On Monday, June 24th, 2024, the Wordfence Threat Intelligence team was made aware of the presence of malware in the Social Warfare repository plugin. After adding the malicious code to our Threat Intelligence Database and examining it, we discovered additional affected plugins and continued monitoring the situation throughout the week. More plugins were affected prior to WordPress.org forcing a password reset.

Malware signatures were written by our analysts the same day as the initial notification of compromise and were released for our Wordfence Premium, Wordfence Care, and Wordfence Response users on June 25, 2024. Free users received the same signatures with a 30-day delay on July 25, 2024. Additional malware signatures were released over the days and weeks that followed to address new malware variants. In today's blog post we will provide a closer look into how the malware has evolved and update you on what to look out for if you suspect your site might be affected.

A New Technique: Credential Exfiltration

On July 14, 2024, an affected WordPress agency with a significant number of sites reached out to us after suffering a major infection as a result of the supply chain attack when their Blaze Widget and Social Warfare plugins were updated. Unaware of this compromise, they noticed several rogue Administrator user accounts on several of their websites days later. Upon further investigation, they discovered the intrusion vector and shared a malware sample with us that…