Malware used to be pretty obvious for performance penalties.

But we are getting so much faster, and networks are doing so much weird inscrutable stuff now that it’s a lot harder at baseline. And, of course, the baddies are getting sneakier, too, and we are building systems from more components from more diverse sources.

I worry about the long term picture a lot; does all of infrastructure become a little untrustworthy at baseline?

I’m from a technical background and so I understand this but being a Brit sentences like this are always funny to me

Of course the author got confused about which number means which. This is what you deserve when you use US dates but try to make them look like ISO by using dashes, but still fuck up the ordering and padding.

Somewhere in between.

Gravity Forms is a very popular premium WordPress plugin.

I maintain a handful of WordPress sites (wouldn't have been my choice of platform but whatever) and the design and functionality of Gravity Forms is better than most (aside from it being CPU-hungry). It doesn't generally give me trouble and as a developer I've been happy with how Rocket Genius have interacted with me when I've filed trouble tickets.

A pretty substantial number of small and mid-tier orgs have Gravity Forms installed. I don't know the numbers — the wordpress.org popularity stats mainly reflect installation of free plugins not premium — but there should be a lot of sites handling a lot of traffic.

EDIT: That's the number of sites which could have been affected. Fortunately only a small number of sites actually got the compromised package because it didn't enter the main automatic distribution chain.

seemingly small amount of sites that manually downloaded that version from the site as opposed to 'most' that get premium(paid) update files through their API gateway (that I think calls file from AWS).

> The Gravity API service that handles licensing, automatic updates, and the installation of add-ons initiated from within the Gravity Forms plugin was never compromised. All package updates managed through that service are unaffected.

"The infection does not seem to be widespread, which could mean that the backdoored plugin was only available for a very short period of time and only delivered to a small number of users."

Could have been a compromised CI pipeline like Jenkins or a developer machine with a malware infection.

Do you allow permissive outgoing Internet traffic from your servers? To domains recently created? This malware is for you.

Ten bucks says it's prompt hijacking an LLM being used to code and reference docs.

Why do you think so? $259 is less than a day’s worth of freelance invoice by the hour.

Web forms and especially the business logic powering them in the backend can quickly become very complex. Just check out some templates you get out of the box https://www.gravityforms.com/form-templates/

I don’t use Wordpress, but this seems like an actively developed, supported, quality plug-in.

This entitled assumption that nothing should cost money up front is hurting everyone in they long run because it drives developers into monetising using ads and invasive tracking.

WordPress usecases are wider than most people expect.

Definitely all 3.

$259 is dirt cheap for a tool that does what you want:need.

For many people with Wordpress sites they’re going to spend way more than that having someone setup the forms for them.

It’s GPLv2+ so you can grab a copy from a friend legally for free and vibe code around the possible copy protections.

[dead]

It's in the title? It's the official GravityForms plugin, supposedly version 2.9.13 fixes the issue, but the changelog [0] doesn't even mention the breach.

[0] https://docs.gravityforms.com/gravityforms-change-log/