
3 More Plugins Infected in WordPress.org Supply Chain Attack Due to Compromised Developer Passwords

via wordfence.com => original post link

Update: As of 12:36 PM EST, another plugin has been infected. We’ve updated the list below to include this fourth plugin, and the plugins team has been notified.

Update: As of 2:20 PM EST, two more plugins appear to have malicious commits; however, the releases have not officially been made, meaning no sites should be affected currently. We’ve updated the list below to include these additional plugins, and the plugins team has been notified.

On June 24th, 2024, we became aware of a supply chain attack targeting multiple WordPress plugins hosted on WordPress.org. An attacker successfully compromised five WordPress.org accounts whose developers were using credentials previously found in data breaches, and committed malicious code to the plugins. That code injects new administrative user accounts, along with SEO spam and cryptominers, whenever the site owner updates the plugin to the latest version.