TechRadar
Sead Fadilpašić

This Premium WordPress plugin and theme have been compromised – here's how to check your website hasn't been infected

  • Ongoing cyberattack compromises BuddyBoss update system
  • Malicious updates steal admin credentials, Stripe keys, and databases
  • Hundreds of sites already hit; thousands more at risk, admins urged to disable auto-updates and rotate credentials

A major cyberattack against websites running the BuddyBoss WordPress plugin is ongoing, and administrators are urged to secure their sites or risk complete compromise and website takeover.

BuddyBoss is a WordPress platform and theme used to build online communities, membership sites, and e-learning platforms. It reportedly has 50,000 customers, including 27,000 users of the BuddyBoss Platform and BuddyBoss Theme package.

According to Cybernews, an unidentified French-speaking threat actor gained access to the system that delivers software updates for BuddyBoss; how they got in has not been disclosed. Once inside, they used Claude to help write the malicious code and to work out how to push it to the update server.

Hundreds of compromised sites

Popular AI tools such as Claude have guardrails designed to block this kind of abuse, but the attackers managed to get around them, likely by presenting the work as a harmless hacking challenge.

After inserting the malware into the updates, they simply waited for users to install them. Because the code arrived through the legitimate update channel, sites with automatic updates enabled were infected without any action by their administrators. The attack was reportedly first spotted on March 19. The malware was designed to steal admin passwords and API keys, copy entire databases, and open a backdoor that gives the attackers remote control.

According to Cybernews, some of the data already stolen in the campaign includes Stripe payment keys, making this campaign particularly worrisome.

The compromised releases are BuddyBoss Platform 2.20.3 and BuddyBoss Theme 2.19.2. Administrators running either of them are urged to temporarily disable automatic updates first, so the malicious build is not reinstalled, then restore from a server backup made before the update to these versions, and then review server logs for indicators of compromise. Finally, all passwords, API tokens, and other credentials should be rotated as soon as possible. Restoring a backup removes the malware but does not undo the theft: anything stored in the database or configuration at the time, including payment keys, has to be treated as exposed, so rotation is necessary regardless of what the logs show.
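The first of those steps, finding out whether a site is running one of the compromised releases, as an added example that is not from the article, from Cybernews or from BuddyBoss. The script reads the `Version:` field from the standard WordPress file headers (the plugin's main PHP file and the theme's `style.css`) and compares it with the two releases named above. The install paths `wp-content/plugins/buddyboss-platform/bp-loader.php` and `wp-content/themes/buddyboss-theme/style.css` are assumed defaults, and the headers written by `demo` are constructed so the script can run offline.

```shell
#!/bin/sh
# Added example (not from the article, Cybernews or BuddyBoss): report whether the
# BuddyBoss Platform plugin or BuddyBoss Theme on a WordPress install is one of the
# compromised releases the article names. Versions are read from the standard
# WordPress file headers ("Version: x.y.z" in the plugin's main PHP file and the
# theme's style.css).

# Releases the article identifies as carrying the malicious update.
BAD_PLATFORM_VERSION="2.20.3"
BAD_THEME_VERSION="2.19.2"

# Extract the Version field from a WordPress plugin/theme file header.
# Prints the version and returns 0; returns 1 if the file is unreadable or has no Version line.
header_version() {
    [ -r "$1" ] || return 1
    # Accept both "Version: 1.2.3" (style.css) and " * Version: 1.2.3" (PHP docblock).
    hv=$(sed -n 's/^[[:space:]*#]*[Vv]ersion:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*$/\1/p' "$1" | head -n 1)
    [ -n "$hv" ] && printf '%s\n' "$hv"
}

# Exact match against the compromised release: 0 = compromised, 1 = anything else.
is_compromised_version() {   # $1 = installed version, $2 = compromised version
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Check one component and print a verdict.
# Returns 0 if the compromised release is installed, 1 if another version is, 2 if not found.
check_component() {   # $1 = label, $2 = header file, $3 = compromised version
    v=$(header_version "$2") || { echo "$1: not found (no readable header at $2)"; return 2; }
    if is_compromised_version "$v" "$3"; then
        echo "$1: $v is the compromised release; disable auto-updates, restore a pre-update backup, review logs, rotate credentials"
        return 0
    fi
    echo "$1: $v installed (compromised release is $3)"
    return 1
}

# Scan a WordPress root. The slugs below are assumed defaults; adjust if yours differ.
# Returns 0 if either component is the compromised release.
scan() {   # $1 = WordPress root directory
    found=1
    check_component "BuddyBoss Platform" "$1/wp-content/plugins/buddyboss-platform/bp-loader.php" "$BAD_PLATFORM_VERSION" && found=0
    check_component "BuddyBoss Theme" "$1/wp-content/themes/buddyboss-theme/style.css" "$BAD_THEME_VERSION" && found=0
    return $found
}

# Offline demo on constructed headers (no WordPress install needed): the plugin is on
# the compromised release, the theme is not.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/plugins/buddyboss-platform" "$tmp/wp-content/themes/buddyboss-theme"
    printf '<?php\n/**\n * Plugin Name: BuddyBoss Platform\n * Version: 2.20.3\n */\n' \
        > "$tmp/wp-content/plugins/buddyboss-platform/bp-loader.php"
    printf '/*\nTheme Name: BuddyBoss Theme\nVersion: 2.18.0\n*/\n' \
        > "$tmp/wp-content/themes/buddyboss-theme/style.css"
    scan "$tmp" && rc=0 || rc=$?
    rm -rf "$tmp"
    return $rc
}

# Entry point: WP_ROOT=/var/www/html sh check-buddyboss.sh scans a real install;
# with WP_ROOT unset, the constructed demo runs instead.
if [ -n "${WP_ROOT:-}" ]; then
    scan "$WP_ROOT"
else
    demo
fi
```

The check is an exact match on the installed version, so a site that has since moved past 2.20.3 or 2.19.2 will not be flagged even though it may have run the malicious build in between; the log review and the credential rotation the article calls for still apply to any site that installed either release, whatever the script reports today.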

Cybernews says “hundreds of websites” have already been compromised, with “thousands” more remaining in danger. At press time, at least 309 websites have had their credentials and databases exfiltrated.

Via Cybernews


