WordPress.org warned tonight that a few popular plugins (AddThis, WPtouch, and W3 Total Cache) for self-hosted WordPress blogs were suspiciously updated today. Upon closer inspection, the updates did not appear to come from the plugins’ respective authors and the changes made to the code included backdoors to allow others access to the site.
Since becoming aware of these attempts, WordPress has rolled back the changes, triggered updates, and frozen the plugin repository to investigate further. In addition, all WordPress.org, bbPress.org, and BuddyPress.org accounts have been reset, so you’ll have to reset your password before you can post in the forums, use the bug tracker, or upload changes to themes or plugins.
Finally, if you may have updated AddThis, WPtouch, or W3 Total Cache in the past day, you should immediately update those plugins to the latest version to replace the possibly infected versions.
Pretty scary stuff, I wonder if we’ll find out how this was pulled off.