Proprietary · 2026-03-17 · 7 days · Backdoor, Credential Theft, Data Exfiltration, Remote Code Execution

BuddyBoss updates backdoored WordPress sites

Attackers used stolen BuddyBoss infrastructure secrets to publish backdoored Platform and Theme updates through the trusted Caseproof update path. Hundreds of WordPress sites exposed credentials, databases, and payment keys.

Story

BuddyBoss was compromised at the update pipeline, not at each customer site. The attacker already had access to BuddyBoss GitHub organization resources before the public timeline begins. A malicious GitHub Actions workflow ran under a legitimate developer identity and exfiltrated runner tokens, SSH keys, application secrets, and the Caseproof Mothership API key.

Those secrets opened the publishing path. The attacker used SSH access to BuddyBoss infrastructure, reached root on an AWS publishing server, and used the appcenter_key to talk to the Caseproof licensing system at licenses.caseproof.com. Cloudflare blocked the large multipart upload, so the attacker found the Heroku origin behind Cloudflare and uploaded directly with the correct Host header.

The malicious artifacts were normal-looking BuddyBoss updates. BuddyBoss Platform was published as version 2.20.3, with later reporting showing a malicious 2.20.4 as well. BuddyBoss Theme was published as 2.19.2. Each package changed one core PHP file: bp-loader.php in the platform plugin and functions.php in the theme.

The backdoors stole WordPress database credentials, secret keys, environment variables, plugin lists, user counts, and server data. They also provided command execution, file read, and reverse-shell capabilities, and later a standalone webshell. Ctrl-Alt-Intel recovered C2 logs from 246 or more victim sites; Cybernews reported 309 compromised sites and live Stripe keys among the stolen data.
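For defenders who need to tell a clean install from one of the backdoored packages, the triage script below is an added example, not code from this record or from BuddyBoss/Caseproof. It uses only the indicators this record states (the SHA-256 of the modified bp-loader.php and functions.php, and the version numbers 2.20.3 / 2.20.4 for Platform and 2.19.2 for Theme); the wp-content directory layout, reading the plugin version from the bp-loader.php header, and reading the theme version from style.css are assumptions based on standard WordPress conventions. The sample site it builds is constructed for demonstration and contains no real BuddyBoss code.

```python
"""Triage check for the backdoored BuddyBoss releases (added example).

Known-bad values come from the incident record. The directory layout and
the location of the Version: header are assumptions based on WordPress
conventions, not facts taken from the record.
"""
import hashlib
import os
import re
import tempfile

# From the record: SHA-256 of the one file modified in each malicious package.
KNOWN_BAD_SHA256 = {
    "bp-loader.php": "ddda12b545a7b817883641421cf6a213f4c5100effa40cdb55018efce11bbe42",
    "functions.php": "5027a0e77eca13a5cc120d3e37262c4073452569ad341cd1558051b5a91ce144",
}

# From the record: versions pushed through the compromised update path.
COMPROMISED_VERSIONS = {
    "buddyboss-platform": {"2.20.3", "2.20.4"},
    "buddyboss-theme": {"2.19.2"},
}

# Assumption: standard WordPress layout. A plugin's main file carries the
# "Version:" header; a theme's version lives in its style.css.
ARTIFACTS = {
    "buddyboss-platform": {
        "version_file": "plugins/buddyboss-platform/bp-loader.php",
        "check_files": ["plugins/buddyboss-platform/bp-loader.php"],
    },
    "buddyboss-theme": {
        "version_file": "themes/buddyboss-theme/style.css",
        "check_files": ["themes/buddyboss-theme/functions.php"],
    },
}

# Matches "Version: 2.20.3" or " * Version: 2.20.3" inside a header comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)


def sha256_file(path):
    """Hex SHA-256 of a file, streamed so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def read_header_version(path):
    """Return the Version: header value, or None if the file or header is absent."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            head = f.read(8192)  # WordPress headers sit at the top of the file
    except OSError:
        return None
    m = VERSION_RE.search(head)
    return m.group(1) if m else None


def triage(wp_content, bad_hashes=None):
    """Return (artifact, finding) tuples for a wp-content directory.

    A hit on the version number alone is worth acting on: the backdoored
    packages were published as normal-looking releases, so a site may have
    one installed even if the file bytes differ from the recovered sample.
    """
    bad_hashes = KNOWN_BAD_SHA256 if bad_hashes is None else bad_hashes
    findings = []
    for name, spec in ARTIFACTS.items():
        version = read_header_version(os.path.join(wp_content, spec["version_file"]))
        if version is None:
            continue  # artifact not installed
        if version in COMPROMISED_VERSIONS[name]:
            findings.append((name, f"compromised version {version}"))
        for rel in spec["check_files"]:
            path = os.path.join(wp_content, rel)
            if os.path.isfile(path) and sha256_file(path) == bad_hashes.get(os.path.basename(rel)):
                findings.append((name, f"known-bad hash for {rel}"))
    return findings


def make_sample_site():
    """Build a constructed wp-content tree for demonstration; not real site data."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    files = {
        # Constructed plugin header at a version this record lists as compromised.
        "plugins/buddyboss-platform/bp-loader.php":
            "<?php\n/**\n * Plugin Name: BuddyBoss Platform\n * Version: 2.20.3\n */\n",
        # Constructed theme header at a made-up, non-listed version.
        "themes/buddyboss-theme/style.css":
            "/*\nTheme Name: BuddyBoss Theme\nVersion: 1.0.0-sample\n*/\n",
        "themes/buddyboss-theme/functions.php":
            "<?php\n// constructed placeholder, not the real theme file\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for artifact, finding in triage(make_sample_site()):
        print(f"{artifact}: {finding}")
```

Point `triage()` at a real site's wp-content directory to run it against an installation. A clean file that merely differs from the recorded hash is not proof of safety, since the record notes the attacker shipped more than one malicious build; the version match and any unexpected modification of bp-loader.php or functions.php are the signals to escalate on.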

Affected Artifacts

BuddyBoss Platform

wordpress · buddyboss.com · Plugin
Observed
2026-03-17 to 2026-03-24
Compromised Versions
Fixed
Not listed
Evidence
distribution: buddyboss.com/platform, distribution: licenses.caseproof.com, file: bp-loader.php, file_sha256: bp-loader.php ddda12b545a7b817883641421cf6a213f4c5100effa40cdb55018efce11bbe42, +10 more
  • Cybernews initially identified BuddyBoss Platform 2.20.3 as compromised; Ctrl-Alt-Intel later reported that the attacker deployed a malicious 2.20.4 with additional execution methods and a standalone webshell.
  • The malicious package was reportedly prepared from a clean 2.13.1 package and uploaded as a newer production release.

BuddyBoss Theme

wordpress · buddyboss.com · Theme
Observed
2026-03-17 to 2026-03-24
Compromised Versions
Fixed
Not listed
Evidence
distribution: buddyboss.com/wordpress-themes/buddyboss-theme, distribution: licenses.caseproof.com, file: functions.php, file_sha256: functions.php 5027a0e77eca13a5cc120d3e37262c4073452569ad341cd1558051b5a91ce144, +5 more
  • Ctrl-Alt-Intel reported the theme upload completed around 19:15 UTC on March 17, 2026 and was verified live on the official Caseproof CDN.

Incident Context

Motive
Credential Theft
Cause
Compromised Credentials
Transitive
No
Actor
Unknown French-speaking attacker
User Impact
309

External References

Source record: proprietary/buddyboss/meta.yaml