Siobhan McKeown has published a disturbing yet not out of the ordinary article that explains how a couple of plugins were recently added to the plugin repository that were using a version of J-Query from J-Query.org which after investigation proved to be a fake website. The purported J-Query file was actually propagating sites with CPA Infinity Affiliate Links. After the article was published, Otto responded in the comments to make note that the plugins were removed and the user who uploaded them has been banned. This is yet another reminder that the WordPress plugin repository is a powerful place to do naughty business for those that can get past a couple pair of eyeballs and not get noticed right away.
For the future, Otto recommends doing the following if you spot something malicious within a plugin on the repository:
Obviously malicious code doesn’t last long before somebody spots it (this one only lasted a week before somebody noticed, and it would have been removed that same day if anybody had reported it to us at email@example.com), but unintended security holes can become widely propagated for a longer period of time, leading to issues when hackers find and exploit them. So they are of a somewhat higher priority to find.
Apparently, reporting offending plugins to that email address gets swifter action than anything else. Although not related specifically to this story, I think it’s good to be reminded of June 21, 2011 when a number of suspicious commits were made to popular plugins after hackers gained access to the plugin repository. Thankfully, those commits were caught in a short period of time but there is no guarantee that they would catch them in time again.