I really appreciate that this supply breach was discovered by a diligent system operator (tracking a slow HTTP request).
Similarly, the xz breach was uncovered by a diligent developer looking at quirky SSH login performance regressions.
mlyle · 3h ago
Malware used to be pretty obvious for performance penalties.
But we are getting so much faster, and networks are doing so much weird inscrutable stuff now that it’s a lot harder at baseline. And, of course, the baddies are getting sneakier, too, and we are building systems from more components from more diverse sources.
I worry about the long term picture a lot; does all of infrastructure become a little untrustworthy at baseline?
bee_rider · 2h ago
Wasn’t that supposed to be the default assumption? The bad guys start just after your network interface.
This was the argument against WiFi encryption in the old days (who cares about WiFi encryption, the network is assumed evil, so your messages should be encrypted rendering WiFi security moot). Which actually seemed pretty compelling to me. Nowadays, of course, someone will hop on your WiFi and download a bunch of movies without authorization, giving you copyright headaches. But that’s authentication…
alexchantavy · 1h ago
Yeah that's what's called an assume breach/zero trust mindset. In a modern environment you can't rely on the network perimeter being a security boundary, so you need to minimize permissions (so that if an identity is hacked then the blast radius is reduced) and invest in detections and remediation plans.
mlyle · 1h ago
Sure— but now everything has so many dependencies; dependencies are recursive, and the scope exceeds any reasonable audit. And at least getting lucky enough to spot malfeasance is getting less and less likely as performance and noise grows.
SV_BubbleTime · 2h ago
> I worry about the long term picture a lot; does all of infrastructure become a little untrustworthy at baseline?
Isn’t that a scenario that is better?
If you stop trusting potentially insecure systems you start developing hard and solid ones.
I don’t worry about deepfakes or AI malware, I welcome it. It’s stupid that we have insecure systems like unencrypted emails, social security cards, unsigned documents, passwords in PIN codes alone, etc.
mlyle · 1h ago
I think what I am describing is worse. I have a harder and harder time as software and the resultant supply chain surface grows. And my chance to filter, monitor, validate, and audit software gets correspondingly worse as systems do more and more.
More components; recursive dependencies; more remote infrastructure; these are the directions the world is going, and the stuff we need to manage this complexity is not keeping up.
marcosdumay · 1h ago
Hum... If you try to fight the stuff on your first paragraph with more of anything, you'll lose every single time.
You can only fight it with fewer components, fewer recursive dependencies, and less remote infrastructure.
rectang · 57m ago
> We also received a confirmation from one of the staff of RocketGenius that the malware only affects manual downloads and composer installation of the plugin.
Phew.
mpol · 9h ago
Using a nonce before checking the form would have prevented much of the problems described. Or stated differently, it would suddenly require lots of manual labour.
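As an added illustration of the nonce check suggested above (example code written here, not from the thread, from WordPress core or from Gravity Forms): a minimal WordPress form handler without the check beside one that rejects any submission whose nonce does not verify. The action string `demo_contact_form` and the field names `demo_nonce`, `demo_message` and `demo_submit` are arbitrary choices for the illustration.

```php
<?php
// Added example (not WordPress core or Gravity Forms code). Action and field
// names are arbitrary; only wp_nonce_field(), wp_verify_nonce(), wp_unslash(),
// sanitize_text_field(), wp_die() and add_action() are real WordPress APIs.

// Render the form. wp_nonce_field() emits a hidden input whose value is a
// short-lived token bound to the action string and to the current user session.
function demo_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'demo_contact_form', 'demo_nonce' );
    echo '<input type="text" name="demo_message">';
    echo '<button type="submit" name="demo_submit">Send</button>';
    echo '</form>';
}

// Weak handler: any POST carrying the submit field reaches the processing logic,
// so scripted or cross-site submissions are accepted at full speed.
function demo_handle_form_unchecked() {
    if ( isset( $_POST['demo_submit'] ) ) {
        demo_process( sanitize_text_field( wp_unslash( $_POST['demo_message'] ) ) );
    }
}

// Hardened handler: verify the nonce before touching the rest of the request.
// wp_verify_nonce() returns false for a missing, forged, wrong-action or expired
// token and 1 or 2 for a valid one, so a loose truthiness test is what we want.
function demo_handle_form_checked() {
    if ( ! isset( $_POST['demo_submit'] ) ) {
        return;
    }
    $nonce = isset( $_POST['demo_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_contact_form' ) ) {
        // Stop here: the request did not originate from a form we rendered.
        wp_die( 'Form token invalid or expired.', 'Forbidden', array( 'response' => 403 ) );
    }
    demo_process( sanitize_text_field( wp_unslash( $_POST['demo_message'] ) ) );
}

// Placeholder for the real work; only reached after the nonce check passes.
function demo_process( $message ) {
    error_log( 'demo form accepted: ' . $message );
}

add_action( 'init', 'demo_handle_form_checked' );
```

A WordPress nonce is per user session and expires on a fixed schedule, so it blocks blind replay and cross-site submission but not a request made by an already authenticated session; it complements, rather than replaces, capability checks on the action itself.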
jimjambw · 7h ago
I’m from a technical background and so I understand this, but being a Brit, sentences like this are always funny to me.
theglenn88_ · 6h ago
Not On Normal Courtyard Exercise
stuartjohnson12 · 4h ago
Basically A Creative Kind of Reverse Origin Naming You Make
astura · 5h ago
For those who didn't understand this comment (like me)
Nonce is also British slang for alleged or convicted sex offenders, especially ones involving children.
MarkusQ · 3h ago
That's why you should call them pervs (per-instance values).
darknavi · 1h ago
Why not pedos (pedantic objects)?
projektfu · 1h ago
> put nonces on form
> all spam, normal traffic gone
> received e-mail complaint from sex offender registry because i am downloading too many images
4ndrewl · 4h ago
Makes some discussions with non-technical stakeholders interesting.
mijoharas · 2h ago
I always just call them "n-once" and I read it that way too (which I think is what it comes from right? Number you use once?).
At least that way it stops me from making childish jokes.
doodlebugging · 4h ago
Nice work to identify this malware and take action against it spreading. The article does have one small error though that made me do a double-take.
The most recent update at the top of the page should probably be "Update 7-12-2025 06:00 UTC" instead of the current future date of 08-11-2025. I think the author incremented the wrong digit.
blueflow · 37s ago
Of course the author got confused about which number means which. This is what you deserve when you use US dates but try to make them look like ISO by using dashes, but still fuck up the ordering and padding.
bhk · 59m ago
What does this impact? 90% of sites on the internet? Just a couple of low-traffic sites?
rectang · 12m ago
Somewhere in between.
Gravity Forms is a very popular premium WordPress plugin.
I maintain a handful of WordPress sites (wouldn't have been my choice of platform but whatever) and the design and functionality of Gravity Forms is better than most (aside from it being CPU-hungry). It doesn't generally give me trouble and as a developer I've been happy with how Rocket Genius have interacted with me when I've filed trouble tickets.
A pretty substantial number of small and mid-tier orgs have Gravity Forms installed. I don't know the numbers — the wordpress.org popularity stats mainly reflect installation of free plugins not premium — but there should be a lot of sites handling a lot of traffic.
mmsc · 1h ago
Popped by AB of Ac1dB1tch3z
iambateman · 4h ago
How is this even possible? Is the most likely explanation that a bad actor within GravityForms snuck something in?
I didn’t see anything in the article but I may have missed it.
Y-bar · 4h ago
Could have been a compromised CI pipeline like Jenkins or a developer machine with a malware infection.
giingyui · 8h ago
Should say what plugin it is.
Etheryte · 8h ago
It's in the title? It's the official GravityForms plugin, supposedly version 2.9.13 fixes the issue, but the changelog [0] doesn't even mention the breach.
The way it’s worded in the article it sounds like there are multiple plugins available in that domain.
> one of the plugins that they are trying to download from the official gravityforms.com domain
It’s common for certain plugins to have… plugins of their own. For example if you have a form created with gravityforms and you want to connect it to a CRM or something, there is a screen inside the plugin settings to install it. Which is why I asked. (I don’t know if that’s the case with gravityforms.)
redrove · 7h ago
Honestly it still required a web search on my part to figure out it’s a WordPress plugin. That should be in the title.
autoexec · 6h ago
Any time I read the words vulnerable and plugin I just assume WordPress is involved somehow. I'm convinced that the internet would be instantly more secure if the entire platform died off.
ChrisMarshallNY · 6h ago
It would.
It also would be a lot less useful. A lot of content is published through WordPress.
I suspect an effective approach would be encouraging ways to make WP more secure, or publish a secure platform that can easily be transitioned from WP.
d0mine · 42m ago
WordPress dominates the internet outside megacorps. There are a lot of security issues, but there is a lot of utility too.
[0] https://docs.gravityforms.com/gravityforms-change-log/
https://www.gravityforms.com/blog/security-incident-notice/