Unknown attackers uploaded compromised Wordpress plugins to the repository

Today it became known that Wordpress.org changed access passwords for all users after several popular plugins were compromised by intruders. The Wordpress team discovered several plugins with third-party code included in the plugin structure. Someone (not authors) uploaded “updated versions” of plugins with malicious software enabled.

The service team acted fairly quickly, rolling back the plug-in versions, disabling the update for users, and cutting off users' access to the plugin repository (for the duration of the check).
')
Such well-known and popular plug-ins among users as AddThis, WPtouch and W3 Total Cache have been compromised. As a preventive measure, WordPress.org asks all WordPress.org users to change their passwords. This decision will not affect blogs on the WordPress platform, but will affect WordPress.org users. In order to access the WordPress forums, download the plugin or theme, you must change the password to a new one. The same applies to bbPress.org sites with BuddyPress.org.

By the way, this is not the first time Wordpress has become the target of cybercriminals. WordPress.com has already suffered from the actions of intruders in April of this year.

It seems that the WordPress.org team acted really fast enough, and so far no information has been received from users affected by the actions of the attackers.

Via wordpress.org