Audit #22 Cleaned
Confirmed malicious supply-chain compromise — and the only one in the wave that was self-cleaned by the legitimate author before PRT intervened.

Between 2024-06-23 22:42 UTC and 2024-06-24 04:07 UTC the pedrogusmao02 SVN account pushed 2 malicious "Upgrade" commits (r3106372, r3106508) injecting the full June 2024 payload (PHP + JS) into wrapper.php. At 2024-06-24 07:48 UTC (~3.5 hours later), pedrogusmao02 himself committed "Small bug corrections" (r3106633), which removed the entire malicious payload — this is visible by inspection: r3106508 contains 7 IOC matches; r3106633 contains zero. He then committed "Update readme file for stable tag" (r3106641).

Wordfence noted "It appears that someone removed the malicious code" but did not pinpoint that the original author did it himself, ~4 hours before PRT closed the plugin. Despite the self-cleanup, PRT still closed the plugin on 2024-06-24 with reason security-issue — likely because the cleanup didn't address the credential compromise itself. Pedro returned a few weeks later (2024-07-14) with a new release attempt under r3117820..r3117826, but the plugin remained closed.

Payload identical to blaze-widget: PluginAUTH admin user, 94.156.79.8/AddSites, JS keylogger to hostpdf.co/pinche.php, cross-CMS recon. The plugin's legit Author URI pedrogusmao.digital was retained in the malicious file — useful corroboration that this was a credential compromise, not an ownership transfer.
The plugin has been remediated. This audit is retained as a public record of the incident and the IOCs.
If you run wrapper-link-elementor on your site
Verify your install matches the wp.org canonical version:
wp plugin verify-checksums wrapper-link-elementor
A patched build isn't yet published for this audit. Check the security advisories index or remove the plugin until one is available.
Or remove the plugin entirely:
wp plugin deactivate wrapper-link-elementor
wp plugin delete wrapper-link-elementor
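The checksum verification above only tells you whether your files differ from the wp.org canonical build; it does not say what the difference is. The script below is an added example, not tooling from this audit, PRT or Wordfence: it walks a plugin directory and reports which of the three IOCs named in the summary (the PluginAUTH admin user, the 94.156.79.8/AddSites endpoint and the hostpdf.co/pinche.php exfil URL) appear in each PHP or JS file, the same per-revision IOC-count inspection the summary uses to show r3106508 versus r3106633. The indicator list is taken from the audit text; the file contents used for the demonstration are constructed stand-ins that contain only the indicator strings, not the payload.

```python
"""Scan a WordPress plugin directory for the IOCs listed in audit #22.

Added example, not the audit's own tooling. Indicators come from the audit
summary; SAMPLE_INFECTED and SAMPLE_CLEAN below are constructed for the demo.
"""
import os
import re
import tempfile
from typing import Dict, List

# Indicators quoted in the audit summary, as case-insensitive regexes.
IOCS: Dict[str, str] = {
    "rogue_admin_user": r"PluginAUTH",
    "c2_addsites": r"94\.156\.79\.8/AddSites",
    "keylogger_exfil": r"hostpdf\.co/pinche\.php",
}


def scan_text(text: str) -> List[str]:
    """Return the names of indicators present in one file's contents."""
    return [name for name, pat in IOCS.items()
            if re.search(pat, text, re.IGNORECASE)]


def scan_plugin_dir(root: str) -> Dict[str, List[str]]:
    """Map each .php/.js file (relative path) under root to its matched indicators.

    Files with no hits are omitted, so an empty dict means no IOC was found.
    """
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".js")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def verdict(hits: Dict[str, List[str]]) -> str:
    """One-word summary for a scan result."""
    return "COMPROMISED" if hits else "clean"


# Constructed stand-in for an injected wrapper.php: only the indicator strings
# are real; the surrounding code is placeholder, not the payload.
SAMPLE_INFECTED = """<?php
/* Author URI: https://pedrogusmao.digital */
$u = 'PluginAUTH';
$endpoint = 'http://94.156.79.8/AddSites';
?>
<script>var x = 'https://hostpdf.co/pinche.php';</script>
"""

# Constructed stand-in for the self-cleaned revision: legit header, no IOCs.
SAMPLE_CLEAN = """<?php
/* Author URI: https://pedrogusmao.digital */
function wle_render($atts) { return ''; }
"""


def demo_scan_tempdir() -> Dict[str, List[str]]:
    """Write the constructed samples into a temporary plugin tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "wrapper.php"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_INFECTED)
        os.makedirs(os.path.join(tmp, "inc"))
        with open(os.path.join(tmp, "inc", "helpers.php"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CLEAN)
        with open(os.path.join(tmp, "readme.txt"), "w", encoding="utf-8") as fh:
            fh.write("== Changelog ==\n")  # not .php/.js, so ignored by the scan
        return scan_plugin_dir(tmp)


if __name__ == "__main__":
    # Point this at your own install, e.g. wp-content/plugins/wrapper-link-elementor
    result = demo_scan_tempdir()
    for rel, names in result.items():
        print(f"{rel}: {', '.join(names)}")
    print("verdict:", verdict(result))
```

To use it on a real install, replace the demo call with `scan_plugin_dir("wp-content/plugins/wrapper-link-elementor")`. A clean result is not proof of an untouched plugin, since it only covers the three indicators named here; treat it as a quick triage step alongside the checksum check, not a replacement for it.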
Plugins under the same committer's SVN access
pedrogusmao02 holds push access to 1 plugin totalling — active installs.