On Monday June 24th, 2024 the Wordfence Threat Intelligence team became aware of a plugin, Social Warfare, that was injected with malicious code on June 22, 2024 based on a forum post by the WordPress.org Plugin Review team. We immediately checked the malicious file and uploaded it to our internal Threat Intelligence platform, which identified four additional plugins that were infected with similar code. We then reached out to the WordPress plugins team to alert them about the four additional plugins but have not yet received a response, though it appears the plugins have been delisted.
As of this moment, we know that the following plugins are infected:
At this stage, we know that the injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server. In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website. The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow. The earliest injection appears to date back to June 21st, 2024, and the threat actor was still actively making updates to plugins as recently as 5 hours ago. At this point we do not know exactly how the threat actor was able to infect these plugins.
Currently, the Wordfence Threat Intelligence team is performing a deeper analysis and will provide more information as it becomes available. We are actively working on a set of malware signatures to provide detection for these compromised plugins, however, if you are running a malicious version of one of the plugins, you will be notified by the Wordfence Vulnerability Scanner that you have a vulnerability on your site and you should update the plugin where available or remove it ASAP.
Indicators of Compromise
If you have any of these plugins installed, you should consider your installation compromised and immediately go into incident response mode. We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan with the Wordfence plugin or Wordfence CLI and removing any malicious code.
You can view our full guide to cleaning your WordPress site here, or you can sign up for Wordfence Care or Wordfence Response where we offer complete incident response services for an entire year 24/7/365.
The post Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins appeared first on Wordfence.