Scroll To Top

scroll-top · by satrya · wordpress.org ↗ · SVN ↗
Acquired by Anadnet (PUC update-channel hijack campaign). Previously owned by Benjamin (@milkitall). New committers from that team's naming convention are expected and will not fire takeover events.
This plugin is closed on wordpress.org. Closed 2026-04-26.
Active installs: 20k+
Current version: 1.5.6
Added:
Last updated:
First seen by beacon: 10d ago
Total downloads:

Audits (1)

Malicious · Audit #12 · baseline → head 1.5.3 · 7d ago

Update-checker hijack with active stored-XSS / RCE primitives served from a Panama-fronted C2.


Alerts (0)

No open alerts.

Resolved alerts (10)
Medium committer_younger_than_plugin Resolved · audit:malicious 2026-04-30 19:52:33 (1d ago)
Slug: scroll-top
Committer slug: 6hourcreative
Committer display name: 6 Hour Creative
Committer employer:
Committer member since: 2016-07-29
Committer first commit: 2016-09-10 03:20:46
Committer commit count: 4
Plugin listed author: satrya
Earliest plugin commit: 2014-02-21 23:26:32
Plugin age at join days: 931
Committer age at join days: 43
Active installs: 20,000
Raw JSON:
{
    "slug": "scroll-top",
    "committer_slug": "6hourcreative",
    "committer_display_name": "6 Hour Creative",
    "committer_employer": null,
    "committer_member_since": "2016-07-29",
    "committer_first_commit": "2016-09-10 03:20:46",
    "committer_commit_count": 4,
    "plugin_listed_author": "satrya",
    "earliest_plugin_commit": "2014-02-21 23:26:32",
    "plugin_age_at_join_days": 931,
    "committer_age_at_join_days": 43,
    "active_installs": 20000
}
Low plugin_closed Resolved · audit:malicious 2026-04-30 19:52:33 (1d ago)
Slug: scroll-top
Closed reason:
Closed date: 2026-04-26 00:00:00
Active installs: 20,000
Raw JSON:
{
    "slug": "scroll-top",
    "closed_reason": "",
    "closed_date": "2026-04-26 00:00:00",
    "active_installs": 20000
}
Medium contributor_added Resolved · audit:malicious 2026-04-30 19:52:33 (1d ago)
Slug: scroll-top
New contributors: satrya
Active installs: 20,000
Raw JSON:
{
    "slug": "scroll-top",
    "new_contributors": [
        "satrya"
    ],
    "active_installs": 20000
}
Critical code_pattern Resolved · audit:malicious 2026-04-27 11:03:12 (5d ago)
Slug: scroll-top
Pattern: puc_update_hijack
Kind: builtin
Version: 1.5.3
Hit count: 1
First hit:
  File: scroll-top.php
  Line: 42
  Snippet: $UpdateChecker = PucFactory::buildUpdateChecker(
Explanation: plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape: hijack
Url: https://updates.cdnstaticsync.com/updates/?action=get_metadata&slug=scroll-top
Url host: updates.cdnstaticsync.com
Slug arg: scroll-top
Raw JSON:
{
    "slug": "scroll-top",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "1.5.3",
    "hit_count": 1,
    "first_hit": {
        "file": "scroll-top.php",
        "line": 42,
        "snippet": "$UpdateChecker = PucFactory::buildUpdateChecker("
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.",
    "shape": "hijack",
    "url": "https://updates.cdnstaticsync.com/updates/?action=get_metadata&slug=scroll-top",
    "url_host": "updates.cdnstaticsync.com",
    "slug_arg": "scroll-top"
}
Critical code_pattern Resolved · audit:malicious 2026-04-24 23:33:04 (7d ago)
Slug: scroll-top
Pattern: cdnstaticsync.com
Kind: ioc:domain
Version: 1.5.3
Hit count: 1
First hit:
  File: scroll-top.php
  Line: 43
  Snippet: 'https://updates.cdnstaticsync.com/updates/?action=get_metadata&slug=scroll-top', //Metadata URL.
Explanation:
Raw JSON:
{
    "slug": "scroll-top",
    "pattern": "cdnstaticsync.com",
    "kind": "ioc:domain",
    "version": "1.5.3",
    "hit_count": 1,
    "first_hit": {
        "file": "scroll-top.php",
        "line": 43,
        "snippet": "'https://updates.cdnstaticsync.com/updates/?action=get_metadata&slug=scroll-top', //Metadata URL."
    },
    "explanation": null
}
Critical code_pattern Resolved · audit:malicious 2026-04-24 23:33:04 (7d ago)
Slug: scroll-top
Pattern: updates.cdnstaticsync.com
Kind: ioc:domain
Version: 1.5.3
Hit count: 1
First hit:
  File: scroll-top.php
  Line: 43
  Snippet: 'https://updates.cdnstaticsync.com/updates/?action=get_metadata&slug=scroll-top', //Metadata URL.
Explanation:
Raw JSON:
{
    "slug": "scroll-top",
    "pattern": "updates.cdnstaticsync.com",
    "kind": "ioc:domain",
    "version": "1.5.3",
    "hit_count": 1,
    "first_hit": {
        "file": "scroll-top.php",
        "line": 43,
        "snippet": "'https://updates.cdnstaticsync.com/updates/?action=get_metadata&slug=scroll-top', //Metadata URL."
    },
    "explanation": null
}
Critical code_pattern Resolved · audit:malicious 2026-04-24 23:33:04 (7d ago)
Slug: scroll-top
Pattern: cdnstaticsync
Kind: ioc:code_pattern
Version: 1.5.3
Hit count: 1
First hit:
  File: scroll-top.php
  Line: 43
  Snippet: 'https://updates.cdnstaticsync.com/updates/?action=get_metadata&slug=scroll-top', //Metadata URL.
Explanation:
Raw JSON:
{
    "slug": "scroll-top",
    "pattern": "cdnstaticsync",
    "kind": "ioc:code_pattern",
    "version": "1.5.3",
    "hit_count": 1,
    "first_hit": {
        "file": "scroll-top.php",
        "line": 43,
        "snippet": "'https://updates.cdnstaticsync.com/updates/?action=get_metadata&slug=scroll-top', //Metadata URL."
    },
    "explanation": null
}
Critical code_pattern Resolved · audit:malicious 2026-04-24 23:25:12 (7d ago)
Slug: scroll-top
Pattern: puc_update_hijack
Kind: builtin
Version: 1.5.3
Hit count: 2
First hit:
  File: scroll-top.php
  Line: 42
  Snippet: $UpdateChecker = PucFactory::buildUpdateChecker(
Explanation: plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Raw JSON:
{
    "slug": "scroll-top",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "1.5.3",
    "hit_count": 2,
    "first_hit": {
        "file": "scroll-top.php",
        "line": 42,
        "snippet": "$UpdateChecker = PucFactory::buildUpdateChecker("
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal."
}
Critical code_scan_delta Resolved · audit:malicious 2026-04-24 23:23:43 (7d ago)
Slug: scroll-top
Previous version: 1.5.3
Current version: 1.5.3
New findings:
Pattern | Kind | File | Line | Snippet | Confidence
puc_update_hijack | builtin | scroll-top.php | 42 | $UpdateChecker = PucFactory::buildUpdateChecker( | high
puc_update_hijack | builtin | plugin-update-checker/Puc/v5p2/PucFactory.php | 54 | return self::buildUpdateChecker($metadataUrl, $fullPath, $slug, $checkPeriod, $optionName, $muPluginFile); | high
New finding count: 2
Raw JSON:
{
    "slug": "scroll-top",
    "previous_version": "1.5.3",
    "current_version": "1.5.3",
    "new_findings": [
        {
            "pattern": "puc_update_hijack",
            "kind": "builtin",
            "file": "scroll-top.php",
            "line": 42,
            "snippet": "$UpdateChecker = PucFactory::buildUpdateChecker(",
            "confidence": "high"
        },
        {
            "pattern": "puc_update_hijack",
            "kind": "builtin",
            "file": "plugin-update-checker/Puc/v5p2/PucFactory.php",
            "line": 54,
            "snippet": "return self::buildUpdateChecker($metadataUrl, $fullPath, $slug, $checkPeriod, $optionName, $muPluginFile);",
            "confidence": "high"
        }
    ],
    "new_finding_count": 2
}
Medium domain_younger_than_plugin Resolved · no_longer_matches 2026-04-24 06:14:50 (8d ago)
Slug: scroll-top
Domain: your-api.com
Domain source: c2_http_call
Domain registered at: 2022-05-02
Plugin earliest commit: 2014-02-21 23:26:32
Plugin latest release: 2023-11-21 20:27:00
Gap days: 2,991
Domain age at release: 568
Active installs: 20,000
Raw JSON:
{
    "slug": "scroll-top",
    "domain": "your-api.com",
    "domain_source": "c2_http_call",
    "domain_registered_at": "2022-05-02",
    "plugin_earliest_commit": "2014-02-21 23:26:32",
    "plugin_latest_release": "2023-11-21 20:27:00",
    "gap_days": 2991,
    "domain_age_at_release": 568,
    "active_installs": 20000
}

SVN committers (4)

Accounts with actual commit access to scroll-top on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
Ga Satrya 2010-05-07 51 2014-02-22 · r862831 2023-11-21 · r2999781
Idenovasi 2019-02-07 5 2019-08-07 · r2135418 2021-10-24 · r2618997
6 Hour Creative (Young account) 2016-07-29 4 2016-09-10 · r1493590 2016-09-10 · r1493769
plugin-master 2007-03-09 1 2014-02-21 · r862679 2014-02-21 · r862679

Readme contributors (2)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
Ga Satrya 2010-05-07 51 commits Active
Benjamin 2023-10-29 Active

Versions (10 most recent)

Version Released Download
1.5.3 2023-11-21 · 2y ago zip
1.5.2 2023-11-05 · 2y ago zip
1.5.1 2023-10-30 · 2y ago zip
1.5 2023-10-30 · 2y ago zip
1.4.1 2022-08-17 · 3y ago zip
1.4.0 2022-08-16 · 3y ago zip
1.3.0 2022-07-05 · 3y ago zip
1.2.0 2021-10-24 · 4y ago zip
1.1.1 2021-02-09 · 5y ago zip
1.1.0 2020-10-17 · 5y ago zip