
An Inside Look at The Malware and Techniques Used in the WordPress.org Supply Chain Attack

via wordfence.com => original post link

On Monday June 24th, 2024 the Wordfence Threat Intelligence team was made aware of the presence of malware in the Social Warfare repository plugin (see post Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins). After adding the malicious code to our Threat Intelligence Database and examining it, we quickly discovered that several other plugins were also affected. The affected plugins and versions at that time were listed in our initial blog post alerting users to the incident.

In case you missed the previous post, Developer Accounts Compromised Due to Credential Reuse in WordPress.org Supply Chain Attack, it was determined that the incident occurred due to developers reusing passwords compromised in external data breaches.

The uncovered malware, which created administrator users with the usernames PluginAUTH, PluginGuest, and Options, was added to our Threat Intelligence Database on June 24, 2024, and a series of malware signatures was written for detection. Wordfence Premium, Care and Response users, as well as paid Wordfence CLI customers, received these malware signatures immediately on June 25th. Wordfence free users and Wordfence CLI free users will receive these signatures after a 30-day delay on July 25th, 2024. All Wordfence users will be notified by the Wordfence plugin and Wordfence CLI if they are running a vulnerable version of one of the plugins, and they should update the plugins immediately where available.