When a customer buys software or a plugin from a vendor, the vendor's code runs on the customer's machine or website with whatever privileges that environment grants it. Whoever controls the update channel, whether the original author, a buyer who has taken over the plugin, or an attacker who has compromised the vendor, can therefore push malware straight into the site. Some publishers have exploited that trust by slipping malware into WordPress plugins for easy money; this is termed a WordPress supply chain attack.
Recently there has been a surge in supply chain attacks, and the reasons are not hard to see. The plugin's installed base is the asset: a vendor, or a new owner who has bought an established plugin, can monetize the users who already trust it by shipping a malicious update, at the cost of that trust. When a user enables automatic updates for plugins, every release the vendor publishes is installed without review, so the vendor can push any kind of malware at any time. Site owners can reduce that exposure with a Monthly WordPress Maintenance Package under which updates are reviewed and applied by a maintainer, since regular maintenance is necessary for a website to run smoothly in any case. Alternatively, commissioning the plugins a site needs from a trustworthy WordPress plugin development agency keeps that code under the site owner's control and closes off the infected-plugin route.
Earlier this year, in February 2018, government websites in the UK, Australia and elsewhere were hit by a supply chain attack of this kind. Browsealoud, a third-party accessibility script loaded by many sites (it is a hosted script, not a WordPress plugin, so the attack reached WordPress and non-WordPress sites alike), was modified to carry cryptomining code. Over 4,000 websites that loaded it served the Coinhive miner to their visitors, using the visitors' CPUs to mine the Monero cryptocurrency. Australian state government websites, UK National Health Service websites and the UK Information Commissioner's Office website were among those affected.
WordPress supply chain attacks have been observed around the globe on a large scale. In November of the previous year, a WordPress plugin that bundled Coinhive, the same browser-based Monero-mining script, was banned for carrying that mining code.
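A check a site owner can run against the third-party scripts a page loads, added here as an example and not part of the original post. It parses the HTML a site serves, flags external script tags that carry no Subresource Integrity hash (an SRI hash is what would have stopped a modified Browsealoud file from executing in the visitor's browser), flags SRI attributes that will fail because the cross-origin script lacks a `crossorigin` attribute, and flags any script fetched from a known miner host. The sample HTML, the vendor host `cdn.example-vendor.test`, the site host `example.test` and the placeholder `sha384-...` hashes are constructed for this example.

```python
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Hosts from which the Coinhive browser miner was served at the time of the
# 2018 Browsealoud incident. Extend this set with your own intel feed.
MINER_HOSTS = {"coinhive.com", "coin-hive.com"}


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            # HTMLParser lowercases attribute names; values may be None.
            self.scripts.append({k: (v or "") for k, v in attrs})


def audit_scripts(html: str, site_host: str) -> List[Tuple[str, str]]:
    """Return (finding, src) pairs for external <script src=...> tags.

    site_host is the hostname the HTML was served from; scripts with a
    relative src or the same host are treated as first-party and skipped.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings: List[Tuple[str, str]] = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: not a third-party include
        if src.startswith("//"):
            src = "https:" + src  # protocol-relative URL
        host = urlparse(src).hostname
        if host is None:
            continue  # relative path, served by the site itself
        host = host.lower()
        if host in MINER_HOSTS:
            findings.append(("known-miner-host", src))
        if host == site_host.lower():
            continue  # same origin: SRI is optional here
        if "integrity" not in attrs:
            # Without an integrity hash, whatever the vendor's CDN serves
            # (including a modified file, as with Browsealoud) will run.
            findings.append(("third-party-without-sri", src))
        elif "crossorigin" not in attrs:
            # A cross-origin fetch without CORS is opaque, so the browser
            # cannot verify the hash and refuses to run the script at all.
            findings.append(("sri-without-crossorigin", src))
    return findings


# Constructed sample page: one first-party script, one unpinned vendor
# script, one correctly pinned script, one mis-pinned script and one
# script fetched straight from a miner host.
SAMPLE_HTML = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example-vendor.test/accessibility/ba.js"></script>
<script src="https://cdn.example-vendor.test/pinned.js"
        integrity="sha384-PLACEHOLDER1" crossorigin="anonymous"></script>
<script src="https://cdn.example-vendor.test/broken.js"
        integrity="sha384-PLACEHOLDER2"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for kind, src in audit_scripts(SAMPLE_HTML, "example.test"):
        print(f"{kind:26} {src}")
```

Run it against HTML fetched from your own site (`curl -s https://example.test/ | python3 audit.py` after swapping `SAMPLE_HTML` for `sys.stdin.read()`). Note the limit of a static check: in the Browsealoud case the miner was not a separate `<script>` tag in the page but was injected at runtime by the tampered `ba.js`, so a scan of the served HTML would only show the unpinned vendor include. Pinning that include with SRI, or restricting `script-src` with a Content Security Policy, is what blocks the tampered file; the scan tells you which includes are still unpinned.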