Audits

14 malicious audits. · 201 IOCs catalogued.

Verdict: All (38) · Malicious (14) · Cleaned (6) · Suspicious (7) · Inconclusive (0) · Benign (11) · In progress (0)

Malicious · Closed by wp.org

Audit #12 Scroll To Top — 20k+ installs

Update-checker hijack with active stored-XSS / RCE primitives served from a Panama-fronted C2. scroll-top (20,000 active installs) was sold by original author Ga Satrya (@gasatrya) to an actor identified as Benjamin (wp…

baseline → head 1.5.3 · 11 IOCs · 1mo ago

Malicious · Closed by wp.org

Audit #43 WP Install From Web — 100 installs

This is a previously-undocumented SiteGuarding supply-chain backdoor burner. It was surfaced by hunting for plugins that WP.org cleaned on closure — i.e. where a Plugin Review Team account force-pushed a code change at …

by safetydev · baseline → head 1.10.1 · SiteGuarding cluster · 3 IOCs · 1d ago

Malicious · Closed by wp.org

Audit #10 Widget Logic — 100k+ installs

Verdict: malicious. Confirmed supply-chain compromise matching the disclosed attack at anchor.host/how-i-caught-a-wordpress-plugin-supply-chain-attack and covered by TheNextWeb, Yahoo Tech, BigGo, byteiota, and others. …

by widgetlogics · baseline 5.10.4 → head 6.0.0 · 8 IOCs · 1mo ago

Malicious · Closed by wp.org

Audit #13 Quick Page/Post Redirect Plugin — 70k+ installs

The original author intentionally weaponized wordpress.org distribution to seed an out-of-band update channel they controlled — and then served tampered builds through that channel after the wp.org-distributed code went…

by anadnet · baseline 5.2.1 → head 5.2.4 · 12 IOCs · 2mo ago

Malicious · Closed by wp.org

Audit #4 33-plugin suite — 195k+ combined installs

Marketplace acquisition of an established 30-plugin portfolio used as a vehicle for a fleet-wide PHP-deserialization RCE backdoor with on-chain C2 resolution. A buyer identified only as "Kris" purchased the entire Essen…

by essentialplugin · baseline 2.6.6 → head 2.6.9.1 · 15 IOCs · 1mo ago

Malicious · Closed by wp.org

Audit #25 WP Advanced Math Captcha — 6k+ installs

Two distinct supply-chain attack chains in a single 6,000-install plugin, both operated by SiteGuarding (siteguarding.com) through two anonymous wp.org committer accounts. wp.org Plugin Review Team (PRT, plugin-master) …

baseline 2.1.8 → head 2.1.9.1 · SiteGuarding cluster · 33 IOCs · 1mo ago

Malicious · Closed by wp.org

Audit #26 Web Image Optimization X — 100 installs

Attacker-controlled side-channel update endpoint shipped under the cover of "license validation" — same operator (SiteGuarding) and same sibling-plugin pair as audit #25 (wp-advanced-math-captcha). Where the wp-advanced…

baseline 1.0.8 → head 1.4.0 · SiteGuarding cluster · 15 IOCs · 1mo ago

Malicious · Closed by wp.org

Audit #42 Speedup Optimization — 100 installs

A previously-undocumented SiteGuarding burner, surfaced by the clean-on-closure hunt and closed in the same 2026-04-07 wave that took down the two documented burners. The backdoor. speedup-optimization.php defines speed…

by charlycharm · baseline → head 1.2.1 · SiteGuarding cluster · 3 IOCs · 1d ago

Malicious · Closed by wp.org

Audit #45 WP Google Core Web Vitals Fix — 400 installs

A SiteGuarding burner with a full remote-code-execution + persistence backdoor — Tier A. Surfaced by the closed-plugin blob scan (the new payload-decode scanner), which matched cmsplughub.com in the trunk that the old P…

by roshellco · baseline → head 1.0.4 · SiteGuarding cluster · 4 IOCs · 1d ago

Malicious · Closed by wp.org

Audit #46 Code Quality Control Tool — 50 installs

A SiteGuarding burner with an undisclosed wp-config.php persistence injection — Tier A. Surfaced by the closed-plugin blob scan, which matched safetybis.com in the trunk. The persistence mechanism. Patch_WPconfig_file()…

by nickclarkweb · baseline → head 2.1 · SiteGuarding cluster · 3 IOCs · 1d ago

Malicious · Closed by wp.org

Audit #47 Magex AI Bot Defender — 10 installs

A SiteGuarding burner that routes through the safetybis.com C2 — Tier B (undisclosed phone-home / proxy, no in-plugin RCE sink). Surfaced by the closed-plugin blob scan via siteguarding.com + safetybis.com references in…

by viktoriasantos · baseline → head 1.5.8 · SiteGuarding cluster · 3 IOCs · 1d ago

Malicious · Closed by wp.org

Audit #44 ByteDefense Security — — installs

A SiteGuarding security-branded front, surfaced by the clean-on-closure hunt. Unlike the documented closures that left malware in trunk, WP.org's plugin-master force-pushed a "Removing" commit at closure that stripped t…

by lanechristian891 · baseline → head 2.1 · SiteGuarding cluster · 3 IOCs · 1d ago

Malicious · Closed by wp.org

Audit #48 9-plugin suite — 80 combined installs

Verdict: malicious — a previously-undocumented 2024 wave of nine SiteGuarding supply-chain burner plugins, each on its own throwaway wp.org account. This is a distinct third operational phase of the SiteGuarding operati…

baseline → head (suite — 9 plugins) · SiteGuarding cluster · 3 IOCs · 1d ago

Malicious · Closed by wp.org

Audit #28 27-plugin suite — 8k+ combined installs

SiteGuarding 27-plugin portfolio (2013-2020) — 15 plugins shipped siteguarding_tools.php v1.7 RCE backdoor INLINE in the plugin folder; 12 sibling plugins shipped phone-home guideline violations. wp.org closed all 27 in…

baseline 1.2 → head 7.5.4 · SiteGuarding cluster · 7 IOCs · 1mo ago