Supply Chain Attack Compromises Official GravityForms Plugin Repository
By taubek
Summary
A supply chain attack compromised the official GravityForms plugin repository, injecting backdoors into legitimate plugin downloads. The breach allowed attackers to execute remote commands on WordPress sites using the plugin. The article details the discovery of malicious code, the IP addresses involved (193.160.101.6), the use of a gf_api_token parameter for command-and-control, and the ongoing investigation. The attack targeted multiple versions of the plugin (2.9.11.1 and 2.9.12), and the backdoor code was designed to appear as legitimate plugin functionality. The article provides technical analysis of the malware's behavior, including file exfiltration and remote code execution capabilities.
Key quotes
The IP address 193.160.101.6 tries to request, for every site, the following URLs with a spoofed user agent
/wp-content/plugins/gravityforms_2.9.12/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping
/wp-content/plugins/gravityforms_2.9.11.1/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping
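As an added defender-side example (not code from the article or from the GravityForms project), the following Python scanner walks web server access logs and flags the probe pattern quoted above: requests to a gravityforms*/notification.php endpoint carrying a gf_api_token parameter, plus any request from the quoted IP. The sample log lines are constructed; the second one reproduces the URL quoted in the article, and the third uses a placeholder token to show that detection does not depend on the token value or on the request succeeding.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators quoted in the article: the probing IP and the backdoored endpoint.
KNOWN_C2_IP = "193.160.101.6"
BACKDOOR_PATH = re.compile(r"^/wp-content/plugins/gravityforms[^/]*/notification\.php$")

# Apache/nginx combined log format: client ip, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log (not from the article); line 2 reproduces the quoted probe URL.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jul/2025:10:01:02 +0000] "GET /wp-content/plugins/gravityforms/js/form.min.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
193.160.101.6 - - [11/Jul/2025:10:02:15 +0000] "GET /wp-content/plugins/gravityforms_2.9.12/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jul/2025:10:03:40 +0000] "GET /wp-content/plugins/gravityforms_2.9.11.1/notification.php?gf_api_token=PLACEHOLDER_TOKEN&action=ping HTTP/1.1" 404 0 "-" "Mozilla/5.0"
193.160.101.6 - - [11/Jul/2025:10:04:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

def scan_line(line):
    """Return the indicator names matched by one access-log line ([] if clean or unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    if m["ip"] == KNOWN_C2_IP:
        hits.append("known_c2_ip")
    parts = urlsplit(m["target"])
    if BACKDOOR_PATH.match(parts.path):
        # A 404 is still a finding: the article reports the IP probing every site, so the request itself is the signal.
        hits.append("backdoor_endpoint")
        qs = parse_qs(parts.query)
        if "gf_api_token" in qs:
            hits.append("gf_api_token")
        hits.append("action=" + qs.get("action", ["?"])[0])
    return hits

def scan_log(text):
    """Return (line_no, client_ip, status, indicators) for every suspicious line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            m = LOG_RE.match(line)
            findings.append((n, m["ip"], int(m["status"]), hits))
    return findings

if __name__ == "__main__":
    for n, ip, status, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} HTTP {status} -> {', '.join(hits)}")
```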
