Suspect-shape but multiply-unreachable dead code — benign. WPBot's includes/openai/plugin-upgrader/ and includes/integration/openai/plugin-upgrader/ directories ship a self-update class (QCLD_openaiaddon_AutoUpdate) who…
baseline 0.9.0 → head 8.2.4 · event #1758 · investigator austin
Suspect-shape but structurally unreachable — benign with one regression to flag. YARPP's version_info() matches the high-confidence catalog IOC unserialize_after_remote_call (@unserialize of wp_remote_post body, hardcod…
baseline 1.0 → head 5.30.11 · event #1741 · investigator austin
Clean — no supply-chain anomaly. Full git-level audit of ilab-media-tools (Media Cloud by interfacelab) covering all 162 published versions back to 2016-07. Single committer for 8 years, zero detection events, zero IOC …
baseline 1.0.0 → head 4.6.4 · investigator austin
Historical PHP Object Injection chain in Admitad integration — gated since v6.0.0 (2023-08-21), endpoint dead. Two compounding patterns in application/libs/admitad/AdmitadProducts.php + application/libs/RestClient.php f…
baseline 11.0.0 → head 11.0.0 · event #1469 · investigator beacon-scan-skill
Confirmed malicious supply-chain compromise. Between 2024-04-05 and 2024-06-22 the WarfarePlugins wp.org committer account was used to push six tagged releases (4.4.6.4, 4.4.6.5, 4.4.6.6, 4.4.6.8, 4.4.6.9, 4.4.7.1) cont…
baseline 4.4.6.3 → head 4.4.7.1 · event #1355 · investigator beacon-scan-skill
Update-checker hijack with active stored-XSS / RCE primitives served from a Panama-fronted C2. scroll-top (20,000 active installs) was sold by original author Ga Satrya (@gasatrya) to an actor identified as Benjamin (wp…
baseline — → head 1.5.3 · event #728 · investigator beacon-scan-skill
Who made the change. Committer thanghoang pushed their first commit to this plugin on 2024-07-09, when their WordPress.org account was only 12 days old (created 2024-06-27). New-account commits on established plugins ar…
baseline 5.1 → head 5.1.1 · event #115 · investigator austin
Verdict: malicious. Confirmed supply-chain compromise matching the disclosed attack at anchor.host/how-i-caught-a-wordpress-plugin-supply-chain-attack and covered by TheNextWeb, Yahoo Tech, BigGo, byteiota, and others. …
baseline 5.10.4 → head 6.0.0 · event #103 · investigator austin
Verdict: legitimate team onboarding — not a takeover. alexopen is a Smash Balloon employee ("Alex at Smash Balloon" display name), added as a committer to the five Smash Balloon social-feed plugins owned by Awesome Moti…
baseline 6.9.1 → head 6.10.0 · event #114 · investigator austin
Marketplace acquisition of an established 30-plugin portfolio used as a vehicle for a fleet-wide PHP-deserialization RCE backdoor with on-chain C2 resolution. A buyer identified only as "Kris" purchased the entire Essen…
baseline 2.6.6 → head 2.6.9.1 · event #104 · investigator austin
The original author intentionally weaponized wordpress.org distribution to seed an out-of-band update channel they controlled — and then served tampered builds through that channel after the wp.org-distributed code went…
baseline 5.2.1 → head 5.2.4 · investigator manual