The BuddyBoss campaign (Parts 1 & 2) represents a full-spectrum software supply chain attack against the WordPress ecosystem, where the threat actor compromised the BuddyBoss plugin/theme distribution pipeline and leveraged it to infect hundreds of downstream websites. The initial phase (BuddyBoss-1) focused on gaining access to the vendor’s infrastructure and update mechanism, likely via compromised credentials or internal access, enabling the attacker to tamper with legitimate release artifacts. The follow-on phase (BuddyBoss-2) operationalized this access by distributing trojanized updates through the trusted update channel, effectively turning routine plugin updates into a mass infection vector.
The malicious updates embedded server-side PHP backdoors that executed within the WordPress runtime, enabling credential harvesting, database exfiltration, and persistent remote access. The attacker deployed reverse shell capabilities and centralized exfiltration infrastructure, allowing them to manage victims, collect sensitive data (including admin credentials and API/payment keys), and maintain ongoing control. Evidence from the campaign also indicates AI-assisted development (e.g., use of Claude) to accelerate payload creation and operational workflows, marking a shift toward semi-automated supply chain abuse.
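The core defensive control against the update-channel tampering described above is file-level integrity verification: pin the hashes of a known-good release, diff the installed plugin tree against that manifest after every update, and review any new or changed PHP file for constructs a backdoor depends on. The following Python script is an added illustration written for this summary; it is not code from the BuddyBoss project or from the campaign analysis. The plugin layout, file names and the appended "loader" text are constructed for the demonstration, and the manifest is assumed to come from a trusted source (a vendor-signed release or a baseline captured before the incident).

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# PHP calls a server-side backdoor typically relies on. A hit is a review
# trigger, not proof of compromise: some legitimate code uses these too.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|shell_exec|passthru|proc_open|popen|system)\s*\("
)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Record the SHA-256 of every file under root, keyed by POSIX relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_against_manifest(installed: Path, manifest: dict[str, str]) -> dict:
    """Compare an installed plugin tree with the pinned known-good manifest."""
    current = build_manifest(installed)
    return {
        "modified": sorted(k for k in current if k in manifest and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }


def suspicious_calls(path: Path) -> list[str]:
    """Return the flagged PHP calls found in a file, in order of appearance."""
    text = path.read_text(errors="replace")
    return [m.group(1) for m in SUSPICIOUS_CALLS.finditer(text)]


def audit_plugin(installed: Path, manifest: dict[str, str]) -> dict:
    """Integrity diff, then a content check on every PHP file that is new or changed."""
    report = diff_against_manifest(installed, manifest)
    report["flagged"] = {}
    for rel in report["modified"] + report["added"]:
        p = installed / rel
        if p.suffix == ".php":
            hits = suspicious_calls(p)
            if hits:
                report["flagged"][rel] = hits
    return report


def demo() -> dict:
    """Constructed scenario: a clean release, then a tampered 'update' of it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        clean = base / "release"
        (clean / "includes").mkdir(parents=True)
        (clean / "plugin.php").write_text(
            "<?php\n// Plugin Name: Example Plugin (constructed)\nrequire 'includes/loader.php';\n"
        )
        (clean / "includes" / "loader.php").write_text(
            "<?php\nfunction ex_init() { return true; }\n"
        )
        manifest = build_manifest(clean)  # the trusted baseline (assumed vendor-provided)

        installed = base / "installed"
        (installed / "includes").mkdir(parents=True)
        # Legitimate file shipped unchanged.
        (installed / "plugin.php").write_bytes((clean / "plugin.php").read_bytes())
        # Legitimate file with extra code appended (constructed, inert placeholder text).
        (installed / "includes" / "loader.php").write_text(
            (clean / "includes" / "loader.php").read_text()
            + "eval(base64_decode($data));\n"
        )
        # A file that was never part of the release at all.
        (installed / "includes" / "cache.php").write_text("<?php\nsystem($cmd);\n")
        return audit_plugin(installed, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The diff step alone catches the trojanized update regardless of how the payload is obfuscated, because it compares bytes rather than patterns; the content check only prioritises review of what the diff surfaced. In a WordPress deployment the same comparison runs against a manifest that is stored outside the web root and refreshed only from a verified release, since a manifest writable by the PHP process would be rewritten by the same update that planted the backdoor.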