Essentially a supply chain attack

  • peakperformancedigital

    (@peakperformancedigital)


    1 year, 8 months ago

    This is not Advanced Custom Fields, this is a “hacked up, bastardized simulacra” of Advanced Custom Fields that WordPress copied and put in ACF’s place. This move from WordPress to replace the legitimate ACF plugin with their version is essentially a Supply Chain Attack, and it should have with even the slightest security conscious website owner or administrator concerned.

Viewing 5 replies - 1 through 5 (of 5 total)
  • kaushikc

    (@kaushikc)

    1 year, 8 months ago

    How is this an “attack” ?

    • This reply was modified 1 year, 8 months ago by kaushikc.
    joshgreenuk

    (@joshgreenuk)

    1 year, 7 months ago

    How is it not an attack? 2 million plus websites installed a plugin trusted by the community. Everyone that installed this plugin is now running untrusted and unwanted PHP code on their website that is not by the author. This is a supply chain attack. PHP has been essentially been force pushed to corporate websites. The risk factor for using WP in the future given this can happen at any time again is off the charts.

    kaushikc

    (@kaushikc)

    1 year, 7 months ago

    Yes, however there was no malicious code injection or intent to harm the users for this to be classified as an “attack”.

    Thread Starter peakperformancedigital

    (@peakperformancedigital)

    1 year, 7 months ago

    The very act of replacing trusted code from one vendor with untrusted code from another vendor is malicious.

    kaushikc

    (@kaushikc)

    1 year, 7 months ago

    Act maybe malicious but the code is not.

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Essentially a supply chain attack’ is closed to new replies.