NextScripts: Social Networks Auto-Poster

social-networks-auto-poster-facebook-twitter-g · by nextscripts · wordpress.org ↗ · SVN ↗

Acquired by NextScripts. New committers from that team's naming convention are expected and will not fire takeover events. source ↗

Active installs: 30k+
Current version: 4.4.7
Added: 2012-03-02
Last updated: 2026-02-26 (2mo ago)
First seen by beacon: 10d ago
Total downloads: 7,436,641

Alerts (0)

No open alerts.

Show 4 resolved alerts

Critical code_pattern Resolved · false_positive_legit_ip_use 2026-04-30 15:25:28 (1d ago)

Slug	social-networks-auto-poster-facebook-twitter-g
Pattern	`hardcoded_ip_url`
Kind	`builtin`
Version	`4.4.7`
Hit count	1
First hit	File `inc/nxs_class_snap.php` Line 105 Snippet `nxs_cURLTest("http://45.79.4.45/", "HTTPS to NXSA", "NXS");`
Explanation	plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.

View raw JSON

{
    "slug": "social-networks-auto-poster-facebook-twitter-g",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "4.4.7",
    "hit_count": 1,
    "first_hit": {
        "file": "inc/nxs_class_snap.php",
        "line": 105,
        "snippet": "nxs_cURLTest(\"http://45.79.4.45/\", \"HTTPS to NXSA\", \"NXS\");"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}

Critical code_scan_delta Resolved · false_positive_cdn_known_good 2026-04-30 07:41:44 (2d ago)

Slug social-networks-auto-poster-facebook-twitter-g

Previous version 4.4.7

Current version 4.4.7

New findings

Pattern	Kind	File	Line	Snippet	Confidence
`hardcoded_ip_url`	`builtin`	`inc/nxs_class_snap.php`	105	`nxs_cURLTest("http://45.79.4.45/", "HTTPS to NXSA", "NXS");`	`high`

New finding count 1

View raw JSON

{
    "slug": "social-networks-auto-poster-facebook-twitter-g",
    "previous_version": "4.4.7",
    "current_version": "4.4.7",
    "new_findings": [
        {
            "pattern": "hardcoded_ip_url",
            "kind": "builtin",
            "file": "inc/nxs_class_snap.php",
            "line": 105,
            "snippet": "nxs_cURLTest(\"http://45.79.4.45/\", \"HTTPS to NXSA\", \"NXS\");",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}

Medium domain_younger_than_plugin Resolved · no_longer_matches 2026-04-24 04:03:19 (8d ago)

Slug	social-networks-auto-poster-facebook-twitter-g
Domain	`nextscripts.net`
Domain source	`c2_http_call`
Domain registered at	2021-06-23
Plugin earliest commit	2012-03-02 11:09:36
Plugin latest release	2017-10-16 23:49:28
Gap days	3,399
Domain age at release	-1,345
Active installs	30,000

View raw JSON

{
    "slug": "social-networks-auto-poster-facebook-twitter-g",
    "domain": "nextscripts.net",
    "domain_source": "c2_http_call",
    "domain_registered_at": "2021-06-23",
    "plugin_earliest_commit": "2012-03-02 11:09:36",
    "plugin_latest_release": "2017-10-16 23:49:28",
    "gap_days": 3399,
    "domain_age_at_release": -1345,
    "active_installs": 30000
}

Medium domain_younger_than_plugin Resolved · no_longer_matches 2026-04-24 04:03:19 (8d ago)

Slug	social-networks-auto-poster-facebook-twitter-g
Domain	`u.to`
Domain source	`c2_http_call`
Domain registered at	2021-11-18
Plugin earliest commit	2012-03-02 11:09:36
Plugin latest release	2017-10-16 23:49:28
Gap days	3,547
Domain age at release	-1,493
Active installs	30,000

View raw JSON

{
    "slug": "social-networks-auto-poster-facebook-twitter-g",
    "domain": "u.to",
    "domain_source": "c2_http_call",
    "domain_registered_at": "2021-11-18",
    "plugin_earliest_commit": "2012-03-02 11:09:36",
    "plugin_latest_release": "2017-10-16 23:49:28",
    "gap_days": 3547,
    "domain_age_at_release": -1493,
    "active_installs": 30000
}

SVN committers (2)

Accounts with actual commit access to social-networks-auto-poster-facebook-twitter-g on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer	Member since	Commits	First commit	Latest commit
NextScripts Young account	2012-03-01	200	2012-03-02 · r513511	2026-02-26 · r3470733
plugin-master	2007-03-09	1	2012-03-02 · r513443	2012-03-02 · r513443

Readme contributors (2)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor	Member since	SVN access	Status
NextScripts	2012-03-01	200 commits	Active
okapy	2012-03-02	—	Active

Versions (13 most recent)

Version	Released	Download
3.8.8	2017-10-16 · 8y ago	zip
3.4.31	2016-03-07 · 10y ago	zip
3.2.3	2014-03-06 · 12y ago	zip
3.1.2	2014-01-24 · 12y ago	zip
3.0.9	2013-12-03 · 12y ago	zip
2.7.22	2013-11-01 · 12y ago	zip
2.7.14	2013-06-11 · 12y ago	zip
2.6.3	2013-02-25 · 13y ago	zip
2.5.5	2013-01-29 · 13y ago	zip
2.4.8	2013-01-03 · 13y ago	zip
1.9.13	2012-09-12 · 13y ago	zip
1.7.0	2012-06-05 · 13y ago	zip
1.6.1	2012-05-09 · 13y ago	zip