[HN Gopher] Malware found in official gravityforms plugin indica...
___________________________________________________________________
Malware found in official gravityforms plugin indicating supply
chain breach
Author : taubek
Score : 183 points
Date : 2025-07-12 06:41 UTC (16 hours ago)
(HTM) web link (patchstack.com)
(TXT) w3m dump (patchstack.com)
| mpol wrote:
| Using a nonce before checking the form would have prevented much
| of the problems described. Or stated differently, it would
| suddenly require lots of manual labour.
| jimjambw wrote:
| I'm from a technical background and so I understand this but
| being a Brit sentences like this are always funny to me
| theglenn88_ wrote:
| Not On Normal Courtyard Exercise
| stuartjohnson12 wrote:
| Basically A Creative Kind of Reverse Origin Naming You Make
| astura wrote:
| For those who didn't understand this comment (like me)
|
| Nonce is also British slang for alleged or convicted sex
| offenders, especially ones involving children.
| 4ndrewl wrote:
| Makes some discussions with non-technical stakeholders
| interesting.
| mijoharas wrote:
| I always just call them "n-once" and I read it that way
| too (which I think is what it comes from right? Number
| you use once?).
|
| At least that way it stops me from making childish jokes.
| MarkusQ wrote:
| That's why you should call them pervs (per-instance
| values).
| darknavi wrote:
| Why not pedos (pedantic objects)?
| projektfu wrote:
| > put nonces on form > all spam, normal traffic gone >
| received e-mail complaint from sex offender registry
| because i am downloading too many images
| giingyui wrote:
| Should say what plugin it is.
| Etheryte wrote:
| It's in the title? It's the official GravityForms plugin,
| supposedly version 2.9.13 fixes the issue, but the changelog
| [0] doesn't even mention the breach.
|
| [0] https://docs.gravityforms.com/gravityforms-change-log/
| giingyui wrote:
| The way it's worded in the article it sounds like there are
| multiple plugins available in that domain.
|
| > one of the plugins that they are trying to download from
| the official gravityforms.com domain
|
| It's common for certain plugins to have... plugins of their
| own. For example if you have a form created with gravityforms
| and you want to connect it to a CRM or something, there is a
| screen inside the plugin settings to install it. Which is why
| I asked. (I don't know if that's the case with gravityforms.)
| redrove wrote:
| Honestly it still required a web search on my part to figure
| out it's a WordPress plugin. That should be in the title.
| autoexec wrote:
| Any time I read the words vulnerable and plugin I just
| assume WordPress is involved somehow. I'm convinced that
| the internet would be instantly more secure if the entire
| platform died off.
| ChrisMarshallNY wrote:
| It would.
|
| It also would be a lot less useful. A _lot_ of content is
| published through WordPress.
|
| I suspect an effective approach would be encouraging ways
| to make WP more secure, or publish a secure platform that
| can easily be transitioned from WP.
| d0mine wrote:
| Wordpress dominates internet outside megacorps. There are
| a lot of security issues but there is a lot of utility
| too.
| swang wrote:
| you're not supposed to editorialize or change the title per
| HN rules.
| rectang wrote:
| There's a blog post about the incident:
|
| https://www.gravityforms.com/blog/security-incident-notice/
| neomantra wrote:
| I really appreciate that this supply breach was discovered by a
| diligent system operator (tracking a slow HTTP request).
|
| Similarly, the xz breach was uncovered by a diligent developer
| looking at quirky SSH login performance regressions.
| mlyle wrote:
| Malware used to be pretty obvious for performance penalties.
|
| But we are getting so much faster, and networks are doing so
| much weird inscrutable stuff now that it's a lot harder at
| baseline. And, of course, the baddies are getting sneakier,
| too, and we are building systems from more components from more
| diverse sources.
|
| I worry about the long term picture a lot; does all of
| infrastructure become a little untrustworthy at baseline?
| SV_BubbleTime wrote:
| > I worry about the long term picture a lot; does all of
| infrastructure become a little untrustworthy at baseline?
|
| Isn't that a scenario that is better?
|
| If you stop trusting potentially insecure systems you start
| developing hard and solid ones.
|
| I don't worry about deepfakes or AI malware, I welcome it.
| It's stupid that we have insecure systems like unencrypted
| emails, social security cards, unsigned documents, passwords
| in PIN codes alone, etc.
| mlyle wrote:
| I think what I am describing is worse. I have a harder and
| harder time as software and the resultant supply chain
| surface grows. And my chance to filter, monitor, validate,
| and audit software gets correspondingly worse as systems do
| more and more.
|
| More components; recursive dependencies; more remote
| infrastructure; these are the directions the world is
| going, and the stuff we need to manage this complexity is
| not keeping up.
| marcosdumay wrote:
| Hum... If you try to fight the stuff on your first
| paragraph with more of anything, you'll lose every single
| time.
|
| You can only fight it with fewer components, fewer
| recursive dependencies, and less remote infrastructure.
| bee_rider wrote:
| Wasn't that supposed to be the default assumption? The bad
| guys start just after your network interface.
|
| This was the argument against WiFi encryption in the old days
| (who cares about WiFi encryption, the network is assumed
| evil, so _your messages_ should be encrypted rendering WiFi
| security moot). Which actually seemed pretty compelling to
| me. Nowadays, of course, someone will hop on your WiFi and
| download a bunch of movies without authorization, giving you
| copyright headaches. But that's authentication...
| mlyle wrote:
| Sure-- but now everything has so many dependencies;
| dependencies are recursive, and the scope exceeds any
| reasonable audit. And at least getting lucky enough to spot
| malfeasance is getting less and less likely as performance
| and noise grows.
| alexchantavy wrote:
| Yeah that's what's called an assume breach/zero trust
| mindset. In a modern environment you can't rely on the
| network perimeter being a security boundary, so you need to
| minimize permissions (so that if an identity is hacked then
| the blast radius is reduced) and invest in detections and
| remediation plans.
| iambateman wrote:
| How is this even possible? Is the most likely explanation that a
| bad actor within GravityForms snuck something in?
|
| I didn't see anything in the article but I may have missed it.
| Y-bar wrote:
| Could have been a compromised CI pipeline like Jenkins or a
| developer machine with a malware infection.
| Hilift wrote:
| Do you allow permissive outgoing Internet traffic from your
| servers? To domains recently created? This malware is for you.
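The egress question above is the one a practitioner can actually act on before an IoC list exists. The following is an added example, not code from the thread, from Patchstack or from Gravity Forms: it runs simple detection logic over constructed proxy-style egress log lines, flagging destinations that are not on a per-host allowlist, raw IP destinations, and domains whose registration date is recent relative to the first contact. The log lines, the allowlist, the `.example` domains and the registration dates are all constructed; in a real deployment the registration age would come from an RDAP/WHOIS lookup or a threat-intel feed, and the log from your forward proxy or firewall.

```python
"""Flag outbound connections from web servers to unexpected or newly
registered domains.  Added example for this thread; all data below is
constructed and the domains are not real."""
from datetime import date, datetime

# Constructed proxy-style egress log:
# "<ISO timestamp> <source host> <destination host>:<port> <bytes out>"
SAMPLE_LOG = """\
2025-07-11T09:14:02Z web01 api.wordpress.org:443 812
2025-07-11T09:14:05Z web01 updates.plugin-vendor.example:443 1190
2025-07-11T09:14:09Z web01 cdn.plugin-vendor.example:443 2231
2025-07-11T09:15:41Z web02 x7q2-metrics.example:443 4096
2025-07-11T09:15:42Z web02 x7q2-metrics.example:443 4096
2025-07-11T09:16:00Z web01 169.254.169.254:80 120
"""

# Destinations a WordPress host legitimately needs (constructed allowlist).
EGRESS_ALLOWLIST = {
    "api.wordpress.org",
    "updates.plugin-vendor.example",
    "cdn.plugin-vendor.example",
}

# Constructed registration dates keyed by registrable domain.  In practice
# this comes from RDAP/WHOIS or a threat-intel feed, not a literal table.
REGISTRATION_DATES = {
    "wordpress.org": date(2003, 3, 3),          # constructed value
    "plugin-vendor.example": date(2012, 5, 1),  # constructed value
    "x7q2-metrics.example": date(2025, 6, 28),  # constructed value
}


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its registrable domain.  Simplification:
    takes the last two labels.  A real implementation should use the
    Public Suffix List so that e.g. foo.co.uk is handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host: str) -> bool:
    """True for dotted-quad IPv4 literals (IPv6 omitted for brevity)."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def parse_line(line: str) -> dict:
    """Parse one constructed egress log line into a dict."""
    ts, src, dst, nbytes = line.split()
    host, _, port = dst.rpartition(":")
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src,
        "host": host,
        "port": int(port),
        "bytes": int(nbytes),
    }


def flag_egress(lines, allowlist=EGRESS_ALLOWLIST,
                registered=REGISTRATION_DATES, max_age_days=30) -> dict:
    """Return {destination host: finding} for every destination that is
    off the allowlist, a raw IP, unknown to the registration table, or
    registered fewer than max_age_days before the connection."""
    findings = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        host = ev["host"]
        reasons = []
        if host not in allowlist:
            reasons.append("not on egress allowlist")
        if is_ip_literal(host):
            reasons.append("raw IP destination")
        else:
            reg = registered.get(registrable_domain(host))
            if reg is None:
                reasons.append("no registration record")
            else:
                age = (ev["ts"].date() - reg).days
                if age < max_age_days:
                    reasons.append(
                        f"domain registered {age} days before first contact")
        if reasons:
            f = findings.setdefault(
                host, {"sources": set(), "hits": 0, "bytes": 0, "reasons": set()})
            f["sources"].add(ev["src"])
            f["hits"] += 1
            f["bytes"] += ev["bytes"]
            f["reasons"].update(reasons)
    return findings


if __name__ == "__main__":
    for host, f in flag_egress(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {f['hits']} hits, {f['bytes']} bytes from "
              f"{sorted(f['sources'])}; {'; '.join(sorted(f['reasons']))}")
```

Allowlisted destinations are still subjected to the registration-age check on purpose: a freshly registered domain that somehow made it onto the allowlist is a misconfiguration worth surfacing. The raw-IP rule catches things like cloud metadata endpoints that a plugin has no business contacting; whether that is benign depends on your platform, so treat it as a triage signal, not a verdict.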
| doodlebugging wrote:
| Nice work to identify this malware and take action against it
| spreading. The article does have one small error though that made
| me do a double-take.
|
| The most recent update at the top of the page should probably be
| "Update 7-12-2025 06:00 UTC" instead of the current future date
| of 08-11-2025. I think the author incremented the wrong digit.
| blueflow wrote:
| Of course the author got confused about which number means
| which. This is what you deserve when you use US dates but try
| to make them look like ISO by using dashes, but still fuck up
| the ordering and padding.
| mmsc wrote:
| Popped by AB of Ac1dB1tch3z
| bhk wrote:
| What does this impact? 90% of sites on the internet? Just a
| couple of low-traffic sites?
| rectang wrote:
| Somewhere in between.
|
| Gravity Forms is a very popular premium WordPress plugin.
|
| I maintain a handful of WordPress sites (wouldn't have been my
| choice of platform but whatever) and the design and
| functionality of Gravity Forms is better than most (aside from
| it being CPU-hungry). It doesn't generally give me trouble and
| as a developer I've been happy with how Rocket Genius have
| interacted with me when I've filed trouble tickets.
|
| A pretty substantial number of small and mid-tier orgs have
| Gravity Forms installed. I don't know the numbers -- the
| wordpress.org popularity stats mainly reflect installation of
| _free_ plugins not premium -- but there should be a lot of
| sites handling a lot of traffic.
|
| EDIT: That's the number of sites which _could_ have been
| affected. Fortunately only a small number of sites actually got
| the compromised package because it didn't enter the main
| automatic distribution chain.
| chuckreynolds wrote:
| seemingly small number of sites that manually downloaded that
| version from the site as opposed to 'most' that get
| premium (paid) update files through their API gateway (that I
| think calls the file from AWS).
|
| > The Gravity API service that handles licensing, automatic
| updates, and the installation of add-ons initiated from within
| the Gravity Forms plugin was never compromised. All package
| updates managed through that service are unaffected.
| rectang wrote:
| > _We also received a confirmation from one of the staff of
| RocketGenius that the malware only affects manual downloads and
| composer installation of the plugin._
|
| Phew.
___________________________________________________________________
(page generated 2025-07-12 23:00 UTC)