I really appreciate that this supply breach was discovered by a diligent system operator (tracking a slow HTTP request).
Similarly, the xz breach was uncovered by a diligent developer looking at quirky SSH login performance regressions.
mlyle 210 days ago [-]
Malware used to be pretty obvious for performance penalties.
But we are getting so much faster, and networks are doing so much weird inscrutable stuff now that it’s a lot harder at baseline. And, of course, the baddies are getting sneakier, too, and we are building systems from more components from more diverse sources.
I worry about the long term picture a lot; does all of infrastructure become a little untrustworthy at baseline?
bee_rider 210 days ago [-]
Wasn’t that supposed to be the default assumption? The bad guys start just after your network interface.
This was the argument against WiFi encryption in the old days (who cares about WiFi encryption, the network is assumed evil, so your messages should be encrypted rendering WiFi security moot). Which actually seemed pretty compelling to me. Nowadays, of course, someone will hop on your WiFi and download a bunch of movies without authorization, giving you copyright headaches. But that’s authentication…
alexchantavy 209 days ago [-]
Yeah that's what's called an assume breach/zero trust mindset. In a modern environment you can't rely on the network perimeter being a security boundary, so you need to minimize permissions (so that if an identity is hacked then the blast radius is reduced) and invest in detections and remediation plans.
mlyle 209 days ago [-]
Sure— but now everything has so many dependencies; dependencies are recursive, and the scope exceeds any reasonable audit. And at least getting lucky enough to spot malfeasance is getting less and less likely as performance and noise grows.
vasco 209 days ago [-]
> will hop on your WiFi and download a bunch of movies without authorization, giving you copyright headaches
It's funny how the copyright lobby as brainwashed us so much that the worse you can think of someone in your wifi can do is download movies. What about, you know, actual crime? Wire fraud, planning terrorist attacks etc from your network? But we think of downloading movies.
mlyle 208 days ago [-]
I think this is the most likely one. If you're going to do serious terrorism, A) you probably don't need tons of bits, B) you probably take opsec seriously and want a better cut-out than using a neighbor's wifi.
But if you want to download movies, an open nearby wifi sounds close and convenient.
SV_BubbleTime 210 days ago [-]
> I worry about the long term picture a lot; does all of infrastructure become a little untrustworthy at baseline?
Isn’t that a scenario that is better?
If you stop trusting potentially insecure systems you start developing hard and solid ones.
I don’t worry about deepfakes or AI malware, I welcome it. It’s stupid that we have insecure systems like unencrypted emails, social security cards, unsigned documents, passwords in PIN codes alone, etc.
mlyle 209 days ago [-]
I think what I am describing is worse. I have a harder and harder time as software and the resultant supply chain surface grows. And my chance to filter, monitor, validate, and audit software gets correspondingly worse as systems do more and more.
More components; recursive dependencies; more remote infrastructure; these are the directions the world is going, and the stuff we need to manage this complexity is not keeping up.
marcosdumay 209 days ago [-]
Hum... If you try to fight the stuff on your first paragraph with more of anything, you'll lose every single time.
You can only fight it with fewer components, fewer recursive dependencies, and less remote infrastructure.
mlyle 209 days ago [-]
Sure. Plenty of my stuff “lives” similarly to the mid-90s. But that is not the way of the world and is increasingly giving up a lot.
SV_BubbleTime 209 days ago [-]
I struggle with what I consider a complexity crisis.
While at the same time, I believe the purpose of all things is to increase their entropy.
So… I think that is the next filter or natural selection for us. That we make this so complex we crash, or we get better.
anthonyeden 209 days ago [-]
The official Gravity Forms post [0] indicates you were only compromised if you installed Gravity Forms via direct website download or Composer install.
From what I can see, Composer install methods use the same Gravity Forms API to fetch the install package as the auto-update feature within the plugin. Their WP-CLI plugin uses the same mechanism too.
It will be interesting to see if the Gravity Forms developers engage a third party security firm to investigate this incident. So far they have not mentioned it.
> We also received a confirmation from one of the staff of RocketGenius that the malware only affects manual downloads and composer installation of the plugin.
Phew.
mpol 210 days ago [-]
Using a nonce before checking the form would have prevented much of the problems described. Or stated differently, it would suddenly require lots of manual labour.
jimjambw 210 days ago [-]
I’m from a technical background and so I understand this but being a Brit sentences like this are always funny to me
astura 210 days ago [-]
For those who didn't understand this comment (like me)
Nonce is also British slang for alleged or convicted sex offenders, especially ones involving children.
MarkusQ 210 days ago [-]
That's why you should call them pervs (per-instance values).
darknavi 209 days ago [-]
Why not pedos (pedantic objects)?
4ndrewl 210 days ago [-]
Makes some discussions with non-technical stakeholders interesting.
mijoharas 210 days ago [-]
I always just call them "n-once" and I read it that way too (which I think is what it comes from right? Number you use once?).
At least that way it stops me from making childish jokes.
projektfu 210 days ago [-]
> put nonces on form
> all spam, normal traffic gone
> received e-mail complaint from sex offender registry because i am downloading too many images
brewtide 208 days ago [-]
I was this close to putting it on a car license plate unaware of the British use.
I've never been happier to just, check, before clicking a submit button.
theglenn88_ 210 days ago [-]
Not On Normal Courtyard Exercise
stuartjohnson12 210 days ago [-]
Basically A Creative Kind of Reverse Origin Naming You Make
doodlebugging 210 days ago [-]
Nice work to identify this malware and take action against it spreading. The article does have one small error though that made me do a double-take.
The most recent update at the top of the page should probably be "Update 7-12-2025 06:00 UTC" instead of the current future date of 08-11-2025. I think the author incremented the wrong digit.
blueflow 209 days ago [-]
Of course the author got confused about which number means which. This is what you deserve when you use US dates but try to make them look like ISO by using dashes, but still fuck up the ordering and padding.
209 days ago [-]
bhk 209 days ago [-]
What does this impact? 90% of sites on the internet? Just a couple of low-traffic sites?
rectang 209 days ago [-]
Somewhere in between.
Gravity Forms is a very popular premium WordPress plugin.
I maintain a handful of WordPress sites (wouldn't have been my choice of platform but whatever) and the design and functionality of Gravity Forms is better than most (aside from it being CPU-hungry). It doesn't generally give me trouble and as a developer I've been happy with how Rocket Genius have interacted with me when I've filed trouble tickets.
A pretty substantial number of small and mid-tier orgs have Gravity Forms installed. I don't know the numbers — the wordpress.org popularity stats mainly reflect installation of free plugins not premium — but there should be a lot of sites handling a lot of traffic.
EDIT: That's the number of sites which could have been affected. Fortunately only a small number of sites actually got the compromised package because it didn't enter the main automatic distribution chain.
dotancohen 209 days ago [-]
I haven't done Wordpress since before 5.0 (Gutenberg), but even then (2017) Gravity Forms was used on almost every site.
chuckreynolds 209 days ago [-]
seemingly small amount of sites that manually downloaded that version from the site as opposed to 'most' that get premium(paid) update files through their API gateway (that I think calls file from AWS).
> The Gravity API service that handles licensing, automatic updates, and the installation of add-ons initiated from within the Gravity Forms plugin was never compromised. All package updates managed through that service are unaffected.
Dazzler5648 209 days ago [-]
"The infection does not seem to be widespread, which could mean that the backdoored plugin was only available for a very short period of time and only delivered to a small number of users."
mmsc 209 days ago [-]
Popped by AB of Ac1dB1tch3z
hammyhavoc 208 days ago [-]
How long did this go unnoticed for?
iambateman 210 days ago [-]
How is this even possible? Is the most likely explanation that a bad actor within GravityForms snuck something in?
I didn’t see anything in the article but I may have missed it.
Y-bar 210 days ago [-]
Could have been a compromised CI pipeline like Jenkins or a developer machine with a malware infection.
Hilift 209 days ago [-]
Do you allow permissive outgoing Internet traffic from your servers? To domains recently created? This malware is for you.
hammyhavoc 208 days ago [-]
Ten bucks says it's prompt hijacking an LLM being used to code and reference docs.
kristianc 209 days ago [-]
Am I alone in thinking it's kind of nuts that there's a $259 extension for Web Forms in the first place. Is this WordPress being horribly broken, the WordPress ecosystem being a playground for grifters, naive non-technical WordPress users or all three?
Y-bar 209 days ago [-]
Why do you think so? $259 is less than a day’s worth of freelance invoice by the hour.
Web forms and especially the business logic powering them in the backend can quickly become very complex. Just check out some templates you get out of the box https://www.gravityforms.com/form-templates/
I don’t use Wordpress, but this seems like an actively developed, supported, quality plug-in.
This entitled assumption that nothing should cost money up front is hurting everyone in they long run because it drives developers into monetising using ads and invasive tracking.
hammyhavoc 208 days ago [-]
So quality and actively developed that it suffered a pretty embarrassing supply chain attack? Yeah, that isn't good.
Y-bar 208 days ago [-]
Effectively all software experiences security issues. If you think "never has any disclosed attacks" is a sign of quality, then that speaks more about you than it does these developers.
hammyhavoc 207 days ago [-]
Strange non-sequitur masked ad hominem.
Y-bar 207 days ago [-]
Glad you and I now agree that your attack on the developers were unwarranted. Have a nice day!
pacifika 209 days ago [-]
WordPress usecases are wider than most people expect.
sen 209 days ago [-]
Definitely all 3.
bombcar 209 days ago [-]
$259 is dirt cheap for a tool that does what you want:need.
For many people with Wordpress sites they’re going to spend way more than that having someone setup the forms for them.
stebian_dable 209 days ago [-]
It’s GPLv2+ so you can grab a copy from a friend legally for free and vibe code around the possible copy protections.
kmeisthax 209 days ago [-]
[dead]
giingyui 210 days ago [-]
Should say what plugin it is.
Etheryte 210 days ago [-]
It's in the title? It's the official GravityForms plugin, supposedly version 2.9.13 fixes the issue, but the changelog [0] doesn't even mention the breach.
Honestly it still required a web search on my part to figure out it’s a WordPress plugin. That should be in the title.
autoexec 210 days ago [-]
Any time I read the words vulnerable and plugin I just assume WordPress is involved somehow. I'm convinced that the internet would be instantly more secure if the entire platform died off.
ChrisMarshallNY 210 days ago [-]
It would.
It also would be a lot less useful. A lot of content is published through WordPress.
I suspect an effective approach would be encouraging ways to make WP more secure, or publish a secure platform that can easily be transitioned from WP.
d0mine 209 days ago [-]
Wordpress dominates internet outside megacorps. There are a lot of security issues but there is a lot of utility too.
swang 209 days ago [-]
you're not suppose to editorialize or change the title per HN rules.
Similarly, the xz breach was uncovered by a diligent developer looking at quirky SSH login performance regressions.
But we are getting so much faster, and networks are doing so much weird inscrutable stuff now that it’s a lot harder at baseline. And, of course, the baddies are getting sneakier, too, and we are building systems from more components from more diverse sources.
I worry about the long term picture a lot; does all of infrastructure become a little untrustworthy at baseline?
This was the argument against WiFi encryption in the old days (who cares about WiFi encryption, the network is assumed evil, so your messages should be encrypted rendering WiFi security moot). Which actually seemed pretty compelling to me. Nowadays, of course, someone will hop on your WiFi and download a bunch of movies without authorization, giving you copyright headaches. But that’s authentication…
It's funny how the copyright lobby as brainwashed us so much that the worse you can think of someone in your wifi can do is download movies. What about, you know, actual crime? Wire fraud, planning terrorist attacks etc from your network? But we think of downloading movies.
But if you want to download movies, an open nearby wifi sounds close and convenient.
Isn’t that a scenario that is better?
If you stop trusting potentially insecure systems you start developing hard and solid ones.
I don’t worry about deepfakes or AI malware, I welcome it. It’s stupid that we have insecure systems like unencrypted emails, social security cards, unsigned documents, passwords in PIN codes alone, etc.
More components; recursive dependencies; more remote infrastructure; these are the directions the world is going, and the stuff we need to manage this complexity is not keeping up.
You can only fight it with fewer components, fewer recursive dependencies, and less remote infrastructure.
While at the same time, I believe the purpose of all things is to increase their entropy.
So… I think that is the next filter or natural selection for us. That we make this so complex we crash, or we get better.
From what I can see, Composer install methods use the same Gravity Forms API to fetch the install package as the auto-update feature within the plugin. Their WP-CLI plugin uses the same mechanism too.
It will be interesting to see if the Gravity Forms developers engage a third party security firm to investigate this incident. So far they have not mentioned it.
[0] https://www.gravityforms.com/blog/security-incident-notice/
Phew.
Nonce is also British slang for alleged or convicted sex offenders, especially ones involving children.
At least that way it stops me from making childish jokes.
I've never been happier to just, check, before clicking a submit button.
The most recent update at the top of the page should probably be "Update 7-12-2025 06:00 UTC" instead of the current future date of 08-11-2025. I think the author incremented the wrong digit.
Gravity Forms is a very popular premium WordPress plugin.
I maintain a handful of WordPress sites (wouldn't have been my choice of platform but whatever) and the design and functionality of Gravity Forms is better than most (aside from it being CPU-hungry). It doesn't generally give me trouble and as a developer I've been happy with how Rocket Genius have interacted with me when I've filed trouble tickets.
A pretty substantial number of small and mid-tier orgs have Gravity Forms installed. I don't know the numbers — the wordpress.org popularity stats mainly reflect installation of free plugins not premium — but there should be a lot of sites handling a lot of traffic.
EDIT: That's the number of sites which could have been affected. Fortunately only a small number of sites actually got the compromised package because it didn't enter the main automatic distribution chain.
> The Gravity API service that handles licensing, automatic updates, and the installation of add-ons initiated from within the Gravity Forms plugin was never compromised. All package updates managed through that service are unaffected.
I didn’t see anything in the article but I may have missed it.
Web forms and especially the business logic powering them in the backend can quickly become very complex. Just check out some templates you get out of the box https://www.gravityforms.com/form-templates/
I don’t use Wordpress, but this seems like an actively developed, supported, quality plug-in.
This entitled assumption that nothing should cost money up front is hurting everyone in they long run because it drives developers into monetising using ads and invasive tracking.
For many people with Wordpress sites they’re going to spend way more than that having someone setup the forms for them.
[0] https://docs.gravityforms.com/gravityforms-change-log/
It also would be a lot less useful. A lot of content is published through WordPress.
I suspect an effective approach would be encouraging ways to make WP more secure, or publish a secure platform that can easily be transitioned from WP.
https://www.gravityforms.com/blog/security-incident-notice/