15 Clean Clean (post-cleanup)
1.2.1 2017-04-17 Clean Clean (post-cleanup)
1.2.2 2017-04-18 Clean Clean (post-cleanup)
1.2.3 2017-04-19 Clean Clean (post-cleanup)
1.4.1 2017-04-25 Clean Clean (post-cleanup)
1.4.2 2017-04-25 Clean Clean (post-cleanup)
1.4.3 2017-04-25 Clean Clean (post-cleanup)
1.4.4 2017-04-27 Clean Clean (post-cleanup)
1.4.5 2017-05-01 Clean Clean (post-cleanup)
1.4.6 2017-08-31 Clean Clean (post-cleanup)
1.4.7 2017-09-06 Clean Clean (post-cleanup)
1.4.8 2017-09-06 Clean Clean (post-cleanup)
1.4.9 2017-09-08 Clean Clean (post-cleanup)
1.5.0 2017-09-09 Clean Clean (post-cleanup)
1.5.1 2017-09-11 Clean Clean (post-cleanup)
1.5.2 2017-09-12 Clean Clean (post-cleanup)
1.5.3 2017-09-13 Clean Clean (post-cleanup)
2.0.1 2017-09-22 Clean Clean (post-cleanup)
2.0.2 2017-09-23 Clean Clean (post-cleanup)
2.0.3 2017-09-24 Clean Clean (post-cleanup)
2.0.4 2017-09-25 Clean Clean (post-cleanup)
2.0.5 2017-09-28 Clean Clean (post-cleanup)
2.0.6 2017-09-29 Clean Clean (post-cleanup)
2.0.7 2017-09-30 Clean Clean (post-cleanup)
2.0.8 2017-10-01 Clean Clean (post-cleanup)
2.0.9 2017-10-02 Clean Clean (post-cleanup)
2.1.0 2017-10-05 Clean Clean (post-cleanup)
2.1.4 2018-09-07 Clean Clean (post-cleanup)
2.1.5 2018-09-08 Clean Clean (post-cleanup)
2.1.6 2018-10-31 Clean Clean (post-cleanup)
2.1.7 2018-11-01 Clean Clean (post-cleanup)
2.1.8 2018-11-02 Clean Clean (post-cleanup)
2.1.9 2018-11-03 Clean Clean (post-cleanup)
2.1.10 2018-11-03 Clean Clean (post-cleanup)
2.1.11 2018-11-03 Clean Clean (post-cleanup)
2.1.14 2018-11-05 Clean Clean (post-cleanup)
2.1.15 2018-11-06 Clean Clean (post-cleanup)
2.1.16 2018-11-10 Clean Clean (post-cleanup)
2.1.17 2018-11-10 Clean Clean (post-cleanup)
2.1.18 2018-11-12 Clean Clean (post-cleanup)
2.1.19 2018-11-16 Clean Clean (post-cleanup)
2.1.20 2018-11-29 Clean Clean (post-cleanup)
2.1.21 2018-11-30 Clean Clean (post-cleanup)
2.1.22 2018-12-01 Clean Clean (post-cleanup)
2.1.23 2018-12-04 Clean Clean (post-cleanup)
2.1.30 2019-01-02 Clean Clean (post-cleanup)
3.0.7 2019-07-17 Clean Clean (post-cleanup)
3.0.8 2019-07-18 Clean Clean (post-cleanup)
3.0.9 2019-07-19 Clean Clean (post-cleanup)
3.1.0 2019-07-22 Clean Clean (post-cleanup)
3.1.1 2019-07-25 Clean Clean (post-cleanup)
3.1.2 2019-07-29 Clean Clean (post-cleanup)
3.1.5 2019-08-18 Clean Clean (post-cleanup)
3.1.6 2019-08-27 Clean Clean (post-cleanup)
3.1.7 2019-09-02 Clean Clean (post-cleanup)
3.2.0 2019-10-03 Clean Clean (post-cleanup)
3.2.1 2019-10-08 Clean Clean (post-cleanup)
3.2.2 2019-10-09 Clean Clean (post-cleanup)
3.2.3 2019-10-16 Clean Clean (post-cleanup)
3.2.4 2019-11-09 Clean Clean (post-cleanup)
3.2.5 2019-11-09 Clean Clean (post-cleanup)
3.2.6 2019-11-09 Clean Clean (post-cleanup)
3.2.7 2019-11-13 Clean Clean (post-cleanup)
3.3.0 2019-11-18 Clean Clean (post-cleanup)
3.3.1 2019-11-20 Clean Clean (post-cleanup)
3.3.2 2019-11-20 Clean Clean (post-cleanup)
3.3.3 2019-11-21 Clean Clean (post-cleanup)
3.3.4 2019-11-21 Clean Clean (post-cleanup)
3.3.5 2019-11-22 Clean Clean (post-cleanup)
3.3.6 2019-12-02 Clean Clean (post-cleanup)
3.3.7 2019-12-07 Clean Clean (post-cleanup)
3.3.8 2019-12-09 Clean Clean (post-cleanup)
3.3.9 2019-12-09 Clean Clean (post-cleanup)
3.3.10 2019-12-11 Clean Clean (post-cleanup)
3.3.11 2019-12-12 Clean Clean (post-cleanup)
3.3.12 2020-02-18 Clean Clean (post-cleanup)
3.3.14 2020-02-19 Clean Clean (post-cleanup)
3.3.18 2020-03-05 Clean Clean (post-cleanup)
3.3.19 2020-03-09 Clean Clean (post-cleanup)
3.3.20 2020-03-10 Clean Clean (post-cleanup)
3.3.21 2020-03-11 Clean Clean (post-cleanup)
4.0.2 2020-07-18 Clean Clean (post-cleanup)
4.0.3 2020-07-18 Clean Clean (post-cleanup)
4.0.5 2020-07-20 Clean Clean (post-cleanup)
4.0.6 2020-07-22 Clean Clean (post-cleanup)
4.0.7 2020-07-23 Clean Clean (post-cleanup)
4.0.11 2020-08-21 Clean Clean (post-cleanup)
4.1.0 2020-08-28 Clean Clean (post-cleanup)
4.1.1 2020-09-04 Clean Clean (post-cleanup)
4.1.4 2020-09-22 Clean Clean (post-cleanup)
4.1.5 2020-09-23 Clean Clean (post-cleanup)
4.1.6 2020-09-23 Clean Clean (post-cleanup)
4.1.7 2020-09-23 Clean Clean (post-cleanup)
4.1.8 2020-11-26 Clean Clean (post-cleanup)
4.1.9 2020-11-30 Clean Clean (post-cleanup)
4.1.12 2020-12-03 Clean Clean (post-cleanup)
4.1.14 2020-12-03 Clean Clean (post-cleanup)
4.2.0 2021-02-09 Clean Clean (post-cleanup)
4.2.1 2021-02-10 Clean Clean (post-cleanup)
4.2.2 2021-02-10 Clean Clean (post-cleanup)
4.2.3 2021-02-10 Clean Clean (post-cleanup)
4.2.6 2021-02-15 Clean Clean (post-cleanup)
4.2.7 2021-03-15 Clean Clean (post-cleanup)
4.2.8 2021-03-16 Clean Clean (post-cleanup)
4.2.9 2021-03-30 Clean Clean (post-cleanup)
4.2.10 2021-04-08 Clean Clean (post-cleanup)
4.2.11 2021-04-09 Clean Clean (post-cleanup)
4.2.18 2021-04-14 Clean Clean (post-cleanup)
4.2.20 2021-04-17 Clean Clean (post-cleanup)
4.2.21 2021-05-03 Clean Clean (post-cleanup)
4.2.22 2021-05-03 Clean Clean (post-cleanup)
4.2.23 2021-05-05 Clean Clean (post-cleanup)
4.2.25 2021-05-06 Clean Clean (post-cleanup)
4.2.26 2021-05-08 Clean Clean (post-cleanup)
4.2.28 2021-05-14 Clean Clean (post-cleanup)
4.2.29 2021-05-25 Clean Clean (post-cleanup)
4.2.30 2021-06-07 Clean Clean (post-cleanup)
4.2.31 2021-06-08 Clean Clean (post-cleanup)
4.2.32 2021-06-13 Clean Clean (post-cleanup)
4.2.33 2021-06-15 Clean Clean (post-cleanup)
4.2.34 2021-06-16 Clean Clean (post-cleanup)
4.2.35 2021-06-17 Clean Clean (post-cleanup)
4.2.36 2021-06-20 Clean Clean (post-cleanup)
4.2.37 2021-06-22 Clean Clean (post-cleanup)
4.3.1 2022-02-24 Clean Clean (post-cleanup)
4.3.2 2022-02-26 Clean Clean (post-cleanup)
4.3.3 2022-02-26 Clean Clean (post-cleanup)
4.3.4 2022-02-28 Clean Clean (post-cleanup)
4.3.8 2022-03-02 Clean Clean (post-cleanup)
4.3.11 2022-03-08 Clean Clean (post-cleanup)
4.4.0 2022-04-07 Clean Clean (post-cleanup)
4.4.3 2022-10-06 Clean Clean (post-cleanup)
4.4.4 2022-10-07 Clean Clean (post-cleanup)
4.4.5 2022-10-07 Clean Clean (post-cleanup)
4.5.0 2022-10-08 Clean Clean (post-cleanup)
4.5.2 2022-10-15 Clean Clean (post-cleanup)
4.5.3 2022-10-27 Clean Clean (post-cleanup)
4.5.5 2022-10-31 Clean Clean (post-cleanup)
4.5.7 2022-11-07 Clean Clean (post-cleanup)
4.5.8 2022-11-07 Clean Clean (post-cleanup)
4.5.9 2022-11-08 Clean Clean (post-cleanup)
4.5.10 2022-11-08 Clean Clean (post-cleanup)
4.5.11 2022-11-11 Clean Clean (post-cleanup)
4.5.14 2022-11-30 Clean Clean (post-cleanup)
4.5.15 2022-12-01 Clean Clean (post-cleanup)
4.5.17 2022-12-08 Clean Clean (post-cleanup)
4.5.19 2022-12-09 Clean Clean (post-cleanup)
4.5.21 2023-07-21 Clean Clean (post-cleanup)
4.5.24 2023-09-27 Clean Clean (post-cleanup)
4.5.25 2024-03-09 Clean Clean (post-cleanup)
4.6.0 2024-03-21 Clean Clean (post-cleanup)
4.6.1 2024-03-22 Clean Clean (post-cleanup)
4.6.2 2024-03-24 Clean Clean (post-cleanup)
4.6.4 2024-04-09 Current Current release

Plugin

| | | |---|---| | Slug | ilab-media-tools | | Name | Media Cloud for Bunny CDN, Amazon S3, Cloudflare R2, Google Cloud Storage, DigitalOcean and more | | Author | interfacelab (Interfacelab LLC), member since 2014-01-02 | | Active installs | 7,000 | | Total downloads | 543,955 | | Added | 2016-07-12 | | Last update | 2024-04-09 (v4.6.4) | | Closed? | No — never closed by wp.org | | Plugin URI | https://github.com/interfacelab/ilab-media-tools | | Author URI | http://interfacelab.io |

Methodology — git repo built from full SVN history

Standard event-driven triage didn't apply here (zero open events for this slug), so audit was performed proactively against the full release history rather than a single suspect-version delta.

# 1. Enumerate all 164 SVN tags
svn ls https://plugins.svn.wordpress.org/ilab-media-tools/tags/

# 2. For each tag in version order: svn export → rsync into git workspace → commit with svn author + date → tag
# (full script at /tmp/build-ilab-git.sh)

# 3. Result: /tmp/wpbeacon-git-repos/ilab-media-tools — 162 commits, 162 tags, 167 MB

(One transient svn: E120108 connection error skipped tag 4.5.3; trunk = 4.6.4 was already represented so no double-count.)

Committer history

| committer_slug | first_rev | last_rev | commit_count | notes | |---|---|---|---|---| | interfacelab | r1453266 (2016-07-12) | r3067574 (2024-04-09) | 348 | sole human committer, member since 2014 | | plugin-master | r1453124 (2016-07-12) | r1453124 | 1 | wp.org SVN bootstrap commit, standard |

No transfers, no co-committer additions, no WPORG Plugins Team cleanup commits across 8 years.

Code-scan findings (current trunk, v4.6.4)

58 findings, 45 high-signal. Breakdown:

| Source | Count | Notes | |---|---|---| | lib/mcloud-symfony/ | ~25 | vendored Symfony components (cache, lock, var-dumper, http-foundation, http-kernel, dependency-injection, error-handler, debug, polyfill-mbstring, polyfill-intl-normalizer, var-exporter, routing, mime, messenger, http-client) — Mozart/PHP-Scoper namespaced | | lib/mcloud-aws/aws-sdk-php/ | ~7 | AWS SDK PHP — DecryptionTrait/V2, MetadataParserTrait, JsonParser, XmlParser, AbstractRestParser | | lib/mcloud-google/ | ~6 | Google Cloud SDK — cloud-storage SigningHelper + EncryptionTrait, protobuf Message, cloud-core test helpers | | lib/mcloud-firebase/php-jwt | 3 | Firebase JWT lib — base64_decode of PEM key/header/signature components | | lib/mcloud-nesbot/carbon | 2 | Carbon date library — Serialization trait + Mixin trait | | lib/mcloud-shortpixel/ | 1 | ShortPixel API client — base64_decode of original filename | | Plugin-own code | 2 | both benign — see below |

The two plugin-own findings — both benign

1. classes/Tools/Video/Driver/Mux/MuxAPI.php:204

$privateKey = base64_decode($signingKey['privateKey']);
return JWT::encode($options, $privateKey, 'RS256');

Standard JWT signing pattern. The Mux video service requires RS256-signed JWTs to generate playback URLs; the private key is stored base64-encoded in plugin settings and decoded at sign time.

2. classes/Utilities/Search/Replacer.php:88

$unserialized = (!is_serialized($data)) ? false : @unserialize($data);

Standard WordPress search-replace idiom — gated by is_serialized($data) (so unserialize is only called on input that is in fact serialized PHP), with @ to suppress notices on legacy malformed payloads. Used during media-cloud URL rewrites in serialized wp_postmeta rows.

Full-history attack-pattern sweep — all zero

Across all 162 commits, in plugin-own code (excluding lib/, external/Freemius/, vendor/):

| Pattern | Commits-with-match | |---|---| | eval(base64_decode(...)) | 0 | | eval(gzinflate(...)) | 0 | | create_function(...) | 0 | | preg_replace('/.../e', ...) | 0 | | @unserialize(file_get_contents(...)) | 0 | | @unserialize(wp_remote_retrieve_body(...)) | 0 | | extract($_GET/POST/REQUEST/COOKIE) | 0 | | include/require($_GET/POST/...) | 0 | | system/passthru/shell_exec($_...) | 0 | | str_rot13(base64_decode(...)) | 0 | | permission_callback => __return_true | 0 | | Catalog IOCs (fetch_ver_info, cdnstaticsync, analytics.essentialplugin, widgetlogic.org, puc_v[45]_Factory) | 0 |

Domain extraction (`c2_http_call`)

45 hostnames harvested by scan-deltas on 2026-04-30. All consistent with the documented feature set:

Cloud storage: amazon.com, amazonaws.com, amazonwebservices.com, backblazeb2.com, digitalocean.com, googleapis.com, gstatic.com, kinsta.com, wasabisys.com, wpengine.com
Image / video CDNs: imgix.com, imgix.net, imgur.com, imagify.io, kraken.io, shortpixel.com, tinify.com, mux.com
Plugin's own brand: mediacloud.press
Licensing: freemius.com
Email: mandrillapp.com, sendgrid.com
Misc legitimate: youtube.com, telegram.org, ifttt.com, ngrok.io, mcafeesecure.com, projecthoneypot.org, pwnedpasswords.com, amplitude.com, jsdelivr.net, ju.mp
Doc/spec references in vendor libs: php.net, ietf.org, freedesktop.org, europa.eu, unoosa.org, symfony.com, spatie.be, wp-cli.org, firephp.org, wildfirehq.org, web.path, your.site

No callbacks to dynamic-DNS hosts, no Russian/Chinese VPS IPs, no domains younger than the plugin.

Directory-add timeline (organic)

| Version | Date | Added | Reason | |---|---|---|---| | 1.0.0 | 2016-07-12 | classes/, helpers/, public/, vendor/, views/, ilab-media-tools.php, readme.txt, LICENSE, README.md, tools.json | initial layout | | 1.5.1 | 2017-09-11 | config/ | settings system | | 3.0.7 | 2019-07-17 | external/Freemius, composer.json, composer.lock, docs/ | Freemius licensing integration | | 3.3.14 | 2020-02-19 | keys/public.key | RSA pubkey for license verification (never modified after) | | 4.1.0 | 2020-08-28 | lib/ (mcloud-* namespaced vendoring) | switched from vendor/ to scoped lib/ | | 4.2.34 | 2021-06-16 | resources/ | misc assets | | 4.4.4 | 2022-10-07 | .gitattributes, .gitmodules | repo housekeeping |

Every directory addition aligns with documented feature work in changelogs.

Verdict

Benign — clean. Long-running, single-author plugin with no supply-chain shape, no obfuscation, no hidden endpoints, no IOC matches. WP Beacon's existing event-driven detection correctly fired zero alerts on this plugin.

Cleanup status

cleanup_status = clean — nothing to remediate. Audit recorded for catalog completeness.